Does not work with certificate auth

[owais]

I spent a few days trying to get this to work with client certificate authentication thinking my server had issues but looks issue might be with the library. I tried pywinrm and it works perfectly with equivalent python code. The following python snippet works:

import winrm


def main():
    s = winrm.Session(
        "https://localhost:5986/wsman",
        auth=("", ""),
        transport="certificate",
        cert_pem="winrm_client_cert.pem",
        cert_key_pem="cert.key",
        server_cert_validation="ignore",
    )
    r = s.run_cmd("whoami")
    print(r.status_code)
    print(r.std_out)


if __name__ == "__main__":
    main()

and prints:

While as the following equivalent Go program does not work:

package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/masterzen/winrm"
)

func main() {
	clientCert, err := os.ReadFile("winrm_client_cert.pem")
	if err != nil {
		log.Fatalf("failed to read client certificate: %q", err)
	}

	clientKey, err := os.ReadFile("cert.key")
	if err != nil {
		log.Fatalf("failed to read client key: %q", err)
	}

	winrm.DefaultParameters.TransportDecorator = func() winrm.Transporter {
		// winrm https module
		return &winrm.ClientAuthRequest{}
	}

	endpoint := winrm.NewEndpoint(
		"localhost", // host to connect to
		5986,        // winrm port
		true,        // use TLS
		true,        // Allow insecure connection
		nil,         // CA certificate
		clientCert,  // Client Certificate
		clientKey,   // Client Key
		0,           // Timeout
	)

	client, err := winrm.NewClient(endpoint, "Administrator", "")
	if err != nil {
		log.Fatalf("failed to create client: %q", err)
	}
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	_, err = client.RunWithContext(ctx, "whoami", os.Stdout, os.Stderr)
	if err != nil {
		log.Fatalf("failed to run command: %q", err)
	}
}

produces the following output:

[owais]

tls.Config{
  MaxVersion: tls.VersionTLS12
  Renegotiation: tls.RenegotiateOnceAsClient
}

It looks like Windows (or this lib) has issues with certificate auth on TLS 1.3+. Restricting to TLS1.2 and enabling Renegotiation fixes these issues and allows Client Certificate auth to work.

[masterzen]

Thanks for testing and reporting this issue. It could be coming from the go version you're using that doesn't support TLS 1.3?
Or something windows side w.r.t. how TLS is implemented?

[owais]

I'm using Go 1.23. It does support both 1.2 and 1.3 but defaults to 1.3 which fails with winRM. Falling back on 1.2 makes everything work.

[owais]

Windows Server 2022 fully supports TLS 1.3, but it is not enabled by default. Enabling TLS 1.3 will allow applications running on Windows Server 2022 to benefit from the improved security and performance of the latest TLS version.

From a blog post so not sure how accurate it is: https://medium.com/thesecmaster/how-to-enable-tls-1-3-on-windows-server-2022-289f33211fad