mirror
/
go
mirror of https://github.com/golang/go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc/go1.21: document changes in crypto/tls related to client authentication alerts 

For #52113
For #58645

Change-Id: Id7dff2570132588da95fb4216a86faf34fa2cbdc
GitHub-Last-Rev: 94eabfe82f
GitHub-Pull-Request: golang/go#60972
Reviewed-on: https://go-review.googlesource.com/c/go/+/505436
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Anit Gandhi 2023-06-27 16:55:45 +00:00 committed by Gopher Robot
parent 3c25d832af
commit 3ca90ed866
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
doc/go1.21.html
View File

@ -585,6 +585,32 @@ Do not send CLs removing the interior tags from such phrases.
The new <a href="/pkg/crypto/tls/#VersionName"><code>VersionName</code></a> function The new <a href="/pkg/crypto/tls/#VersionName"><code>VersionName</code></a> function
returns the name for a TLS version number. returns the name for a TLS version number.
</p> </p>
<p><!-- https://go.dev/issue/52113, CL 410496 -->
The TLS alert codes sent from the server for client authentication failures have
been improved. Prior to Go 1.21, these failures always resulted in a "bad certificate" alert.
Starting from Go 1.21, certain failures will result in more appropriate alert codes,
as defined by RFC 5246 and RFC 8446:
<ul>
<li>
For TLS 1.3 connections, if the server is configured to require client authentication using
<a href="/pkg/crypto/tls/#RequireAnyClientCert"></code>RequireAnyClientCert</code></a> or
<a href="/pkg/crypto/tls/#RequireAndVerifyClientCert"></code>RequireAndVerifyClientCert</code></a>,
and the client does not provide any certificate, the server will now return the "certificate required" alert.
</li>
<li>
If the client provides a certificate that is not signed by the set of trusted certificate authorities
configured on the server, the server will return the "unknown certificate authority" alert.
</li>
<li>
If the client provides a certificate that is either expired or not yet valid,
the server will return the "expired certificate" alert.
</li>
<li>
In all other scenarios related to client authentication failures, the server still returns "bad certificate".
</li>
</ul>
</p>
</dd> </dd>
</dl><!-- crypto/tls --> </dl><!-- crypto/tls -->