I am no TLS expert, but your question makes me wonder why the server should 
*not* serve the root CA's certificate. After all, it contains the signature 
(<https://en.wikipedia.org/wiki/Public_key_certificate#TLS.2FSSL_server_certificate>) 
that validates the server's certificate (either directly or via one or more 
intermediate CAs' signatures). How can the client verify the server's 
certificate if the root CA's signature is not handed over to it?

On Monday, September 18, 2017 at 9:42:19 PM UTC+2, Karsten Weiss wrote:
>
> Hi,
>
> I have a question about ListenAndServeTLS()'s godoc comment:
>
> // ListenAndServeTLS acts identically to ListenAndServe, except that it
> // expects HTTPS connections. Additionally, files containing a certificate and
> // matching private key for the server must be provided. If the certificate
> // is signed by a certificate authority, the certFile should be the concatenation
> // of the server's certificate, any intermediates, and the CA's certificate.
>
> I'm surprised about the last part ("and the CA's certificate").
>
> A TLS web server usually does not serve the root CA certificate (only the
> server's certificate and all the intermediate certificates). The root CA certs
> OTOH are stored in the client's root certificate store.
>
> However, the godoc comment seems to indicate that the root CA certificate
> is expected. Am I misunderstanding the comment?
>
> I would have expected the following godoc comment instead:
>
> // ListenAndServeTLS acts identically to ListenAndServe, except that it
> // expects HTTPS connections. Additionally, files containing a certificate and
> // matching private key for the server must be provided. If the certificate
> // is signed by a certificate authority, the certFile should be the concatenation
> // of the server's certificate, any intermediates, but NOT the root CA's
> // certificate.
>
> Comments?
>
