cmd/go: add GOAUTH support for TLS client certificates#80371
Conversation
GOAUTH can provide HTTP request headers, but it cannot configure client certificates needed during TLS handshakes. Add a built-in mtls method that associates PEM certificate and private key files with one canonical HTTPS origin. Load the files only for matching requests and use a distinct cloned transport for each configuration so redirects re-evaluate certificate selection. Reject mTLS when GOINSECURE applies or when an HTTPS proxy is selected. Keep normal server certificate verification unchanged. Add unit and script tests covering origin matching, redirects, lazy loading, combined and separate PEM files, go-import discovery, and HTTPS GOPROXY use. For golang#30119
|
This PR (HEAD: d1c1d3d) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/go/+/799701. Important tips:
|
|
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be During May-July and Nov-Jan the Go project is in a code freeze, during which Please don’t reply on this GitHub thread. Visit golang.org/cl/799701. |
GOAUTH can provide HTTP request headers, but it cannot configure client
certificates needed during TLS handshakes.
Add a built-in mtls method that associates PEM certificate and private
key files with one canonical HTTPS origin. Load the files only for
matching requests and use a distinct cloned transport for each
configuration so redirects re-evaluate certificate selection.
Reject mTLS when GOINSECURE applies or when an HTTPS proxy is selected.
Keep normal server certificate verification unchanged. Add unit and
script tests covering origin matching, redirects, lazy loading,
combined and separate PEM files, go-import discovery, and HTTPS
GOPROXY use.
For #30119