mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-13 22:51:08 -05:00
tls/client auth: verify first certificates in client request (#3344)
When client certificate is enabled Caddy check only last certificate from request. When this cert is not in list of trusted leaf certificates, connection is rejected. According to RFC TLS1.x the sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. This patch fix this problem - first certificate is checked instead of last.
This commit is contained in:
parent
9e5d9e2530
commit
b814c0af9c
1 changed files with 1 additions and 1 deletions
|
@ -395,7 +395,7 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
|
||||||
return fmt.Errorf("no client certificate provided")
|
return fmt.Errorf("no client certificate provided")
|
||||||
}
|
}
|
||||||
|
|
||||||
remoteLeafCert, err := x509.ParseCertificate(rawCerts[len(rawCerts)-1])
|
remoteLeafCert, err := x509.ParseCertificate(rawCerts[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("can't parse the given certificate: %s", err.Error())
|
return fmt.Errorf("can't parse the given certificate: %s", err.Error())
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue