I can authenticate users via certificate with tls.Config and RequireAndVerifyClientCert to my CA, that's working just fine.
What I'd like to do however is to *only* require and verify the cert if they don't have a valid session cookie. I know that the session is only available after TLS, but the client cert is also not available always. I only want the cert to be required for an initial authentication and then after certain timeout periods. Is there any way to tell the client to reconnect but this time present a certificate? I don't think there is, but trying to work through this. I could run the service on a different port and then have separate tls.Config options (require cert or not), but the fat client I'm dealing with doesn't like the different port -- it only wants 443. I've also thought about authenticating on a different domain name auth.service then redirecting to data.service or something like that where the cookie would be issued to the *.service domain, however that's still one tls.Config and using SNI with tls.Config.GetCertificate() and I don't know of a way to change the tls.Config.ClientAuth for a server based upon the SNI. Any ideas?