[go-nuts] Re: mutual TLS authentication (sometimes)

Wed, 20 Nov 2019 01:17:45 -0800 

Matthew Zimmerman <mzimmer...@gmail.com> once said:
> I've also thought about authenticating on a different domain name
> auth.service then redirecting to data.service or something like that where
> the cookie would be issued to the *.service domain, however that's still
> one tls.Config and using SNI with tls.Config.GetCertificate() and I don't
> know of a way to change the tls.Config.ClientAuth for a server based upon
> the SNI.
> 
> Any ideas?

% go doc crypto/tls Config.GetConfigForClient
package tls // import "crypto/tls"

type Config struct {
    // GetConfigForClient, if not nil, is called after a ClientHello is received
    // from a client. It may return a non-nil Config in order to change the 
Config
    // that will be used to handle this connection. If the returned Config is 
nil,
    // the original Config will be used. The Config returned by this callback 
may
    // not be subsequently modified.
    //
    // If GetConfigForClient is nil, the Config passed to Server() will be used 
for
    // all connections.
    //
    // Uniquely for the fields in the returned Config, session ticket keys will 
be
    // duplicated from the original Config if not set. Specifically, if
    // SetSessionTicketKeys was called on the original config but not on the
    // returned config then the ticket keys from the original config will be 
copied
    // into the new config before use. Otherwise, if SessionTicketKey was set in
    // the original config but not in the returned config then it will be copied
    // into the returned config before use. If neither of those cases applies 
then
    // the key material from the returned config will be used for session 
tickets.
    GetConfigForClient func(*ClientHelloInfo) (*Config, error)

    // ... other fields elided ...
}
%

Cheers,
  Anthony

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/20191120091723.GA87289%40alice.

Reply via email to