    crypto/tls: fix TLS <1.3 client cert required alert · fd605450
    Daniel McCarney authored
    Previously for protocol versions older than TLS 1.3 our server handshake
    implementation sent an alertBadCertificate alert in the case where the
    server TLS config indicates a client cert is required and none was
    received.
    
    This commit updates the relevant logic to instead send
    alertHandshakeFailure in these circumstances.
    
    For TLS 1.2, RFC 5246 §7.4.6 unambiguously describes this as the correct
    alert:
      If the client does not send any certificates, the
      server MAY at its discretion either continue the handshake without
      client authentication, or respond with a fatal handshake_failure
      alert.
    
    The TLS 1.1 and 1.0 specs also describe using this alert; RFC 4346 §7.4.6
    and RFC 2246 §7.4.6 both say:
      If client authentication is required by the server for the handshake
      to continue, it may respond with a fatal handshake failure alert.
    
    Making this correction also allows enabling the
    RequireAnyClientCertificate-TLS1* bogo tests.
    
    Updates #72006
    Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c8
    Reviewed-on: https://go-review.googlesource.com/c/go/+/671195
    
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Cherry Mui <cherryyz@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
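A minimal reproduction of the behaviour the commit message describes, added here as an illustration and not part of the change itself: a TLS 1.2 server configured with RequireAnyClientCert faces a client that offers no certificate, and the client reports the server's fatal alert. It assumes a throwaway self-signed Ed25519 certificate generated at run time and an in-memory net.Pipe; because net.Pipe is synchronous the example pins both sides to TLS 1.2, which is the version range the change covers. On a toolchain without this change the client sees "remote error: tls: bad certificate", with it "remote error: tls: handshake failure".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// throwawayCert builds a self-signed Ed25519 certificate for this demo only
// (constructed at run time, not a real identity).
func throwawayCert() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// tls12Handshake runs one TLS 1.2 handshake over an in-memory pipe. The server
// requires a client certificate; the client offers one only if sendClientCert.
// Returns the client's view: nil on success, else the server's fatal alert.
func tls12Handshake(sendClientCert bool) error {
	cert, err := throwawayCert()
	if err != nil {
		return err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAnyClientCert,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{InsecureSkipVerify: true, // throwaway cert; demo only
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{cert}
	}
	cp, sp := net.Pipe()
	go func() { tls.Server(sp, srvCfg).Handshake(); sp.Close() }()
	err = tls.Client(cp, cliCfg).Handshake()
	cp.Close()
	return err
}
```

Run `tls12Handshake(false)` and `tls12Handshake(true)` side by side to see the alert the server sends versus the handshake completing once the client presents any certificate.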