
crypto/x509: Entrust broken cert link no longer valid, please consider removing the workaround #21488

Closed
mrmagooey opened this issue Aug 17, 2017 · 5 comments

Comments

@mrmagooey

What version of Go are you using (go version)?

go version go1.8.3 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.8.3/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.8.3/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/zv/jpk_y5hd6xj029pmkgm0j1ym0000gn/T/go-build313170607=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you expect to see?

At https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L756, Go has special dispensation for checking the validity of an "Entrust" certificate due to that vendor's mistake in issuing a non-CA certificate as root. The link given (http://www.entrust.net/knowledge-base/technote.cfm?tn=7869) is no longer a valid link, and my search of that vendor's website no longer seems to yield information about the issue (it appears to have been removed).

The original discussion of the issue (https://groups.google.com/forum/#!topic/golang-dev/_9Pz-0BEmCc) estimated that it may need to remain in the codebase to 2020. However, given that the vendor no longer provides the original "technote", which I would see as a withdrawal of their support for anyone encountering the issue, perhaps golang should consider removing the special dispensation from the x509 cert validity code before this 2020 date.
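What the dispensation suspends is RFC 5280's rule that a version 3 certificate whose basicConstraints extension is absent, or present with cA=false, must not be used to verify certificate signatures. The following is an added example, not code from this issue or from the Go project: it builds a throwaway root, intermediate and leaf in memory, once with the intermediate marked cA=true and once with the extension present but cA=false (the shape of the broken Entrust intermediate), and shows how crypto/x509 treats each, both at the single hop (CheckSignatureFrom) and in full path validation (Verify). The names BuildChain, VerifyLeaf, IsConstraintViolation, the subject names and the host name example.test are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf path (test data, not real certificates).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// sign issues tmpl under parent, signed with parentKey, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain builds a three-certificate chain. With intermediateIsCA=false the intermediate
// still carries a basicConstraints extension, but with cA=false, i.e. a non-CA cert used as issuer.
func BuildChain(intermediateIsCA bool) (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, intermediate, leaf (throwaway P-256 keys)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	root, err := sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,             // extension is present...
		IsCA:                  intermediateIsCA, // ...but cA may be false
	}
	inter, err := sign(interTmpl, root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// CreateCertificate does not refuse a non-CA parent; the rejection happens at verification time.
	leaf, err := sign(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf runs full path validation with the pure-Go verifier (Roots is set explicitly,
// so no platform verifier is consulted) and returns its error, nil on success.
func (c *Chain) VerifyLeaf() error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return err
}

// IsConstraintViolation reports whether err is crypto/x509's refusal to let a certificate
// act as a signer (returned by CheckSignatureFrom for a cA=false parent, among other cases).
func IsConstraintViolation(err error) bool {
	var cve x509.ConstraintViolationError
	return errors.As(err, &cve)
}

func main() {
	for _, isCA := range []bool{true, false} {
		chain, err := BuildChain(isCA)
		if err != nil {
			panic(err)
		}
		hop := chain.Leaf.CheckSignatureFrom(chain.Intermediate)
		fmt.Printf("intermediate cA=%v: CheckSignatureFrom=%v, Verify=%v\n", isCA, hop, chain.VerifyLeaf())
	}
}
```

The single-hop call is the interesting one: a parent with basicConstraints present and cA=false fails CheckSignatureFrom with ConstraintViolationError before the signature is even examined, and Verify therefore cannot build any chain through it. A carve-out keyed on one specific subjectPublicKeyInfo, as the Entrust workaround was, lets exactly one such intermediate through that check while every other non-CA issuer is still refused.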

@odeke-em odeke-em changed the title Entrust broken cert link no longer valid, consider removing the workaround crypto/x509: Entrust broken cert link no longer valid, please consider removing the workaround Aug 17, 2017
@odeke-em
Member

/cc @agl and other crypto folks.

@ianlancetaylor
Contributor

This was added in https://golang.org/cl/6346064 .

@FiloSottile
Contributor

FiloSottile commented Aug 17, 2017

Here is the broken cert for this intermediate CA (which has a few weird reincarnations).

According to Censys there are 316 IPv4 hosts still using it and 5 websites in the Alexa Top 1M.

We can kill it I guess, but I see no rush.

BTW, this is not a security issue, so I think there is no need for release-blocker?

@ianlancetaylor
Contributor

I added the release-blocker label because I think we should make a decision one way or another for the 1.10 release.

@agl
Contributor

agl commented Aug 17, 2017

There's no pressing need to remove this check except that it's always nice to have less code. Given that it's likely to cause some small issues if removed, I think it still carries its weight.

@agl agl closed this as completed Aug 17, 2017
@golang golang locked and limited conversation to collaborators Aug 17, 2018