Hi,
I'm experiencing a weird problem with a Go client accessing an Apache SSL server. 
I need to authenticate my client with my X509 certificates. Here is the 
client code:

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "net/http"
    "os"
)

// helper function to create a client
func HttpClient() *http.Client {
    uckey := os.Getenv("X509_USER_KEY")
    ucert := os.Getenv("X509_USER_CERT")
    cert, err := tls.LoadX509KeyPair(ucert, uckey)
    if err != nil {
        panic(err.Error())
    }
    certs := []tls.Certificate{cert}
    // root CA
    caCert, err := ioutil.ReadFile("my-grid-CA.pem")
    if err != nil {
        panic(err.Error())
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)
    tlsConfig := &tls.Config{Certificates: certs, RootCAs: caCertPool}
    tlsConfig.BuildNameToCertificate()
    tr := &http.Transport{TLSClientConfig: tlsConfig}
    return &http.Client{Transport: tr}
}

Then I use the following code to make an HTTPs call:

rurl := "MY_URL"
req, _ := http.NewRequest("GET", rurl, nil)
req.Header.Add("Accept-Encoding", "identity") // I setup other headers in a similar way
client := HttpClient()
resp, err := client.Do(req)

And I'm getting an authentication error because my client certificates are 
not propagated to the Apache server.
From the Apache server I found that mod_ssl extracts my server CA and 
creates SSL_SERVER_CERT and similar SSL_SERVER headers, but for client 
certificates it only creates
SSL_CLIENT_VERIFY: NONE
SSL_CLIENT_CERT:
and nothing else. If I use Python code or plain curl I do see that Apache 
correctly identifies client certificates, extracts my DN, etc., i.e. it 
sets up SSL_CLIENT_S_DN and other headers, which are later used by the 
authentication code.

How can I dump, in Go code, the request along with the passed certificates? I used 
httputil.DumpRequestOut but it does not print my certificates, it only 
provides info about request headers.

What else am I missing?
I would appreciate any help,
Valentin.
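
Added example, not part of the original post: client certificates travel in the TLS handshake, not in the HTTP request, so the place to observe them from Go is the tls.Config.GetClientCertificate callback. This sketch assumes a local httptest server standing in for Apache/mod_ssl; Probe, the X-Client-DN header and the self-signed "constructed-client" identity are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe returns the client DN the test server saw ("" if none) and how often it asked for a cert.
func Probe(present bool) (saw string, asked int, err error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway identity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return "", 0, err
	}
	cert := &tls.Certificate{} // empty: the client sends no certificate
	if present {
		cert = &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if pc := r.TLS.PeerCertificates; len(pc) > 0 { // server-side view, like SSL_CLIENT_S_DN
			w.Header().Set("X-Client-DN", pc[0].Subject.String())
		}
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert} // ask for a cert, do not verify it
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's certificate
	client.Transport.(*http.Transport).TLSClientConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		asked++ // runs only when the server sends a CertificateRequest
		return cert, nil
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", asked, err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Client-DN"), asked, nil
}

func main() { fmt.Println(Probe(true)) }
```

A callback that never fires against a real server means no certificate was requested during that handshake. When GetClientCertificate is set, the Certificates field of the tls.Config is ignored, so the callback has to return the loaded key pair itself.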
