server doesn't close the connection when certificate verification fails #16

marten-seemann · 2019-02-21T07:15:13Z

The only condition for which it works properly is when the signature of the certificate is wrong (i.e. the client is using a certificate that was issued for a different key). All other error conditions, e.g. expired cert, invalid length cert chain, etc., don't generate an error. For the client, the connection will stay open and Read will block indefinitely.

The text was updated successfully, but these errors were encountered:

marten-seemann · 2019-02-21T07:23:27Z

Unfortunately, the Go standard library doesn't provide us any method to send a TLS alert (tls.Conn.sendAlert is not exported). So if we verify the certificate chain after establishing the connection, all we can do is call tls.Conn.Close(), which will be interpreted as a regular EOF by the client, not as an error.
The only way to actually send a TLS alert seems to be to return an error from the tls.Config.VerifyPeerCertificate callback. However, I really want to avoid parsing the client's certificate chain twice.

marten-seemann added the kind/bug A bug in existing code (including security flaws) label Feb 21, 2019

marten-seemann mentioned this issue Feb 21, 2019

improve peer verification #17

Merged

marten-seemann closed this as completed in #17 Feb 28, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

server doesn't close the connection when certificate verification fails #16

server doesn't close the connection when certificate verification fails #16

marten-seemann commented Feb 21, 2019

marten-seemann commented Feb 21, 2019

server doesn't close the connection when certificate verification fails #16

server doesn't close the connection when certificate verification fails #16

Comments

marten-seemann commented Feb 21, 2019

marten-seemann commented Feb 21, 2019