File tree 1 file changed +26
-0
lines changed 1 file changed +26
-0
lines changed Original file line number Diff line number Diff line change @@ -585,6 +585,32 @@ <h3 id="minor_library_changes">Minor changes to the library</h3>
585585 The new < a href ="/pkg/crypto/tls/#VersionName "> < code > VersionName</ code > </ a > function
586586 returns the name for a TLS version number.
587587 </ p >
588+
589+ < p > <!-- https://go.dev/issue/52113, CL 410496 -->
590+ The TLS alert codes sent from the server for client authentication failures have
591+ been improved. Prior to Go 1.21, these failures always resulted in a "bad certificate" alert.
592+ Starting from Go 1.21, certain failures will result in more appropriate alert codes,
593+ as defined by RFC 5246 and RFC 8446:
594+ < ul >
595+ < li >
596+ For TLS 1.3 connections, if the server is configured to require client authentication using
597+ < a href ="/pkg/crypto/tls/#RequireAnyClientCert "> </ code > RequireAnyClientCert</ code > </ a > or
598+ < a href ="/pkg/crypto/tls/#RequireAndVerifyClientCert "> </ code > RequireAndVerifyClientCert</ code > </ a > ,
599+ and the client does not provide any certificate, the server will now return the "certificate required" alert.
600+ </ li >
601+ < li >
602+ If the client provides a certificate that is not signed by the set of trusted certificate authorities
603+ configured on the server, the server will return the "unknown certificate authority" alert.
604+ </ li >
605+ < li >
606+ If the client provides a certificate that is either expired or not yet valid,
607+ the server will return the "expired certificate" alert.
608+ </ li >
609+ < li >
610+ In all other scenarios related to client authentication failures, the server still returns "bad certificate".
611+ </ li >
612+ </ ul >
613+ </ p >
588614 </ dd >
589615</ dl > <!-- crypto/tls -->
590616
You can’t perform that action at this time.
0 commit comments