crypto/tls: Support providing additional _intermediate_ certs for verification in tls.Config

[alex]

What version of Go are you using (go version)?

$ go version
go version go1.12.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/alex/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/alex/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build103295892=/tmp/go-build -gno-record-gcc-switches"

What did you do?

In a TLS connection, the server is supposed to send a chain of certificates that connects from the leaf to the root founding in a client's trust store. Unfortunately some servers are misconfigured, and do not send the necessary intermediates (generally they only serve a leaf, although every once in a while you see one that serves the wrong intermediate).

In order to work around this, developers often find either the leaf or the intermediate for the server they're trying to communicate with, and add it to the trust store. This is unfortunate because it's relatively brittle (particularly if they add the leaf, which should rotate regularly), and it's less secure -- if the root is removed from their trust store, connections will continue to be trusted.

Instead, if there was a way to provide tls.Config with additional Intermediates, this could be used more safely -- it would not override the trusted roots, merely allow users to compensate for misconfigured servers.

I believe fixing this would look like adding a Intermediates x509.CertPool onto tls.Config and then copying it over for verification around here https://github.com/golang/go/blob/master/src/crypto/tls/handshake_client.go#L827 (and the equivalent for the server side, naturally).

[FiloSottile]

This is possible by setting InsecureSkipVerify and VerifyPeerCertificate. I'm inclined not to add a dedicated option because it's not that much of a common use case, and I suspect that it might require custom logic based on the peer's certificates anyway, so the VerifyPeerCertificate callback is the right place for that logic.

Opened #31792 to add an example.

[alex]

Thanks for the quick reply! I'll defer my contemplation of whether I want to advocate more for this proposal until the example is added to the docs, so I can have a sense of what the level of complexity involved is. Thanks!

[gopherbot]

Change https://golang.org/cl/193620 mentions this issue: crypto/tls: add ExampleConfig_VerifyPeerCertificate