This repository was archived by the owner on Jun 19, 2025. It is now read-only.

@ramondeklein ramondeklein commented Dec 30, 2024

It looks like tls.Config.Certificates will not always send the client certificate.

The Go TLS code contains the following:

```go
func (c *Conn) getClientCertificate(cri *CertificateRequestInfo) (*Certificate, error) {
	if c.config.GetClientCertificate != nil {
		return c.config.GetClientCertificate(cri)
	}

	for _, chain := range c.config.Certificates {
		if err := cri.SupportsCertificate(&chain); err != nil {
			continue
		}
		return &chain, nil
	}

	// No acceptable certificate found. Don't send a certificate.
	return new(Certificate), nil
}
```

So if the certificate doesn't match the conditions in cri.SupportsCertificate, then it won't be sent.

@ramondeklein ramondeklein self-assigned this Dec 30, 2024
@ramondeklein ramondeklein requested a review from aead December 30, 2024 17:14
@aead aead merged commit 4945c09 into minio:master Dec 30, 2024
8 checks passed
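
An added example, not code from this pull request or from the Go source: it exercises one condition inside `cri.SupportsCertificate`, the server's acceptable-CA list, against a constructed self-signed certificate, and shows that a `GetClientCertificate` callback is not subject to that check. The helper names `newClientCert`, `filter` and `alwaysSend` and both common names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds constructed sample input: a self-signed certificate whose issuer CN is "example-client".
func newClientCert() (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// filter (hypothetical helper) runs the Certificates-loop check for a server that lists one acceptable CA.
func filter(cert *tls.Certificate, caCN string) error {
	dn, err := asn1.Marshal(pkix.Name{CommonName: caCN}.ToRDNSequence())
	if err != nil {
		return err
	}
	cri := &tls.CertificateRequestInfo{AcceptableCAs: [][]byte{dn}, Version: tls.VersionTLS13, SignatureSchemes: []tls.SignatureScheme{tls.Ed25519}}
	return cri.SupportsCertificate(cert)
}

// alwaysSend (hypothetical helper) is a GetClientCertificate callback; its result is used without that check.
func alwaysSend(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
}

func main() {
	cert, err := newClientCert()
	if err != nil {
		panic(err)
	}
	sent, _ := alwaysSend(cert)(nil)
	fmt.Println("listed:", filter(&cert, "example-client"), "| not listed:", filter(&cert, "some-other-ca"), "| callback chain:", len(sent.Certificate))
}
```

When the filter rejects every entry in `Certificates`, the client sends an empty certificate message and the handshake outcome is decided by the server's client-auth policy, so the failure surfaces on the server side rather than as a client configuration error.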