crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs

If we aren't explicit about the KeyUsages, the verifier
will treat the certificate as a server certificate and require
it to have a ExtKeyUsageServerAuth key usage.

R=golang-dev
CC=golang-dev
https://golang.org/cl/6453148

diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index 76adc540c7126e1a0009e475fcd8ad4211f6f075..e5049a2f0db9fde1b966bb873299d5d99ac96f34 100644 (file)
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -211,6 +211,7 @@ FindCipherSuite:
                                Roots:         c.config.ClientCAs,
                                CurrentTime:   c.config.time(),
                                Intermediates: x509.NewCertPool(),
+                               KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
                        }
 
                        for i, cert := range certs {