    crypto/tls: don't require an explicit client-auth EKU. · c72b8aa3
    Adam Langley authored
    Previously we enforced both that the extended key usages of a client
    certificate chain allowed for client authentication, and that the
    client-auth EKU was in the leaf certificate.
    
    This change removes the latter requirement. It's still the case that the
    chain must be compatible with the client-auth EKU (i.e. that a parent
    certificate isn't limited to another usage, like S/MIME), but we'll now
    accept a leaf certificate with no EKUs for client-auth.
    
    While it would be nice if all client certificates were explicit in their
    intended purpose, I no longer feel that this battle is worthwhile.
    
    Fixes #11087.
    
    Change-Id: I777e695101cbeba069b730163533e2977f4dc1fc
    Reviewed-on: https://go-review.googlesource.com/10806
    Reviewed-by: Andrew Gerrand <adg@golang.org>
    Run-TryBot: Adam Langley <agl@golang.org>
Name
testdata
alert.go
cipher_suites.go
common.go
conn.go
conn_test.go
example_test.go
generate_cert.go
handshake_client.go
handshake_client_test.go
handshake_messages.go
handshake_messages_test.go
handshake_server.go
handshake_server_test.go
handshake_test.go
key_agreement.go
prf.go
prf_test.go
ticket.go
tls.go
tls_test.go