crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs

If we aren't explicit about the KeyUsages, the verifier will treat the certificate as a server certificate and require it to have a ExtKeyUsageServerAuth key usage. R=golang-dev CC=golang-dev https://golang.org/cl/6453148

crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier will treat the certificate as a server certificate and require it to have a ExtKeyUsageServerAuth key usage. R=golang-dev CC=golang-dev https://golang.org/cl/6453148
67924c1b · Mikkel Krautz · Adam Langley · 58064a7c · 67924c1b
Commit 67924c1b authored Aug 18, 2012 by Mikkel Krautz Committed by Adam Langley Aug 18, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

handshake_server.go src/pkg/crypto/tls/handshake_server.go +1 -0

No files found.
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -211,6 +211,7 @@ FindCipherSuite:
 				Roots:         c.config.ClientCAs,
 				CurrentTime:   c.config.time(),
 				Intermediates: x509.NewCertPool(),
+				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			}

 			for i, cert := range certs {