Go client issue with apache SSL


(Valentin Kuznetsov) #1

Hi,
I'm experiencing a weird problem with a Go client accessing an Apache SSL server. I need to authenticate my client with my X509 certificates. Here is the client code:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "net/http"
    "os"
)

// helper function to create a client
func HttpClient() *http.Client {
    // paths of the client certificate and private key come from the
    // usual X509_USER_* environment variables
    uckey := os.Getenv("X509_USER_KEY")
    ucert := os.Getenv("X509_USER_CERT")
    cert, err := tls.LoadX509KeyPair(ucert, uckey)
    if err != nil {
        panic(err.Error())
    }
    certs := []tls.Certificate{cert}
    // root CA used to verify the server certificate
    caCert, err := ioutil.ReadFile("my-grid-CA.pem")
    if err != nil {
        panic(err.Error())
    }
    caCertPool := x509.NewCertPool()
    // AppendCertsFromPEM reports false when no certificate could be parsed
    if !caCertPool.AppendCertsFromPEM(caCert) {
        panic("no CA certificates found in my-grid-CA.pem")
    }
    tlsConfig := &tls.Config{Certificates: certs, RootCAs: caCertPool}
    tlsConfig.BuildNameToCertificate()
    tr := &http.Transport{TLSClientConfig: tlsConfig}
    return &http.Client{Transport: tr}
}

Then I use the following code to make an HTTPS call:

rurl := "MY_URL"
req, _ := http.NewRequest("GET", rurl, nil)
req.Header.Add("Accept-Encoding", "identity") // I set up other headers in a similar way
client := HttpClient()
resp, err := client.Do(req)
if err != nil {
    panic(err.Error())
}
defer resp.Body.Close()

And I'm getting an authentication error because my client certificates are not propagated to the Apache server.
On the Apache server I found that mod_ssl extracts my server CA and creates SSL_SERVER_CERT and similar SSL_SERVER headers, but for client certificates it only creates

SSL_CLIENT_VERIFY: NONE
SSL_CLIENT_CERT:

and nothing else. If I use Python code or plain curl I do see that Apache correctly identifies the client certificates, extracts my DN, etc., i.e. it sets up SSL_CLIENT_S_DN and other headers, which are later used by the authentication code.

How can I dump the request in Go code along with the certificates passed? I used httputil.DumpRequestOut, but it does not print my certificates; it only provides info about the request headers.

What else am I missing?
I would appreciate any help,
Valentin.


(Valentin Kuznetsov) #2

I found a remedy. It turns out to be a misconfiguration of the Apache server, which is supposed to follow the chain of client certificates provided by the Go client. Surprisingly this is not the case for the curl and Python clients, i.e. when I used them the Apache server was able to recognize the client certificates. The actual Apache configuration requires the following parameters:

SSLCACertificatePath /path/certificates
SSLCARevocationPath /path/certificates
SSLCARevocationCheck chain

Without these options Apache will be unable to recognize the DN of the X509 certificate passed by the Go client.
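The two posts above describe a symptom (Apache reports SSL_CLIENT_VERIFY: NONE for the Go client while curl and Python are recognized) and a fix on the Apache side. The Go program below is an added example, not code from the thread; it reproduces the mechanism with Go's own TLS stack, using a constructed root -> issuing CA -> user chain and an httptest server standing in for Apache. What it demonstrates: Go's client only offers a certificate when some certificate in its chain is issued by a CA named in the server's CertificateRequest, and otherwise silently sends none, which on the server side looks exactly like the empty SSL_CLIENT_CERT above. Trusting the issuing CA on the server as well (the effect of pointing SSLCACertificatePath at a directory containing it) or sending the intermediate along with the user certificate from the client both resolve it. The CA names, the user CN and the X-Client-CN header are invented for the example, and the GetClientCertificate callback reimplements the default selection rule (via CertificateRequestInfo.SupportsCertificate) only so that the decision can be recorded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a constructed test certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo-only serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CAs
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

type probeResult struct {
	AcceptableCAs []string // CA names the server advertised in its CertificateRequest
	Offered       bool     // whether the Go client decided to send its certificate
	SeenByServer  string   // CN the server saw, "" when no client certificate arrived
}

// probe runs a TLS server trusting clientCAs (the role of Apache's SSLCACertificatePath) and connects with clientChain.
func probe(clientCAs []*x509.Certificate, clientChain tls.Certificate) (res probeResult) {
	pool := x509.NewCertPool()
	for _, ca := range clientCAs {
		pool.AddCert(ca)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(r.TLS.PeerCertificates) > 0 {
			w.Header().Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName)
		}
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool} // like SSLVerifyClient optional
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts httptest's self-signed server certificate
	tlsConf := client.Transport.(*http.Transport).TLSClientConfig
	// Same selection rule the default client applies to tls.Config.Certificates, with the decision recorded.
	tlsConf.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for _, raw := range cri.AcceptableCAs { // DER-encoded names from the server's CertificateRequest
			var rdn pkix.RDNSequence
			if _, err := asn1.Unmarshal(raw, &rdn); err == nil {
				var name pkix.Name
				name.FillFromRDNSequence(&rdn)
				res.AcceptableCAs = append(res.AcceptableCAs, name.CommonName)
			}
		}
		if err := cri.SupportsCertificate(&clientChain); err != nil {
			return &tls.Certificate{}, nil // no issuer match: the handshake continues without a client certificate
		}
		res.Offered = true
		return &clientChain, nil
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	res.SeenByServer = resp.Header.Get("X-Client-CN")
	return res
}

// scenarios builds a constructed root -> issuing CA -> user chain and runs the reported symptom and both fixes.
func scenarios() (symptom, serverFix, clientFix probeResult) {
	root, rootKey := issue("Grid Root CA", true, nil, nil)
	inter, interKey := issue("Grid Issuing CA", true, root, rootKey)
	leaf, leafKey := issue("valentin", false, inter, interKey)
	leafOnly := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	fullChain := tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: leafKey}
	return probe([]*x509.Certificate{root}, leafOnly), // symptom: server only knows the root CA
		probe([]*x509.Certificate{root, inter}, leafOnly), // server-side fix: also trust the issuing CA
		probe([]*x509.Certificate{root}, fullChain) // client-side fix: send the intermediate as well
}

func main() { a, b, c := scenarios(); fmt.Println(a, b, c) }
```

Running it prints three results: in the first the server advertises only "Grid Root CA", the client's certificate is issued by "Grid Issuing CA", so Offered is false and the server sees no CN; in the other two Offered is true and the server sees "valentin". The GetClientCertificate callback is also the practical answer to the question in the first post: httputil.DumpRequestOut works at the HTTP layer and never sees the handshake, whereas logging cri.AcceptableCAs from that callback (and resp.TLS.PeerCertificates for the server side) shows exactly which CAs the server asked for and whether a certificate was sent.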