Hi,
We have used golang 1.4 to create a Client on a Linux Machine.
We came across an issue while attempting to communicate to our Windows Server using HTTPS.
On analysis, we found that the error was thrown by the crypto/x509 package. The error was: 'x509: negative serial number'.
We generate & use a self-signed certificate at the Server. It was found that the Serial Number of the Certificate was '93:C0.....'.
Since golang stores SerialNumber as a big.Int (signed), it considers this value to be negative (the 1st digit is 1).
This doesn't seem to be a problem when using C++ or Objective C (which don't seem to enforce this SerialNumber condition as strictly).
We were able to regenerate the self-signed certificate with a positive serial number in our test environment, and it worked. But this solution is not scalable, as it would affect all our existing setups.
Hence, we searched for a provision in the golang API to override this check, but were unsuccessful.
So, we opted for another solution. Since golang is open source, we commented out the negative serial number check in the source package crypto/x509/x509.go and recompiled the packages using all.bash.
Change made to: 'crypto/x509/x509.go'
__________________________________________________
func parseCertificate(in *certificate) (*Certificate, error) {
	..
	..
	// if in.TBSCertificate.SerialNumber.Sign() < 0 {
	// 	return nil, errors.New("x509: negative serial number")
	// }
}
This solved our problem, and the HTTPS communication was established from our Linux clients.
The following are my questions:
1. Will there be any repercussions if we comment out this check?
2. Is there any provision for this in golang that we may have missed? If not, is there any chance of it being brought up in the near future?
3. Why is it that golang follows this strictly, while the older languages neglect it? (C++ & Objective C, as far as I know)
Thanks,
Rangaraj
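As an added example (not from the original post or from the Go project), the program below decodes a serial whose DER content begins with the bytes 0x93 0xC0 the way encoding/asn1 and crypto/x509 do, applies the same Sign() test as the commented-out lines, and shows how a certificate generator can draw serials that are always positive and within the 20-octet limit of RFC 5280. The two-byte serial is constructed for the demonstration; the remaining bytes of the real certificate are not known.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// Constructed sample: a DER INTEGER whose content starts with 0x93, like the
// '93:C0...' serial in the post (only these two bytes are used; the real
// certificate's remaining bytes are not known).
var constructedSerialDER = []byte{0x02, 0x02, 0x93, 0xC0}

// decodeSerial decodes a DER INTEGER as encoding/asn1 and crypto/x509 do: the
// content is two's complement, so a first byte with its high bit set is negative.
func decodeSerial(der []byte) (*big.Int, error) {
	var n *big.Int
	rest, err := asn1.Unmarshal(der, &n)
	if err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("bad DER INTEGER (err=%v, trailing=%d bytes)", err, len(rest))
	}
	return n, nil
}

// rejectedByGo is the test behind the commented-out lines in x509.go.
func rejectedByGo(serial *big.Int) bool { return serial.Sign() < 0 }

// serialIsConformant is the check a certificate generator should run before
// issuing: RFC 5280 section 4.1.2.2 requires a positive INTEGER of at most 20
// octets. For these sizes asn1.Marshal emits tag, one length byte, then content.
func serialIsConformant(serial *big.Int) bool {
	if serial.Sign() <= 0 {
		return false
	}
	enc, err := asn1.Marshal(serial)
	return err == nil && len(enc)-2 <= 20
}

// newSerial draws a random value below 2^159, so the first encoded byte's high
// bit is clear: the serial is positive and never exceeds 20 octets.
func newSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
}

func main() {
	n, err := decodeSerial(constructedSerialDER)
	fmt.Println("serial:", n, "err:", err, "rejected by Go 1.4:", err == nil && rejectedByGo(n))
	s, err := newSerial()
	fmt.Printf("fresh serial %x conformant: %v (err: %v)\n", s, err == nil && serialIsConformant(s), err)
}
```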