About "godebug (x509negativeserial=1)"


David Karr

Jun 11, 2025, 5:36:55 PM
to golang-nuts
This may be better asked in a k8s forum, but I'm not aware of a good one, and as I've never seen this anywhere but in Go applications, perhaps someone here will know about this.

In our enterprise, we have a bunch of k8s clusters.  I have a bunch of Go code using the k8s client api to get data from those clusters. For some reason, when I attempt to connect to some of those clusters, I get a "negative serial number" error.  After some digging, I found that adding "godebug (x509negativeserial=1)" to your go.mod will work around this problem.

The thing is, I also wrote some code that examines the cluster cert and its serial number, and in the cases where I've gotten this error, I've never found a serial number that was negative. Perhaps it's negative if it's assumed to be a limited number of bits?  I have no idea.

I also saw this error today when someone tried to run "helm" to get something on an external web site, and after I did "export GODEBUG=x509negativeserial=1", that resolved that problem.

Anyone know anything about this?

Jason E. Aten

Jun 11, 2025, 11:33:55 PM
to golang-nuts
https://pkg.go.dev/crypto/x509#ParseCertificate

says

serial := new(big.Int)
if !tbs.ReadASN1Integer(serial) {
    return nil, errors.New("x509: malformed serial number")
}
if serial.Sign() == -1 {
    if x509negativeserial.Value() != "1" {
        return nil, errors.New("x509: negative serial number")
    }
}

so you could run tbs.ReadASN1Integer
on your certs' serial numbers to see which, if any, are old...

var tbs cryptobyte.String seems to imply it is using 
so that code would be, in the v0.39.0 version,

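As an added example, not part of this thread and not code from the Go project: the program below reads the serial's raw DER octets with encoding/asn1 and shows why a serial that looks fine in other tools parses as negative in Go (a DER INTEGER is two's complement, so a leading octet of 0x80 or above with no 0x00 pad is a negative number, which RFC 5280 forbids). It builds its own self-signed test certificate (a constructed fixture) and sets that bit in place to reproduce the "negative serial number" error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RawSerial returns the serial's DER content octets (a sub-slice of der), whether DER's two's complement
// rule makes them negative (bit 7 of the first octet set), and the value encoding/asn1 decodes from them.
func RawSerial(der []byte) (raw []byte, negative bool, value *big.Int, err error) {
	var cert struct { // encoding/asn1 ignores trailing SEQUENCE elements, so only the leading fields are declared
		TBS struct {
			Version int `asn1:"optional,explicit,default:0,tag:0"`
			Serial  asn1.RawValue
		}
	}
	if _, err = asn1.Unmarshal(der, &cert); err != nil {
		return nil, false, nil, err
	}
	s := cert.TBS.Serial
	if _, err = asn1.Unmarshal(s.FullBytes, &value); err != nil { // fails unless this is a well-formed INTEGER
		return nil, false, nil, err
	}
	return s.Bytes, s.Bytes[0]&0x80 != 0, value, nil // RFC 5280 wants a positive serial; the decoder honours the sign bit
}

// newTestCert is a constructed fixture: a self-signed Ed25519 cert with serial 0x12345678 (first octet < 0x80, no pad needed).
func newTestCert() ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x12345678), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, err := newTestCert()
	if err != nil {
		panic(err)
	}
	for _, label := range []string{"as issued", "high bit set, no 0x00 pad"} {
		raw, negative, value, _ := RawSerial(der)
		_, perr := x509.ParseCertificate(der) // "x509: negative serial number" on Go 1.23+ unless GODEBUG=x509negativeserial=1
		fmt.Printf("%-26s octets=%x negative=%v value=%s parse err=%v\n", label, raw, negative, value, perr)
		raw[0] |= 0x80 // mimic a CA that omits the 0x00 pad on a high-bit serial; the signature breaks, but ParseCertificate does not check it
	}
}
```

Run RawSerial over every certificate in the chain a server sends, not only the leaf: the offending serial is often on an intermediate.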
Jason E. Aten

Jun 11, 2025, 11:42:01 PM
to golang-nuts
Maybe the TLS clients are providing certs too, and those are old?

Jason E. Aten

Jun 12, 2025, 12:10:59 AM
to golang-nuts
I don't know enough of your operational context, but for some organizations, someone hitting your servers with old
certs like that could be considered a potentially malicious attack, and "working around it" by turning
off the check might expose you to deeper vulnerabilities--that you might better wish to avoid.

David Karr

Jun 12, 2025, 12:10:17 PM
to golang-nuts
Note that this is the command line that got the "negative serial number" error: "helm repo add coder-v2 https://helm.coder.com/v2". That should be reachable by anyone else, so you could inspect that cert.

I'll try to integrate that code for inspecting the serial number.
