crypto/x509: path lookup order change affects CentOS from Go 1.7->8 #18813
Comments
joegrasse
changed the title
|
Doing more research looks like go/src/crypto/x509/root_linux.go Line 10 in ce64553 Our server is CentOS 6.8. |
|
If this were found during the Go 1.8 beta testing period, or even an earlier rc, it would've been easier to fix. It might be too late now. :-/ As a workaround, can you just add your certs to the first location? Do other popular TLS clients read & merge all files? /cc @agl |
bradfitz
changed the title
bradfitz
added
the
NeedsDecision
|
@bradfitz By default the openssl command was working correctly. It was able to verify the certificate. |
|
But because it's looking at one location or merging multiple? |
|
Here is a snippet from "The process of ’looking up the issuers certificate’ itself involves a number of steps. In versions of OpenSSL before 0.9.5a the first certificate whose subject name matched the issuer of the current certificate was assumed to be the issuers certificate. In OpenSSL 0.9.6 and later all certificates whose subject name matches the issuer name of the current certificate are subject to further tests." Which to me sounds like it keeps looking. |
|
I think that section of the man page is suggesting that it'll check multiple certificates from a file, as opposed to merging several files. Generally OpenSSL is configured with Why do we think that the system OpenSSL isn't just looking at |
I not saying it doesn't, but with the change in go1.8, go isn't looking there by default. I am still trying to research this, but it looks like in CentOS 6 (not sure what dot revision it was introduced) there is a legacy way and a new way to handle certs. |
|
@bradfitz I am leaning toward this being a breaking change for CentOS 6, because I believe by default CentOS 6 uses the legacy method, which is /etc/pki/tls/certs/ca-bundle.crt. I am by no means an expert in this though. |
|
To clarify: does CentOS include both |
|
If we got this bug report two months a fix would've been much easier. Between go1.8beta1, go1.8beta2, go1.8rc1, go1.8rc2, and go1.8rc3 we make fewer and smaller and safer changes. We're basically not making changes at this point of the release cycle. We can't risk causing regressions for other crypto/x509 users. The fact that we only got one bug report about this (and so late) suggests this isn't an issue that will impact many people at least. Unless there's a great diagnosis of what's happening and a super minimal and obviously-correct fix, you'll probably have to just modify both *.crt files, use a locally-patched Go, stay on Go 1.7, or wait for Go 1.9. Sorry. |
|
@bradfitz I have already worked around the issue, I am more just worried about the CentOS 6 user that this might break. What population of them have tested go1.8? |
@agl I believe Yes and Yes. I don't have a "stock" CentOS 6 box though. |
|
It sounds like we could just flip the order of the two entries then, but I'd love to get some clarification from RedHat about their policy here. I'll see if I can reach someone who'll claim to know. |
bradfitz
changed the title
|
(I've emailed @nmav to see if we can get word about what the "correct" answer is here.) |
|
In RHEL7 the file to use for openssl apps is In RHEL6 the primary file is Based on the above I think using ca-bundle.crt seems like a safe choice. |
|
@agl As a side note, I have noticed the following. CentOS 7 CentOS 6 Not sure if it would make sense to just point at |
|
@bradfitz @agl It looks like ce64553 is the commit that caused this problem. It also looks like it was a fix for #15749. On CentOS 7 though, |
|
CL https://golang.org/cl/36093 mentions this issue. |
|
I agree that CL 36093 is too much for Go 1.8. Can we just move the new RHEL7 line down to the bottom of the preference list for Go 1.8? ping @agl |
|
Sent CL 36429 to reorder the list. I checked, and the line was added for #17549, which was "can't find any certs"; that is, on the system we were trying to fix, none of the listed files existed. On this CentOS 6 system, the existing files were better than the new file, but putting the new file earlier in the list broke things. Moving the new file to the end of the list should keep #17549 fixed and still fix this issue. |
|
CL https://golang.org/cl/36429 mentions this issue. |
|
It's still unclear why |
|
https://go-review.googlesource.com/36530 for cherry-pick to Go 1.8. |
|
CL https://golang.org/cl/36530 mentions this issue. |
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to the list in response to #17549 - not being able to find any certs otherwise. Now we have #18813, where CentOS 6 apparently has both that file and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while the former is not. Moving the new CentOS 7 file to the bottom of the list should fix both problems: the CentOS 7 system that didn't have any of the other files in the list will still find the new one, and existing systems will still keep using what they were using instead of preferring the new path that may or may not be complete on some systems. Fixes #18813. Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba Reviewed-on: https://go-review.googlesource.com/36429 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Adam Langley <agl@golang.org> Reviewed-on: https://go-review.googlesource.com/36530 TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
Closing. CL 36093 mentions this issue but is really about a broader thing. This specific issue should now be fixed entirely. |
Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
What version of Go are you using (
go version)?go version go1.8rc3 linux/386What operating system and processor architecture are you using (
go env)?What did you do?
go get -d -u <package location>What did you expect to see?
Successful completion of
go getWhat did you see instead?
package <package location>: unrecognized import path "<package location>" (https fetch: Get https://<package_url>?go-get=1: x509: certificate signed by unknown authority)Using
go version go1.7.4 linux/386, this worked successfully. We are using our own CA, and the package_url is our own internal server.The text was updated successfully, but these errors were encountered: