--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I agree completely. I made a CR to modify the package, but it wasn't received well: https://go-review.googlesource.com/#/c/11734/
We've not found an approach for communicating with the device so far unless using a patched Go stdlib.

On Wednesday, 8 June 2022 at 10:09:26 UTC+1 andig wrote:
> We've not found an approach for communicating with the device so far unless using a patched Go stdlib.

Connect via a proxy like stunnel?

Out of interest, does raw "openssl s_client" allow communication with the device?
We receive an alert 40 (Handshake failure) when using openssl. So the cert is definitively faulty in some way.
:~/wallbox/hack$ openssl s_client -connect 192.168.1.180:4712
CONNECTED(00000005)
depth=0 CN = EEBUS, O = EVBox Intelligence, C = NL
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = EEBUS, O = EVBox Intelligence, C = NL
verify return:1
140477570593216:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
Certificate chain
0 s:CN = EEBUS, O = EVBox Intelligence, C = NL
i:CN = EEBUS, O = EVBox Intelligence, C = NL
---
Server certificate
-----BEGIN CERTIFICATE-----
It would seem reasonable to me for InsecureSkipVerify to skip certificates without parsing them at all. It is, after all, insecure by definition.
> We receive an alert 40 (Handshake failure) when using openssl. So the cert is definitively faulty in some way.
> :~/wallbox/hack$ openssl s_client -connect 192.168.1.180:4712

Seems that in this case, if we regard openssl as "the standard", it's obsolete to talk about Go.
I forgot to add one thing, and you didn't paste the whole certificate PEM so I can't check this. Recent versions of Go won't verify the certificate unless it contains a subjectAltName; matching against only the CN is no longer supported.
So if you do get your vendor to re-issue the cert, make sure it also includes a DNS SAN, if it doesn't already. It doesn't matter if it's just a string like "EEBUS"; you can specify the ServerName at connection time.
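As an added illustration of this point (example code written for this thread, not code from the Go project or from anyone in the discussion), the Go program below generates a self-signed certificate with the CN seen in the s_client output, once without and once with a DNS SAN, and verifies it against a pool that trusts only that one certificate, which is the pinning approach a client would use instead of InsecureSkipVerify. The CN-only certificate fails with x509.HostnameError, the one with a DNS SAN of "EEBUS" verifies when "EEBUS" is supplied as ServerName; the certificates, names and helper functions are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a self-signed leaf with subject CN cn; withSAN adds a DNS SAN of the same value.
func selfSigned(cn string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{cn} // the only names Go matches ServerName against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinnedTLSConfig trusts exactly one certificate and names it, instead of setting InsecureSkipVerify.
func pinnedTLSConfig(cert *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool, ServerName: serverName}
}

// verifyPinned runs the certificate check a handshake with pinnedTLSConfig would make.
func verifyPinned(cert *x509.Certificate, serverName string) (ok, hostMismatch bool) {
	cfg := pinnedTLSConfig(cert, serverName)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: cfg.ServerName, Roots: cfg.RootCAs})
	_, hostMismatch = err.(x509.HostnameError) // CN-only certificates end up here
	return err == nil, hostMismatch
}
```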
On Thursday, 9 June 2022 at 17:38:04 UTC+1 Brian Candler wrote:
On Thursday, June 9, 2022 at 6:44:58 PM UTC+2 Brian Candler wrote:
> I forgot to add one thing, and you didn't paste the whole certificate PEM so I can't check this. Recent versions of Go won't verify the certificate unless it contains a subjectAltName; matching against only the CN is no longer supported.

I am aware of the rejection of SHA1 hashes, but not this change. Could you kindly share the CL or release note? Much appreciated!