Hi!

I've had a successful TLS mutual authentication client/server setup in Go 
for a while, but now I'm looking to make some small tweaks.

Specifically, I'm wondering if there is a way to require only a specific 
client certificate for mutual auth. 

I'm currently using something like this:

// Load cert and build pool
caCert, err := ioutil.ReadFile(caPath)
if err != nil {
	log.Fatal(err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
	log.Fatal("no certificates found in " + caPath)
}

// Require client authentication
tlsConfig := &tls.Config{
	ClientAuth: tls.RequireAndVerifyClientCert,
	ClientCAs:  caCertPool,
}

This works fine; however, if the PEM file I'm reading in is actually a 
certificate chain (A issued by B, and B is a root CA), this will actually 
end up trusting any certificate issued by B, which I don't want.

Is there any way I can tweak this code to ONLY trust the specific A 
certificate?

It seems that if I only include A in the loaded PEM file, the server 
handshake code (https://golang.org/src/crypto/tls/handshake_server.go line 
429) tells the client "send me all your certs signed by A", which of course 
is not what I want, as cert A is not signed by A. 

Ideally I'd want to say "you require specifically certificate A" to connect 
successfully. Is there such a mechanism?

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
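Added example, not from the post above and not Go's own code: a server that admits exactly one client certificate by pinning the SHA-256 of its DER encoding inside VerifyPeerCertificate, with ClientAuth set to tls.RequireAnyClientCert and ClientCAs left unset, so the CertificateRequest advertises no issuer names and no CA is trusted implicitly. The certificates are generated in memory as constructed test data, the helper names (newSelfSigned, pinnedServerConfig, connect, check) are mine, and the handshake runs over a loopback TCP socket, which is assumed to be available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // fixture setup only; real handlers should return the error
	}
}

// newSelfSigned mints a throwaway self-signed certificate usable as either end
// of the connection (constructed test data, not the poster's A/B chain).
func newSelfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pinnedServerConfig admits exactly one client certificate, identified by the
// SHA-256 of its DER encoding, regardless of who issued it.
func pinnedServerConfig(serverCert tls.Certificate, pinnedDER []byte) *tls.Config {
	want := sha256.Sum256(pinnedDER)
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
		// The client must still send a certificate and prove it holds the key,
		// but no chain is built and, with ClientCAs unset, no CA names are sent.
		ClientAuth: tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if sha256.Sum256(rawCerts[0]) != want {
				return errors.New("client certificate is not the pinned one")
			}
			// A matching hash says nothing about expiry, so check that as well.
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil || time.Now().After(leaf.NotAfter) {
				return errors.New("pinned client certificate is unparseable or expired")
			}
			return nil
		},
	}
}

// connect runs one handshake over loopback TCP and returns the server-side
// result: nil when the client certificate was accepted.
func connect(serverCfg *tls.Config, clientCert tls.Certificate, roots *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		s := tls.Server(raw, serverCfg)
		srvErr <- s.Handshake()
		s.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	c := tls.Client(raw, &tls.Config{Certificates: []tls.Certificate{clientCert},
		RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12})
	defer c.Close()
	if c.Handshake() == nil {
		// In TLS 1.3 the client finishes before the server has judged its
		// certificate; one Read surfaces the rejection alert, if any.
		_, _ = c.Read(make([]byte, 1))
	}
	return <-srvErr
}

func main() {
	server, pinned, impostor := newSelfSigned(), newSelfSigned(), newSelfSigned()
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf)
	cfg := pinnedServerConfig(server, pinned.Certificate[0])
	fmt.Println("pinned client:", connect(cfg, pinned, roots)) // <nil>
	fmt.Println("impostor:", connect(cfg, impostor, roots))     // rejected
}
```

The handshake still checks the client's CertificateVerify signature, so the peer has to hold the pinned certificate's private key; what is dropped is only the issuer-based chain check that made the original ClientCAs pool trust everything signed by B. A DER-hash pin must be rotated whenever the certificate is reissued; pinning the SubjectPublicKeyInfo hash instead survives reissuance under the same key, at the cost of admitting any certificate that carries that key.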