Changes to x509 in Go 1.18


Jim Idle

Mar 24, 2022, 2:10:10 AM3/24/22
to golang-nuts
Having just upgraded to 1.18, I find that quite a few encrypted connections, for instance https to a Neptune instance on AWS, now fail with:

x509: “*.xxxxxxxxx.neptune.amazonaws.com” certificate is not standards compliant

It seems to be related to this comment:


I don’t immediately see anything on how to get around this via google searches, though I see some changelists concerning x509 for 1.18. I am not able to change the Neptune certificate, which may indeed not be quite standards compliant, as the error message suggests. However, it is not just Neptune - I see some people having issues with redis for instance.

Apologies if this has been addressed somewhere that I have not found. Perhaps with more time, I will find some workaround or solution, but I thought asking here may help.

Any input/workarounds appreciated, as well as any insight into the reason for change.

Jim

Jim Idle

Mar 28, 2022, 8:41:34 PM3/28/22
to Davanum Srinivas, golang-nuts
Yes - looks like it is for slightly different reasons. Apple have decided on a new policy for verifying certificates and the certificate must have either two (younger certs) or three (older certs) valid SCTs. I suspect that you could re-issue your cert to comply with this, but I am not sure about your mechanism for this. It seems though that even if Go 1.18 was patched to let such a failure through - and it isn’t clear that it should be, as per the TODO - that it would not help with AWS as it seems that they don’t have ANY SCTs in their certificates. AWS will have to re-issue probably all their certificates, which leaves some of us a bit screwed for a while.

This isn’t my area of expertise, but it seems that perhaps Apple have been a bit too aggressive on this. I hazard a guess that what they have implemented is likely correct, but if a company such as Apple makes such a change, I think they should have made more noise about it, so that other companies knew about the change. 

So, a combination of OSX 12.3 with Go 1.18 will trigger this, unless you have the ability to re-issue certificates with the requisite number of SCTs. I have no control over most AWS certificates - they are issued by AWS, for AWS. So now, I will have to ask AWS if they can do anything about it. But I can’t see them re-issuing certificates for all their myriad services, overnight.

Jim

PS: I quote the ticket you raised, in case it is useful to others:



On Mar 29, 2022 at 2:48:34 AM, Davanum Srinivas <dav...@gmail.com> wrote:
Jim,

Looks like we ended up seeing the same problem in a kubernetes test case as well:

-- Dims



--
Davanum Srinivas :: https://twitter.com/dims
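Jim's description of certificates carrying two, three or no SCTs can be checked directly against a leaf certificate. The following is an added example, not code from this thread or from the Go project: it counts the SCTs embedded in a certificate's Certificate Transparency extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962) and exercises the parser on constructed self-signed certificates, since no AWS certificate is available on this page. It assumes the SCTs in question are the embedded kind; SCTs delivered through the TLS handshake extension or a stapled OCSP response are not in the certificate and are not counted. The hostname and the SCT bytes are placeholders, and the code reports only the count, not whether a given count satisfies Apple's policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sctListOID is the X.509 extension holding embedded SCTs (RFC 6962 s3.3).
// SCTs delivered via the TLS extension or stapled OCSP are not counted here.
var sctListOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// countEmbeddedSCTs reports how many SCTs cert embeds. 0 with a nil error
// means the extension is absent, the situation the thread describes for AWS.
func countEmbeddedSCTs(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(sctListOID) {
			continue
		}
		// Extension value: OCTET STRING wrapping a TLS-encoded SCT list.
		var list []byte
		rest, err := asn1.Unmarshal(ext.Value, &list)
		if err != nil || len(rest) != 0 {
			return 0, errors.New("sct extension: malformed OCTET STRING")
		}
		return parseSCTList(list)
	}
	return 0, nil
}

// parseSCTList walks a SignedCertificateTimestampList: uint16 total length,
// then entries of uint16 length + opaque SCT. Structure only; the log
// signatures inside each SCT are not verified.
func parseSCTList(b []byte) (int, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return 0, errors.New("sct list: bad total length")
	}
	n := 0
	for b = b[2:]; len(b) > 0; n++ {
		l := -1
		if len(b) >= 2 {
			l = int(binary.BigEndian.Uint16(b))
		}
		if l <= 0 || l > len(b)-2 {
			return 0, errors.New("sct list: bad entry length")
		}
		b = b[2+l:]
	}
	return n, nil
}

// encodeSCTList is the inverse of parseSCTList: n copies of one opaque SCT
// body. Used only to build constructed test input.
func encodeSCTList(n int, sct []byte) []byte {
	var body []byte
	for i := 0; i < n; i++ {
		body = append(binary.BigEndian.AppendUint16(body, uint16(len(sct))), sct...)
	}
	return append(binary.BigEndian.AppendUint16(nil, uint16(len(body))), body...)
}

// selfSignedWithSCTs issues a throwaway self-signed certificate embedding
// numSCTs placeholder SCTs (constructed bytes, not real log signatures).
func selfSignedWithSCTs(numSCTs int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sct-demo.invalid"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if numSCTs > 0 {
		val, _ := asn1.Marshal(encodeSCTList(numSCTs, []byte{0xde, 0xad, 0xbe, 0xef})) // OCTET STRING; cannot fail for []byte
		tmpl.ExtraExtensions = []pkix.Extension{{Id: sctListOID, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, want := range []int{0, 2, 3} {
		cert, err := selfSignedWithSCTs(want)
		if err != nil {
			panic(err)
		}
		got, err := countEmbeddedSCTs(cert)
		fmt.Printf("cert built with %d SCTs: counted %d (err=%v)\n", want, got, err)
	}
}
```

To inspect a live endpoint, pass the leaf from a diagnostic connection (`conn.ConnectionState().PeerCertificates[0]`) to `countEmbeddedSCTs`; because the platform verifier is what rejects these certificates, such a connection has to skip verification and must be used for inspection only, never for real traffic.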

Jordan Liggitt

Mar 28, 2022, 10:13:43 PM3/28/22
to golang-nuts
Do you have a standalone reproducer of a certificate go1.17 considered valid that go1.18 does not? If so, can you file an issue at https://github.com/golang/go/issues for investigation?

Davanum Srinivas

Mar 28, 2022, 10:13:44 PM3/28/22
to Jim Idle, golang-nuts
Thanks for the additional info, Jim. Thanks! In our case it's a unit test that we could control, but we just got worried about things in the wild like your case for sure when we ship a go1.18-based kubectl.

thanks,
Dims

Davanum Srinivas

Mar 28, 2022, 10:13:45 PM3/28/22
to Jim Idle, golang-nuts
Jim,

Looks like we ended up seeing the same problem in a kubernetes test case as well:

-- Dims


Jim Idle

Mar 28, 2022, 11:45:21 PM3/28/22
to Jordan Liggitt, golang-nuts
The issue is here already: https://github.com/golang/go/issues/51991 - the cause seems to be already known.
