TLS Handshake Failure Logging

Erika B

Oct 9, 2020, 1:05:57 PM
to golang-nuts

Hi Gophers! Is there a way to get the subject of a client cert when the TLS handshake fails? We are getting spammed with TLS handshake errors and there is no easy way to see what clients are trying to authenticate. The remote address in the log is the load balancer IP.  Ideally, we’d like to log the client cert subject when TLS handshake fails. 

http: TLS handshake error from 10.x.x.x:12345: tls: failed to verify client certificate

http: TLS handshake error from 10.x.x.x:12345: tls: client didn't provide a certificate


package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"

	"github.com/gorilla/mux"
)

func main() {
	// Trust anchors for client certificates (mTLS); errors were silently dropped before.
	caCert, err := os.ReadFile("ca.crt")
	if err != nil {
		log.Fatalf("read ca.crt: %v", err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatal("ca.crt contains no PEM certificates")
	}

	tlsConfig := &tls.Config{
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert,
	}
	// tls.Config.BuildNameToCertificate is deprecated and no longer needed;
	// the server selects its certificate automatically.

	r := mux.NewRouter()
	// Stand-in for the poster's client.DefaultHandler, which is not on the page.
	r.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		w.Write([]byte("ok\n"))
	})

	server := &http.Server{
		Addr:      ":9443",
		TLSConfig: tlsConfig,
		Handler:   r,
	}
	log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
}


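The following is an added example, not code from the poster or from any reply in this thread. It shows one way to get the subject of a failing client certificate into the log. With tls.RequireAndVerifyClientCert, Go performs chain verification itself and only calls tls.Config.VerifyPeerCertificate after that verification has succeeded, so a rejected certificate never reaches user code. Switching to tls.RequireAnyClientCert makes the TLS layer check only that a certificate was presented; chain verification then happens in the callback, which can log subject, issuer and serial before returning the error that aborts the handshake. The file names ca.crt, server.crt and server.key are taken from the original post; newCert is a throwaway helper added here only so the verifier can be exercised without files on disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"os"
	"time"
)

// clientCertVerifier returns a tls.Config.VerifyPeerCertificate callback that does the
// chain verification itself (for use with tls.RequireAnyClientCert), so a failing
// certificate can be logged via logf before the handshake is rejected.
func clientCertVerifier(roots *x509.CertPool, logf func(string, ...any)) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 { // RequireAnyClientCert already rejects this; kept as a guard
			return fmt.Errorf("tls: client didn't provide a certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("tls: unparsable client certificate: %w", err)
		}
		intermediates := x509.NewCertPool() // any extra certs the client sent
		for _, raw := range rawCerts[1:] {
			if c, err := x509.ParseCertificate(raw); err == nil {
				intermediates.AddCert(c)
			}
		}
		_, err = leaf.Verify(x509.VerifyOptions{
			Roots:         roots,
			Intermediates: intermediates,
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		})
		if err != nil {
			logf("client cert rejected: subject=%q issuer=%q serial=%s: %v",
				leaf.Subject, leaf.Issuer, leaf.SerialNumber, err)
			return fmt.Errorf("tls: failed to verify client certificate: %w", err)
		}
		return nil
	}
}

// newServerTLSConfig wires the verifier in; security now depends on the callback returning an error.
func newServerTLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientCAs:             roots, // still advertised to clients in the CertificateRequest
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: clientCertVerifier(roots, log.Printf),
	}
}

// newCert is a demo-only helper (not part of any real deployment): it issues an ECDSA
// certificate for cn, self-signed when parent is nil, otherwise signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	caPEM, err := os.ReadFile("ca.crt") // file names assumed from the original post
	if err != nil {
		log.Fatal(err)
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	srv := &http.Server{Addr: ":9443", TLSConfig: newServerTLSConfig(roots)}
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```

Two caveats. This only helps when a certificate was actually presented; the "client didn't provide a certificate" case has nothing to log, and the remote address in the log is still the load balancer's. And because the built-in verification is turned off by RequireAnyClientCert, the callback is now the only thing standing between an untrusted certificate and the handler, so it must return an error on every failure path.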