crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier will treat the certificate as a server certificate and require it to have an ExtKeyUsageServerAuth key usage. R=golang-dev CC=golang-dev https://golang.org/cl/6453148
parent
d32fa8a79a
commit
0c7b858b3e
@ -211,6 +211,7 @@ FindCipherSuite:
|
|||||||
Roots: c.config.ClientCAs,
|
Roots: c.config.ClientCAs,
|
||||||
CurrentTime: c.config.time(),
|
CurrentTime: c.config.time(),
|
||||||
Intermediates: x509.NewCertPool(),
|
Intermediates: x509.NewCertPool(),
|
||||||
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, cert := range certs {
|
for i, cert := range certs {
|
||||||
|
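Review bot: The added `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},` line in the options literal has no comment, and the reason for it is not obvious from the code alone. A short why-comment above it would stop a later cleanup from dropping the field, for example `// Without an explicit KeyUsages the verifier assumes a server certificate and requires ExtKeyUsageServerAuth.` No test is visible on this page. One that expects a leaf carrying only the serverAuth usage to be rejected as a client certificate, and a leaf carrying only clientAuth to be accepted, would pin the intended policy. Deployments that issued client certificates with an extended key usage extension lacking clientAuth will presumably start failing verification after this change, which is worth a release note. The enclosing function starts and ends outside the hunk, so how the verification error is reported to the peer cannot be checked from here.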