author: Karol Będkowski <KarolBedkowski@users.noreply.github.com> 2020-05-06 16:07:13 +0000
committer: GitHub <noreply@github.com> 2020-05-06 10:07:13 -0600
commit: b814c0af9c2c20a92f86e4db9836fd6b127dcf5b
tree: a35dd0edf9d14c610f21dc96cfef63ec04cd176c
parent: 9e5d9e2530109c72a406979fabe9ac5352171423
tls/client auth: verify first certificates in client request (#3344)
When client certificates are enabled, Caddy checks only the last certificate from the request. When this cert is not in the list of trusted leaf certificates, the connection is rejected. According to the TLS 1.x RFCs, the sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. This patch fixes this problem: the first certificate is checked instead of the last.
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- modules/caddytls/connpolicy.go 2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 1de7c2e..3a18061 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -395,7 +395,7 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
return fmt.Errorf("no client certificate provided")
}
- remoteLeafCert, err := x509.ParseCertificate(rawCerts[len(rawCerts)-1])
+ remoteLeafCert, err := x509.ParseCertificate(rawCerts[0])
if err != nil {
return fmt.Errorf("can't parse the given certificate: %s", err.Error())
}
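Review bot: rawCerts[0] is the correct index; RFC 5246 §7.4.2 and RFC 8446 §4.4.2 both require the sender's own certificate to be first in the Certificate message, so the old rawCerts[len(rawCerts)-1] compared the last element (an intermediate or root when the client sends a chain) against the trusted-leaf list and rejected any client that presented more than its leaf. The `no client certificate provided` guard visible just above keeps index 0 safe. This change should come with a regression test that presents a two-certificate chain (leaf followed by its issuer) and asserts the leaf is the one matched, because a single-certificate chain passes with both the old and the new code and would not catch a relapse. Note also that only the first certificate is parsed here and the rest of rawCerts is ignored; if the trusted-leaf comparison is intended as an exact-match allowlist that is acceptable, but the doc comment on verifyPeerCertificate should say so explicitly so nobody assumes the remaining chain is validated.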