Changes to x509 in Go 1.18

420 views
Skip to first unread message

Jim Idle

unread,
Mar 24, 2022, 2:10:10 AMMar 24
to golang-nuts
Having just upgraded to 1.18, I find that quite a few encrypted connections, for instance https to a Neptune instance on AWS, now fail with:

x509: “*.xxxxxxxxx.neptune.amazonaws.com” certificate is not standards compliant

It seems to be related to this comment:


I don’t immediately see anything on how to get around this via google searches, though I see some changelists concerning x509 for 1.18. I am not able to change the Neptune certificate, which may indeed not be quite standards compliant, as the error message suggests. However, it is not just Neptune - I see some people having issues with redid for instance.

Apologies if this has been addressed somewhere that I have not found. Perhaps with more time, I will find some workaround or solution, but I thought asking here may help.

Any input/workarounds appreciated, as well as any insight into the reason for change.

Jim

Jim Idle

unread,
Mar 28, 2022, 8:41:34 PMMar 28
to Davanum Srinivas, golang-nuts
Yes - look like it is for slightly different reasons. Apple have decided on a new policy for verifying certificates and the certificate must have either two (younger certs) or three (older certs) valid SCTs. I suspect that you could re-issue your cert to comply with this, but I am not sure about your mechanism for this. It seems though that even if Go 1.18 was patched to let such a failure through - and it isn’t clear that it should be, as per the TODO - that it would not help with AWS as it seems that they don’t have ANY SCTs in their certificates. AWS will have have to re-issue probably all their certificates, which leaves some of us a bit screwed for a while. 

This isn’t my area of expertise, but it seems that perhaps Apple have been a bit too aggressive on this. I hazard a guess that what they have implemented is likely correct, but if a company such as Apple makes such a change, I think they should have made more noise about it, so that other companies knew about the change. 

So, a combination of OSX 12.3 with Go 1.18 will trigger this, unless you have the ability to re-issue certificates with the requisite number of SCTs. I have no control over most AWS certificates - they are issued by AWS, for AWS. So now, I will have to ask AWS if they can do anything about it. But I can’t see them re-issuing certificates for all their myriad services, overnight.

Jim

PS: I quote the ticket you raised, in case it is useful to others:



On Mar 29, 2022 at 2:48:34 AM, Davanum Srinivas <dav...@gmail.com> wrote:
Jim,

Looks like we ended up seeing the same problem in a kubernetes test case as well:

-- Dims

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGPPfg-PtW7dqeNKo72fvLsLZ1Qg2i_AwmUBJcTGMNgeHUhfCA%40mail.gmail.com.


--
Davanum Srinivas :: https://twitter.com/dims

Jordan Liggitt

unread,
Mar 28, 2022, 10:13:43 PMMar 28
to golang-nuts
Do you have a standalone reproducer of a certificate go1.17 considered valid that go1.18 does not? If so, can you file an issue at https://github.com/golang/go/issues for investigation?

Davanum Srinivas

unread,
Mar 28, 2022, 10:13:44 PMMar 28
to Jim Idle, golang-nuts
Thanks for the additional info Jim. thanks! in our case it's a unit test that we could control, but we just got worried about things in the wild like your case for sure when we ship a go1.18 based kubectl.

thanks,
Dims

Davanum Srinivas

unread,
Mar 28, 2022, 10:13:45 PMMar 28
to Jim Idle, golang-nuts
Jim,

Looks like we ended up seeing the same problem in a kubernetes test case as well:

-- Dims

On Thu, Mar 24, 2022 at 2:09 AM Jim Idle <ji...@idle.ws> wrote:
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGPPfg-PtW7dqeNKo72fvLsLZ1Qg2i_AwmUBJcTGMNgeHUhfCA%40mail.gmail.com.

Jim Idle

unread,
Mar 28, 2022, 11:45:21 PMMar 28
to Jordan Liggitt, golang-nuts
The issue is here already: https://github.com/golang/go/issues/51991 - the causes seems to be already known. 


--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages