tls.ConnectionState.PeerCertificate nil with wss websockets?


kortschak

Feb 19, 2012, 2:32:03 AM
to golang-nuts
I've been using go.net/websockets over tls, and with a minor exception
everything works like a dream, straight out of the box.

The problem I'm having is that the tls.ConnectionState has a nil
PeerCertificate field. This is not the case when I use a tls
connection directly. (I'm setting a websocket.Config to contain an
appropriate *tls.Config and then calling tls.DialConfig and this
handshakes successfully).

Should I be able to retrieve the PeerCertificate values from the ws
server side? (My reading of net/http says that I should). I would like
to be able to log some of the certificate details in the server.

thanks

kortschak

Feb 19, 2012, 8:04:43 PM
to golang-nuts
Having had a further look, it's something that comes from using net/http.

Here is a comparison of net/http and raw tls https://gist.github.com/1866829

What I'm confused about is how the handshake is complete but the peer
certificates field is empty. I can't call Handshake in the handler
since the underlying connection is not visible at that stage unless I
use Hijack, but since I want to use it with websocket, that's not
possible as far as I can see.

any help would be greatly appreciated

kortschak

Feb 20, 2012, 1:12:00 AM
to golang-nuts
I've figured out why this is not possible. The tls.Config used by
ListenAndServe is very minimal and there is no way to alter the auth
settings. This change

# hg diff
diff -r 43cf9b39b647 src/pkg/net/http/server.go
--- a/src/pkg/net/http/server.go Wed Feb 15 14:41:47 2012 +1100
+++ b/src/pkg/net/http/server.go Mon Feb 20 16:28:24 2012 +1030
@@ -1124,6 +1124,7 @@
config := &tls.Config{
Rand: rand.Reader,
NextProtos: []string{"http/1.1"},
+ ClientAuth: tls.RequireAnyClientCert,
}

var err error
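Review bot: hard-coding ClientAuth: tls.RequireAnyClientCert into the tls.Config that this function builds changes the behaviour for every ListenAndServeTLS caller at once: a client that connects without a certificate is now refused, and RequireAnyClientCert only insists that some certificate be presented, it does not verify it against any CA pool, so the subject and issuer details later read from PeerCertificates are not authenticated. The client-auth policy should be a caller-supplied setting rather than a constant in the standard library; a server that wants to authenticate clients would then set ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs, and one that only wants the details for logging could use tls.RequestClientCert so that certificate-less clients keep working.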


altered the behaviour so that I could get client certs. Is there any
possibility that this could be changed in the API rather than having
to hack at the library to do reasonably sane things?

thanks

On Feb 20, 11:04 am, kortschak <dan.kortsc...@adelaide.edu.au> wrote:
> Having had a further look it's something that comes from using net/http.
>
> Here is a comparison of net/http and raw tls https://gist.github.com/1866829

Brad Fitzpatrick

Feb 20, 2012, 1:19:14 AM
to kortschak, golang-nuts
Something like,

May or may not be too late for Go 1, though.  I'll send it out for review.

Dan Kortschak

Feb 20, 2012, 1:23:19 AM
to Brad Fitzpatrick, golang-nuts
You are a gentleman.

After my post I realised there are no unexported fields, so
ListenAndServe can be copied with alterations into my application to get
the same outcome.

thanks

Brad Fitzpatrick

Feb 20, 2012, 6:26:19 PM
to Dan Kortschak, golang-nuts
It's now submitted.
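Where the thread ends up, written out as an added Go example (this is not code from the thread or from the Go project): in Go 1 and later, the equivalent of patching server.go is to put your own *tls.Config in the http.Server.TLSConfig field before calling ListenAndServeTLS. The example runs the three cases discussed above against an in-process httptest server so it works offline: with the default config (ClientAuth left at tls.NoClientCert) the handler sees an empty r.TLS.PeerCertificates even though the client holds a certificate, with tls.RequireAndVerifyClientCert plus a ClientCAs pool it sees the verified client leaf and can log its details, and a client with no certificate is refused at the handshake. The throw-away CA, the client certificate and the names example-ca and example-client are constructed for the demo and are not from the original post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed and flagged as a CA; otherwise it is a leaf signed
// by parent/parentKey. All key material is constructed in memory for the demo.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// handler shows what net/http hands to application code: r.TLS is the
// tls.ConnectionState of the connection, and PeerCertificates stays empty
// unless the server's ClientAuth setting made it ask the client for one.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		fmt.Fprint(w, "no peer certificate")
		return
	}
	leaf := r.TLS.PeerCertificates[0]
	fmt.Printf("client cert: subject=%q issuer=%q serial=%s\n", leaf.Subject.CommonName, leaf.Issuer.CommonName, leaf.SerialNumber)
	fmt.Fprint(w, leaf.Subject.CommonName)
}

// serve starts an HTTPS test server whose TLS policy is cfg. In a real program
// the same cfg goes into http.Server.TLSConfig before ListenAndServeTLS.
func serve(cfg *tls.Config) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	ts.TLS = cfg // httptest supplies the server's own certificate
	ts.StartTLS()
	return ts
}

// get performs one request offering certs as client certificates and returns
// the body. A fresh Transport per call guarantees a new handshake, so an
// authenticated keep-alive connection is never reused by a later call.
func get(ts *httptest.Server, certs ...tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ts.Certificate())
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: certs}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
	if err != nil {
		return "", err // handshake rejections surface here
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs the three cases and reports what the handler saw: the default
// config never requests a certificate, so PeerCertificates is empty; with
// RequireAndVerifyClientCert and a ClientCAs pool the verified leaf is there;
// a client without a certificate fails the handshake (noCertErr != nil).
func Demo() (defaultCN, verifiedCN string, noCertErr error) {
	_, ca, caKey := issue("example-ca", nil, nil)
	clientCert, _, _ := issue("example-client", ca, caKey)

	relaxed := serve(&tls.Config{}) // ClientAuth == tls.NoClientCert
	defer relaxed.Close()
	defaultCN, _ = get(relaxed, clientCert) // an error here shows up as ""

	pool := x509.NewCertPool()
	pool.AddCert(ca)
	strict := serve(&tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	defer strict.Close()
	verifiedCN, _ = get(strict, clientCert)
	_, noCertErr = get(strict)
	return defaultCN, verifiedCN, noCertErr
}

func main() {
	d, v, err := Demo()
	fmt.Printf("default config: %q\nverified client: %q\nwithout certificate: %v\n", d, v, err)
}
```

The server-side check that matters is the ClientAuth mode: RequireAndVerifyClientCert both asks for a certificate and verifies it against ClientCAs before the handler runs, so anything read from r.TLS.PeerCertificates in the handler is authenticated; RequireAnyClientCert would populate the same field with an unverified certificate, and the default NoClientCert never asks, which is why the field was empty in the original report.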