Skip to content

crypto/tls: allow choosing ClientAuth (and others?) based on SNI #15707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
FiloSottile opened this issue May 16, 2016 · 6 comments
Closed

crypto/tls: allow choosing ClientAuth (and others?) based on SNI #15707

FiloSottile opened this issue May 16, 2016 · 6 comments
Labels
FeatureRequest Issues asking for a new feature that does not need a proposal. FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.8Maybe

Comments

@FiloSottile
Copy link
Contributor

tls.Config.ClientAuth is global per server, however there's no reason it shouldn't be a func(clientHello *ClientHelloInfo) (ClientAuthType, *x509.CertPool). See example use case in caddyserver/caddy#829.

On the other hand, the same can be said about NextProtos (already a desired feature, to have HTTP/2 enabled only on some hosts, caddyserver/caddy#189), CipherSuites, SessionTicketKey, ClientSessionCache, CurvePreferences...

I suspect some of them have issues open about them already, but couldn't find them.
@FiloSottile FiloSottile mentioned this issue May 16, 2016
Closed
@bradfitz bradfitz modified the milestones: Go1.7Maybe, Go1.8Maybe May 16, 2016
@bradfitz bradfitz added the FeatureRequest Issues asking for a new feature that does not need a proposal. label May 16, 2016
@danp
Copy link
Contributor

danp commented May 17, 2016

Probably related to #15699.

@elcore elcore mentioned this issue May 26, 2016
Closed
@groob
Copy link
Contributor

groob commented Jun 12, 2016

The ability to do this in a Go application would be great for internet facing services. Currently it's relatively easy to support Let's Encrypt, but this limitation requires us to go back to using HAProxy.

My application bundles a SCEP server to issue client certificates and then requires the client to provide the cert at another SNI. Currently it's impossible to do both in a single Go server without using two separate ports.

@danp danp mentioned this issue Jun 30, 2016
Closed
@agl
Copy link
Contributor

agl commented Jul 11, 2016

I hope to spend a week working on Go in the 1.8 cycle and to address this.

@danp
Copy link
Contributor

danp commented Aug 16, 2016

Noticed title prefix of this issue has a typo: crpyto -> crypto

@bradfitz bradfitz changed the title crpyto/tls: allow choosing ClientAuth (and others?) based on SNI crypto/tls: allow choosing ClientAuth (and others?) based on SNI Aug 16, 2016
@bradfitz bradfitz mentioned this issue Sep 29, 2016
Closed
@bradfitz
Copy link
Contributor

See #16066 for a related issue and my comment #16066 (comment) for one idea.

@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 10, 2016
@gopherbot
Copy link
Contributor

CL https://golang.org/cl/30790 mentions this issue.

@golang golang locked and limited conversation to collaborators Oct 18, 2017
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl @bradfitz
crypto/tls: add Config.GetConfigForClient
0b98d05 
GetConfigForClient allows the tls.Config to be updated on a per-client
basis.

Fixes golang#16066.
Fixes golang#15707.
Fixes golang#15699.

Change-Id: I2c675a443d557f969441226729f98502b38901ea
Reviewed-on: https://go-review.googlesource.com/30790
Run-TryBot: Adam Langley <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl @bradfitz
crypto/tls: add Config.GetConfigForClient
826c39c 
GetConfigForClient allows the tls.Config to be updated on a per-client
basis.

Fixes golang#16066.
Fixes golang#15707.
Fixes golang#15699.

Change-Id: I2c675a443d557f969441226729f98502b38901ea
Reviewed-on: https://go-review.googlesource.com/30790
Run-TryBot: Adam Langley <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FeatureRequest Issues asking for a new feature that does not need a proposal. FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.8Maybe
Development

No branches or pull requests
7 participants
@danp @bradfitz @agl @quentinmit @FiloSottile @groob @gopherbot