Hi
I'm having issues authenticating to our servers, which require client-side authentication.
I'm sure it has to do with this bug, but I couldn't find a straight answer on how to bypass or work around it besides using go-curl. Any suggestion would be welcome, even if it requires changing some configuration on the server, which, by the way, is running Apache.
I will need to build Windows and Linux, and possibly mobile, versions of this app, and I had issues before, when I got started with Go, cross-compiling with go-curl, so being able to keep using net/http would be much nicer.
This is how I'm connecting to our server, pretty simple...
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"
)

// newClient builds the HTTPS client exactly as posted; certFile, keyFile and
// the three caFile paths are the poster's own variables, taken as parameters.
func newClient(certFile, keyFile, caFile, caFile2, caFile3 string) *http.Client {
	// Load client cert
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		log.Fatal(err)
	}
	// Load CA cert
	caCert, err := ioutil.ReadFile(caFile)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)
	caCert2, err := ioutil.ReadFile(caFile2)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool.AppendCertsFromPEM(caCert2)
	caCert3, err := ioutil.ReadFile(caFile3)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool.AppendCertsFromPEM(caCert3)
	// Setup HTTPS client
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		//RootCAs: caCertPool,
		// Server certificate verification is switched off here, so the pool
		// built above is never consulted.
		InsecureSkipVerify: true,
		// ClientAuth is a server-side policy field; a client ignores it.
		ClientAuth: tls.VerifyClientCertIfGiven,
		// Pins the connection to TLS 1.0 only.
		MinVersion: tls.VersionTLS10,
		MaxVersion: tls.VersionTLS10,
	}
	tlsConfig.BuildNameToCertificate()
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	return &http.Client{Transport: transport}
}
I've tried many combinations of the tls.Config with no success, but I always get a
local error: no renegotiation
or
remote error: handshake failure
if I meddle with the cipher suites.
Thanks!
Comments:
nerdy900:
norwat: Are you doing something with your server that a simple:
http.Get("https://myurl")
will not work? If you have a valid SSL setup on your server, it works out of the box.
Edit: I misunderstood the thread; I thought that this bug was fixed in go1.5.
nerdy900: The current setup requires a client to provide a valid SSL certificate in order to access the server. The example I showed should work in most cases, but it does not for our servers, and I was unable to figure out what the valid server-side SSL configurations are in order to work with Go.
norwat: Yeah, from the looks of it, this bugfix has been pushed back to go1.7 :( Most of the threads I saw recommended either disabling security (I absolutely do not like this) or using go-curl.
Best of luck!
Although this works: https://gist.github.com/ncw/9253562 If I could figure out what settings are required in Apache/nginx to duplicate this, I could keep net/http, but it does seem I have to revert to go-curl and work out the cross-compile issues later.
Thanks
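An added example, not code from the thread: the poster's client rebuilt so that it works against a server that requires a client certificate. It assumes a Go toolchain that has tls.Config.Renegotiation, the field added in Go 1.7 that the comments above say the fix was pushed to. RenegotiateOnceAsClient is what clears "local error: no renegotiation": Apache renegotiates after it has read the request when SSLVerifyClient sits inside a <Location> or <Directory> block, because it only learns then that the path needs a client certificate; moving the directive to the virtual host avoids the renegotiation altogether, which is the server-side change that makes even a Go 1.6 client work. Server verification stays on, with RootCAs built from the CA files and the AppendCertsFromPEM result checked, since the posted code ignores it and a typo in a CA path would otherwise fail silently. NewMTLSConfig, newCert and Demo are names chosen here; the in-process server, the self-signed certificates it pins as trust anchors in place of real CA bundles, and the X-Client header are all constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewMTLSConfig is the client side of mutual TLS: our certificate for client
// authentication plus PEM bundles of trust anchors (the CA files) used to verify
// the server. Verification stays on, and Renegotiation (Go 1.7+) permits the one
// renegotiation a server that demands the client certificate per path initiates.
func NewMTLSConfig(certPEM, keyPEM []byte, rootPEMs ...[]byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("client key pair: %w", err)
	}
	roots := x509.NewCertPool()
	for i, bundle := range rootPEMs {
		// false means the bundle held no usable certificate: fail loudly.
		if !roots.AppendCertsFromPEM(bundle) {
			return nil, fmt.Errorf("root bundle %d: no PEM certificates found", i)
		}
	}
	return &tls.Config{
		Certificates:  []tls.Certificate{cert},
		RootCAs:       roots,
		MinVersion:    tls.VersionTLS12,
		Renegotiation: tls.RenegotiateOnceAsClient,
	}, nil
}

// newCert makes a throwaway self-signed certificate for cn, returned as a
// tls.Certificate and as the PEM pair the posted code reads from files; pinning
// it as the peer's trust anchor stands in for a CA. Constructed fixture: panics.
func newCert(cn string) (tls.Certificate, []byte, []byte) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)         // DER we just produced; cannot fail
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // ed25519 key; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf},
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

// Demo stands up a server that requires client certificates, calls it through
// NewMTLSConfig and returns the identity the server saw in the client certificate.
func Demo() (string, error) {
	server, serverPEM, _ := newCert("server")
	client, clientPEM, clientKeyPEM := newCert("client-01")
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(client.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Runs only after the client's chain has verified against ClientCAs.
		w.Header().Set("X-Client", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	defer srv.Close()
	cfg, err := NewMTLSConfig(clientPEM, clientKeyPEM, serverPEM)
	if err != nil {
		return "", err
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Client"), nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints `client-01 <nil>`. Against the real servers, pass the poster's certFile/keyFile and the three CA files to NewMTLSConfig instead of the self-signed PEMs; the ClientAuth line in the posted config can simply go, since it is a server-side field that a client never reads, and without InsecureSkipVerify a wrong CA bundle now shows up as a verification error rather than as an invisible hole.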
