TLS handshake time using Go app (openbao)


pkcs11newbie

Oct 17, 2025, 8:12:47 PM
to golang-nuts
Hello,

I'm a newbie to Golang and need help with the issue below:

We are using a third-party product (OpenBao, a Go app) and we are encountering a TLS handshake timeout when executing the OpenBao CLI against a TLS-based OpenBao server.

OpenBao by default loads system CAs (unless told to skip loading system CAs):

import (
	"crypto/x509"
	"fmt"
)

// loadSystemCAs loads the system's CA certificates into a pool.
func loadSystemCAs() (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("Error loading system CA certificates: %w", err)
	}
	return pool, nil
}

There's a TLS handshake timeout of 10 seconds in OpenBao.

On some of the Windows machines, we get into this TLS handshake timeout (these machines don't have access to the internet):
The bao CLI did not send out ChangeCipherSpec, and after 10 seconds the client drops out.

On some other Windows machines (they have access to the internet), the bao CLI had no problem sending out Change Cipher Spec, and the TLS handshake was done within 10 seconds.

As a POC, I modified OpenBao to not load system CAs, executed it on the problematic Windows box, and the TLS handshake was successful.

The question is: why did OpenBao's loading of system CAs take so long on the problematic Windows machine? Could access to the internet be a factor?

Additionally, on the same machine:

  • OpenSSL/curl were able to connect successfully to the OpenBao server

I appreciate any guidance. If there are any debugging steps or printouts I can add, please let me know.

Thanks.

Jason E. Aten

Oct 17, 2025, 9:49:41 PM
to golang-nuts
why did Openbao loading of system CAs took so long to load on problematic Windows machine?

I would write a Go test that sets up a TLS client and connects to the server
repeatedly to see if it is consistent or variable. Then add prints with
timestamps that show where and when you are executing stuff
(technique demonstrated here: https://github.com/glycerine/vprint)
inside the BaoServer to see what is happening.

https://go.dev/blog/execution-traces-2024 tracing might also be helpful.

Could access to internet be a factor ?

Wireshark is what I think of here. https://www.wireshark.org/ lets you record and inspect
all network traffic. If you have to read encrypted traffic in Wireshark, you can dump the
keys by hacking/setting KeyLogWriter, then tell Wireshark about it, and it will give you
plaintext back when you are searching through packets.

Roland Shoemaker

Oct 17, 2025, 9:58:07 PM
to golang-nuts
Windows dynamically loads the root store. A fresh install ships with a minimal root pool that is necessary for fetching further roots. We use Windows APIs for verifying received certificates, and it's possible that while trying to verify a certificate, Windows is trying to fetch the relevant root from the Microsoft servers. If it cannot reach the internet, this call may block and cause the timeout.
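Jason's suggestion (a Go program that connects repeatedly with timestamped output and can hand session keys to Wireshark through KeyLogWriter) and Roland's explanation (the time goes into certificate verification, which on Windows may reach out for a missing root, rather than into reading the pool) can be checked with one small harness. The program below is an added example written for this thread; it is not OpenBao code and did not come from any of the posters. It starts a throwaway TLS server on loopback with a constructed self-signed certificate, times x509.SystemCertPool() on its own, then runs several client handshakes under an explicit deadline (the same 10 s OpenBao uses) and reports each duration. The names StartTestServer, TimeSystemCertPool and HandshakeTimings are this example's own, and ServerName "localhost" is an assumption that matches the test certificate.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// StartTestServer builds a throwaway self-signed certificate (constructed for this
// example), listens on a random loopback port, completes the server side of each
// handshake, and returns the address, the pool that trusts it, and a stop func.
func StartTestServer() (string, *x509.CertPool, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true, DNSNames: []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}

// TimeSystemCertPool measures only the cost of reading the platform root store, for
// comparison with the per-handshake time, which is where verification happens.
func TimeSystemCertPool() (time.Duration, error) {
	start := time.Now()
	_, err := x509.SystemCertPool()
	return time.Since(start), err
}

// HandshakeTimings dials addr n times and returns each connect+handshake duration.
// rootCAs nil means the system pool (what OpenBao uses); keyLog, if non-nil, receives
// NSS key-log lines that Wireshark can decrypt with; timeout bounds each handshake.
func HandshakeTimings(addr string, rootCAs *x509.CertPool, n int, keyLog io.Writer, timeout time.Duration) ([]time.Duration, error) {
	cfg := &tls.Config{RootCAs: rootCAs, ServerName: "localhost", KeyLogWriter: keyLog, MinVersion: tls.VersionTLS12}
	out := make([]time.Duration, 0, n)
	for i := 0; i < n; i++ {
		start := time.Now()
		raw, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			return out, fmt.Errorf("attempt %d: dial: %w", i, err)
		}
		conn := tls.Client(raw, cfg)
		ctx, cancel := context.WithTimeout(context.Background(), timeout)
		err = conn.HandshakeContext(ctx) // gives up at the deadline even if verification stalls
		cancel()
		elapsed := time.Since(start)
		conn.Close()
		if err != nil {
			return out, fmt.Errorf("attempt %d failed after %v: %w", i, elapsed, err)
		}
		out = append(out, elapsed)
	}
	return out, nil
}

func main() {
	addr, pool, stop, err := StartTestServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	d, _ := TimeSystemCertPool()
	fmt.Printf("%s SystemCertPool load: %v\n", time.Now().Format(time.StampMilli), d)
	ds, err := HandshakeTimings(addr, pool, 5, nil, 10*time.Second) // pass an *os.File as keyLog to feed Wireshark
	fmt.Printf("%s handshakes: %v err: %v\n", time.Now().Format(time.StampMilli), ds, err)
}
```

To apply this to the situation in the thread, point addr at the real OpenBao listener, set ServerName to its hostname, and run HandshakeTimings twice: once with rootCAs nil (system pool, as OpenBao does) and once with a pool that holds only the server's CA. If the explicit-pool run is fast while the system-pool run hits the deadline at the verification step, the delay is in platform certificate verification rather than in reading the pool, which is what Roland describes. A key-log file handed in as keyLog decrypts the whole session, so it should be treated with the same care as the private key and deleted after the Wireshark analysis.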