Ah, just had a closer look at the screenshot. It seems that the server 
sends Certificate Request message. The Certificate Request contains a list 
of all CA RDNs that are accepted by the server, (which can be an empty 
list, in which case cert signed by CA should be accepted). 

It would be easier to debug the issue if you could post the screenshot of 
the server hello message from Wireshark. 
My guess is that the certificate that you have set in the client was not 
signed by a CA allowed by the server.

Your TLS config from the go playground looks OK, the one you posted here 
also. 

I would suggest running openssl s_client with the -debug flag to connect to 
the TLS server and check if everything is OK on the server side. 
The -debug flag should print all the client/server certificates, and the 
list of accepted signing CAs for the client certificate if you pass in one. 

The same way you could run openssl s_server and use your go client to 
connect to it to debug the other side. It should not be necessary though.

I am surprised that the server doesn't terminate the TLS handshake if it 
doesn't receive an acceptable certificate. That is how my servers are 
configured anyway (Yes, this is configurable, and hence I suspect that the 
culprit is the server config). 


On Monday, 19 February 2018 at 20:43:23 UTC, Maciej 
Gałkowski wrote:
>
> Hi, This might be a red herring, but are you sure that your server 
> requires a client cert? 
> As far as I can understand the RFC 
> https://tools.ietf.org/html/rfc5246#section-7.4.4, 
> it is the server that sends a certificate request to the client so it can 
> authenticate. 
>
> On Monday, 19 February 2018 at 08:46:13 UTC, Miha Zoubek 
> wrote:
>>
>> Hello
>>
>> thanks for the help.
>>
>> I tried like:
>>  
>>     tlsConfig := &tls.Config{
>>         Certificates: []tls.Certificate{cert},
>>         RootCAs: caCertPool,
>>         InsecureSkipVerify: false,
>>     }
>>
>>     //tlsConfig.BuildNameToCertificate()
>>     transport := &http.Transport{TLSClientConfig: tlsConfig}
>>     client := &http.Client{Transport: transport}
>>
>> but it is the same thing. What about GetClientCertificate() config, how 
>> to use, should this help?
>> // GetClientCertificate, if not nil, is called when a server requests a
>> // certificate from a client. If set, the contents of Certificates will
>> // be ignored.
>>
>>
>>
>> On Mon, 19 Feb 2018 at 09:33, Jakob Borg <ja...@kastelo.net> 
>> wrote:
>>
>>> Try without using Config.BuildNameToCertificate. That’s a server side 
>>> thing and I doubt it does what you want on the client side. 
>>>
>>> //jb
>>>
>>> On 16 Feb 2018, at 14:41, mzo...@gmail.com wrote:
>>>
>>> Hello
>>>
>>> this is my code:
>>> https://play.golang.org/p/yxhYXEVMPjB
>>>
>>>
>>> I got a certificate in pfx format; I extracted the client, CA and private 
>>> certificate, which I imported in my program.
>>> # Extract Public Key (ask for password)
>>> openssl pkcs12 -in file.pfx -out file_public.pem -clcerts -nokeys
>>>
>>> # Extract Certificate Authority Key (ask for password)
>>> openssl pkcs12 -in file.pfx -out file_ca.pem -cacerts -nokeys
>>>
>>> # Extract Private Key (ask for password)
>>> openssl pkcs12 -in file.pfx -out file_private.pem -nocerts -nodes
>>>
>>>
>>> I need to send the certificate in the request to the server, but the thing 
>>> is that I get from the server that the certificate is not included in the 
>>> request. I also did a trace with Wireshark and there is no certificate 
>>> appended in the request.
>>>
>>>
>>> Thank you for all your help!
>>> miha
>>>
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "golang-nuts" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to golang-nuts...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>


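The CertificateRequest check discussed above, as an added Go example that is not from the thread or the Go standard library: a GetClientCertificate callback that decodes the CA list the server sent and logs whether the loaded client certificate's issuer is on it. It assumes a tls.Certificate loaded with tls.LoadX509KeyPair from the PEM files extracted earlier; the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
)

// acceptableCANames decodes the DER names in tls.CertificateRequestInfo.AcceptableCAs.
func acceptableCANames(raw [][]byte) []string {
	names := make([]string, 0, len(raw))
	for _, der := range raw {
		var seq pkix.RDNSequence
		if rest, err := asn1.Unmarshal(der, &seq); err != nil || len(rest) != 0 {
			names = append(names, fmt.Sprintf("<undecodable DN %x>", der))
			continue
		}
		var n pkix.Name
		n.FillFromRDNSequence(&seq)
		names = append(names, n.String())
	}
	return names
}

// issuerAccepted is the byte-for-byte issuer match crypto/tls applies to Config.Certificates.
func issuerAccepted(rawIssuer []byte, acceptable [][]byte) bool {
	for _, ca := range acceptable {
		if bytes.Equal(rawIssuer, ca) {
			return true
		}
	}
	return len(acceptable) == 0 // an empty list means any issuer is acceptable
}

// diagnosingClientCert returns a GetClientCertificate callback that logs the server's CA list
// and sends cert regardless, so a mismatch shows up as a server alert in Wireshark.
func diagnosingClientCert(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		log.Printf("server accepts client certs issued by %q", acceptableCANames(cri.AcceptableCAs))
		// tls.LoadX509KeyPair fails rather than return an empty chain, so [0] is safe.
		leaf, err := x509.ParseCertificate(cert.Certificate[0])
		if err == nil && !issuerAccepted(leaf.RawIssuer, cri.AcceptableCAs) {
			log.Printf("certificate issuer %q is not in the server's list", leaf.Issuer)
		}
		return &cert, err
	}
}
```

Wire it in with `&tls.Config{GetClientCertificate: diagnosingClientCert(cert)}` in place of the Certificates field from the quoted code.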