TLS clientAuth requires ExtKeyUsageClientAuth through whole certificate chain

Rhy*_*man 6 | tags: authentication, ssl, go, x509

I'm trying out TLS client authentication using go. It worked fine when I created a simple self-signed client certificate with ExtKeyUsageClientAuth set, but when a client tries to connect with a longer certificate chain:

CA -> intermediate -> client

I get the following error: x509: certificate specifies an incompatible key usage

The relevant calls are

handshake_server.go: processCertsFromClient()

verify.go: checkChainForKeyUsage()

and if I'm reading the code right it looks like every single certificate in my chain must have the client auth extended key usage set.

I'm no x509 expert, but that seems like a strange requirement. I've never seen a CA or an intermediate certificate that had client auth set. I don't see how you can be expected to configure a long-lived CA to handle all possible future key usages.

So where's the mistake?

I can think of a few possibilities

  1. I don’t understand TLS (likely)
  2. my assumption that client auth works much like server auth is wrong
  3. I’m reading the code wrong
  4. my tls server is misconfigured
  5. golang's TLS client auth implementation is wrong
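What Go's verifier actually enforces can be checked directly, without a TLS server, because the server's processCertsFromClient() ends up calling the same Certificate.Verify with KeyUsages set to ExtKeyUsageClientAuth. The program below is an added example, not code from the question or from the Go project: it generates a throwaway CA -> intermediate -> client chain in memory (all names and serial numbers are constructed), varies only the intermediate's Extended Key Usage extension, and reports whether client-auth verification succeeds. It goes slightly beyond the question's single failing case: it also shows an intermediate with no EKU extension at all and one with anyExtendedKeyUsage, which is where the generalization lies. The rule in verify.go's checkChainForKeyUsage is that a certificate with no EKU extension is skipped (treated as unrestricted), while a certificate that does carry an EKU extension must list the requested usage or ExtKeyUsageAny. So a CA or intermediate issued without any EKU extension is fine; the failure in the question arises when an intermediate carries an EKU list (for example serverAuth only) that omits clientAuth.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certSpec describes one certificate in the constructed test chain.
type certSpec struct {
	name string
	isCA bool
	eku  []x509.ExtKeyUsage // nil means "no EKU extension at all"
}

// makeCert issues a certificate for spec. A nil parent means self-signed.
// Keys are fresh P-256 keys; nothing here is persisted.
func makeCert(spec certSpec, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               pkix.Name{CommonName: spec.name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  spec.isCA,
		BasicConstraintsValid: true,
		ExtKeyUsage:           spec.eku,
	}
	if spec.isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyClientChain builds root -> intermediate -> client with the given EKU
// list on the intermediate, then verifies the client certificate for
// ExtKeyUsageClientAuth, which is what a Go TLS server does for a client cert.
// It returns the verification error, or nil if the chain is accepted.
func VerifyClientChain(intermediateEKU []x509.ExtKeyUsage) error {
	root, rootKey, err := makeCert(certSpec{name: "Example Test Root CA", isCA: true}, 1, nil, nil)
	if err != nil {
		return err
	}
	inter, interKey, err := makeCert(certSpec{name: "Example Test Intermediate", isCA: true, eku: intermediateEKU}, 2, root, rootKey)
	if err != nil {
		return err
	}
	leaf, _, err := makeCert(certSpec{name: "example-client", eku: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, 3, inter, interKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	cases := []struct {
		label string
		eku   []x509.ExtKeyUsage
	}{
		{"intermediate with serverAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"intermediate with no EKU extension", nil},
		{"intermediate with clientAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"intermediate with anyExtendedKeyUsage", []x509.ExtKeyUsage{x509.ExtKeyUsageAny}},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %v\n", c.label, VerifyClientChain(c.eku))
	}
}
```

Only the first case fails, with the same "x509: certificate specifies an incompatible key usage" error seen in the question. For a private CA that must issue client certificates through Go, the practical choices are therefore to issue the intermediate with no EKU extension, to include clientAuth in its EKU list, or to use anyExtendedKeyUsage.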