Hi! I've had a successful TLS mutual authentication client/server setup in Go for a while, but am now looking to make some small tweaks.
Specifically, I'm wondering if there is a way to require only a specific client certificate for mutual auth. I'm currently using something like this:

    // Load cert and build pool
    caCert, _ := ioutil.ReadFile(caPath)
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    // Require client authentication
    tlsConfig := &tls.Config{
        ClientAuth: tls.RequireAndVerifyClientCert,
        ClientCAs:  caCertPool,
    }

This works fine; however, if the PEM file I'm reading in is actually a certificate chain (A issued by B, and B is a root CA), this will actually end up trusting any certificate issued by B, which I don't want. Is there any way I can tweak this code to ONLY trust the specific A certificate?

It seems that if I only include A in the loaded PEM file, the server handshake code (https://golang.org/src/crypto/tls/handshake_server.go line 429) tells the client "send me all your certs signed by A", which of course is not what I want, as cert A is not signed by A. Ideally I'd want to say "you require specifically certificate A" to connect successfully. Is there such a mechanism?
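One way to get this behaviour, as an added example that is not part of the original post: keep the root B in ClientCAs so that the CertificateRequest still names B (which is what makes the Go client pick A), and then pin the presented leaf to A's exact DER bytes in tls.Config.VerifyPeerCertificate, which Go calls after the ordinary chain check has passed. The certificates below are generated in memory as throwaway fixtures standing in for the PEM file at caPath; the names newCert, must, pinLeaf, acceptedByChainCheck and serverConfig are introduced for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type keyPair struct { // in-memory certificate plus its key, standing in for the PEM files on disk
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T { // fixture generation can only fail on a programming mistake
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a throwaway certificate: self-signed when parent is nil (root "B"), else issued by parent.
func newCert(cn string, parent *keyPair, isCA bool) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = &keyPair{cert: tmpl, key: key} // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &keyPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// pinLeaf returns a VerifyPeerCertificate callback that accepts only the pinned certificate (compared by
// SHA-256 fingerprint of its DER). Go calls it after the chain check against ClientCAs has already passed.
func pinLeaf(pinnedDER []byte) func([][]byte, [][]*x509.Certificate) error {
	want := sha256.Sum256(pinnedDER)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 { // unreachable with RequireAndVerifyClientCert; guards other ClientAuth modes
			return errors.New("no client certificate presented")
		}
		if got := sha256.Sum256(rawCerts[0]); got != want { // rawCerts[0] is the leaf the client sent
			return fmt.Errorf("client certificate %x is not the pinned certificate %x", got[:6], want[:6])
		}
		return nil
	}
}

// acceptedByChainCheck is what the ClientCAs-only configuration from the post decides: the leaf only
// has to chain to something in the pool, which is why every certificate issued by B was being accepted.
func acceptedByChainCheck(pool *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// serverConfig keeps root B in ClientCAs, so the CertificateRequest still names B and the client is
// willing to send A, and then pins the presented leaf to exactly A.
func serverConfig(server, root *keyPair, pinned *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	return &tls.Config{
		Certificates:          []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             pool,
		VerifyPeerCertificate: pinLeaf(pinned.Raw),
		MinVersion:            tls.VersionTLS12,
	}
}

func main() {
	root := newCert("B root", nil, true)
	a := newCert("A pinned client", root, false)
	other := newCert("another client issued by B", root, false)
	cfg := serverConfig(newCert("server", root, false), root, a.cert)
	for _, c := range []*keyPair{a, other} {
		fmt.Printf("%s: chain check %v, pinned check %v\n", c.cert.Subject.CommonName,
			acceptedByChainCheck(cfg.ClientCAs, c.cert), cfg.VerifyPeerCertificate([][]byte{c.cert.Raw}, nil))
	}
}
```

Both leaves pass the plain chain check (that is the over-trust described in the post), and only A passes the pinned check. Two practical notes: pinning the exact DER means rotating A is a server configuration change, not just a re-issue by B; and when testing this against a real listener, keep in mind that with TLS 1.3 the client's Handshake can return successfully before the server has rejected its certificate, so the rejection only shows up on the client's first Read, while the server side sees the VerifyPeerCertificate error immediately.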