crypto/tls: RequireAndVerifyClientCert not rejecting bad client cert on 1.10 that it was on 1.9 #23884

@psanford

What version of Go are you using (go version)?

$ go version
go version go1.10 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/psanford/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/psanford/projects/nearbuy/storenet/go"
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build417289417=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Ran the following program on 1.9.4 and 1.10:

https://play.golang.org/p/gt67v9Ih7Te

The https server is requiring client certs with RequireAndVerifyClientCert. The client is using a weird (bad?) cert that has ExtKeyUsage: x509.ExtKeyUsageServerAuth instead of x509.ExtKeyUsageClientAuth.

What did you expect to see?

On 1.9.4 the https server rejects the weird client cert:

2018/02/17 02:19:06 http: TLS handshake error from 127.0.0.1:57370: tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage
panic: Get https://127.0.0.1:4443: remote error: tls: bad certificate

What did you see instead?

On 1.10 it accepts the client cert.

response status: 200 OK
Hello, "/"
done
