---
title: Validate mTLS Certificates Before Auth
impact: CRITICAL
impactDescription: ensures mutual authentication between services
tags: mtls, certificates, authentication, service-mesh, security
---

## Validate mTLS Certificates Before Auth

Mutual TLS authenticates both parties only when the server actually verifies the client certificate against a trusted CA; merely requesting a certificate proves nothing. Always validate client certificates before processing requests.

**Incorrect (skipping certificate validation):**

```go
// Accepting any client certificate
server := &http.Server{
    TLSConfig: &tls.Config{
        // RequestClientCert only asks for a certificate: the client may send none, or one
        // that is expired or self-signed, and the handshake still succeeds. Nothing is
        // checked against a CA, so the connection is not mutually authenticated.
        ClientAuth: tls.RequestClientCert, // Does NOT reject invalid certs
    },
}
```

**Correct (proper mTLS validation):**

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

func main() {
	// Load the CA that issues client certificates. Fail closed on load errors: an empty pool would otherwise silently reject every client.
	caCert, err := os.ReadFile("ca.crt")
	if err != nil {
		log.Fatalf("read CA certificate: %v", err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatal("ca.crt contains no PEM certificates")
	}

	tlsConfig := &tls.Config{
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert, // Require AND Verify: no cert, or one that does not chain to ClientCAs, aborts the handshake
	}

	server := &http.Server{
		Addr:      ":8443", // listen address assumed for this example
		Handler:   http.HandlerFunc(handler),
		TLSConfig: tlsConfig,
	}
	// Server certificate and key paths are placeholders.
	log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
}

// Additional authorization in the handler. RequireAndVerifyClientCert has already
// verified the chain, so PeerCertificates is non-empty here; the check still fails
// closed instead of falling through when no certificate is present.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	if r.TLS.PeerCertificates[0].Subject.CommonName != "trusted-service" {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	// Authenticated and authorized: handle the request.
}
```
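The difference between the two `ClientAuth` settings can be exercised end to end. The following is an added example, not code from the original rule: it mints a throwaway CA, a client certificate issued by that CA and a self-signed certificate that merely claims the same CommonName (all constructed data), then runs one request against an `httptest` server under each mode and reports what `r.TLS` looked like inside the handler. The names `newCert`, `serve` and `demo-ca` are this example's own; the server certificate is `httptest`'s built-in one, and `GetClientCertificate` is used so the client offers its certificate regardless of the CA list the server advertises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert mints a throwaway Ed25519 certificate (constructed demo data): a self-signed CA when parent is nil, else a client cert issued by parent.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve makes one request to an httptest mTLS server (trusting only ca) in the given ClientAuth mode and returns the r.TLS the handler saw, or nil if TLS rejected the client.
func serve(mode tls.ClientAuthType, ca, client tls.Certificate) *tls.ConnectionState {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	seen := make(chan *tls.ConnectionState, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.TLS // exactly what a handler doing "additional validation" gets to inspect
	}))
	srv.TLS = &tls.Config{ClientCAs: pool, ClientAuth: mode} // the server certificate is httptest's own
	srv.StartTLS()
	defer srv.Close()
	// Offer the client cert unconditionally, as a non-cooperating client would; Go's default selection would skip one that does not match the server's CA list.
	srv.Client().Transport.(*http.Transport).TLSClientConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &client, nil }
	if resp, err := srv.Client().Get(srv.URL); err == nil {
		resp.Body.Close()
		return <-seen
	}
	return nil // the handshake failed, so the handler never ran
}
```

With `RequireAndVerifyClientCert` the self-signed certificate never reaches the handler, while `RequestClientCert` hands the handler a `PeerCertificates[0]` whose CN is `trusted-service` and an empty `VerifiedChains`, so a CommonName check alone would have let it through.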

**Tools:** `crypto/tls`, `crypto/x509`, Service Mesh (Istio, Linkerd)
