/cc @FiloSottile

(I agree this should be fixed for the release since it is a mysterious new failure caused by enabling 1.3.)

(*serverHandshakeStateTLS13).sendServerCertificate returns tls: failed to sign handshake: crypto/rsa: key size too small for PSS signature (since c009433 which was added specifically for this case) to (*serverHandshakeStateTLS13).handshake to (*Conn).serverHandshake() to (*Conn).Handshake() to the application.

It sounds like the error you might have been seeing is the error surfaced on the client side, remote error: tls: internal error. If that's the case, there is nothing we can do, as TLS alerts are not free-form, but specified and numbered

and I believe "internal error" is the correct alert to send to the client, as being configured with the wrong key is an internal error of the server from the client point of view. This is why (*Conn).sendAlert takes the custom type instead of error.

By the way, this error is due to the new support of RSA-PSS keys in both TLS 1.2 and 1.3.

If the server has a bad configuration, why could it even start serving instead of bailing out earlier?

I would think "handshake failure" is a much better error in this case. The error you're returning even has the word "handshake".

If the server has a bad configuration, why could it even start serving instead of bailing out earlier?

Sadly, tls.Client and tls.Server don't let us surface errors earlier consistently. There are many things I'd like to check before a connection comes in, like #29349, but I could only cheat and do it in tls.Listen and tls.Dial, which are optional helpers.

I would think "handshake failure" is a much better error in this case. The error you're returning even has the word "handshake".

Sure, "handshake failure" is specified to be about a failure to negotiate parameters, but it's not like this case is in the spec anyway, and I don't have a strong opinion. I'll send a CL tomorrow morning.

@FiloSottile,

Not for Go 1.12: it might be better to have a new error type for alert protocol, the same as RecordHeaderError for record layer protocol, to avoid losing protocol-layer information and to be useful for both API users and infrastructure people. IIRC, there are a few neglected issues/CLs like "io.EOF on TLS connection setup does not provide any useful information for troubleshooting."

@dsymonds, two questions.

1. The bad certificate in the server config: was it in the tls.Config.Certificates list or was it returned by tls.Config.GetCertificate?
2. Were you using tls.Listen?

If tls.Config.Certificates contains any invalid certificates, it seems reasonable to me for tls.Listen to return an error, as it currently does for completely missing certificates. If the bad cert came from tls.Config.GetCertificates, that's more difficult to report well since the server is humming along at that point - there's no obvious way to report the misconfiguration (Filippo's point as I understand it).

If the answers to the questions are "tls.Config.Certificates" and "yes", then I think we should adjust Listen to check for this new failure mode in code. It seems likely to trip others too. (And no matter what else we do, also add it to the release notes.)

Thanks.

On the server side it is a certificate stuffed in the Certificates field of tls.Config (loaded from a file, sent through tls.X509KeyPair and x509.ParseCertificate).

The actual networking is via net.Listen, then going via grpc-go with grpc.Server and its Serve method, providing the certs with grpc.Creds. So it is possible there's a grpc-go defect instead.

I tried a couple approaches at tls.Listen validation, and I don't think we should do it. The obvious advantage is that an error is raised before the connection is opened, so there is no opaque client-side error. The issues are multiple:

• it's inconsistent, as it would only work with the rarely used tls.Listen, not with tls.NewListener nor tls.Server nor net/http (and for example wouldn't work for @dsymonds)
• it's incomplete, as it would have to be disabled if either GetCertificate or GetConfigForClient is set (and I don't like diverging the behavior of GetConfigForClient)
• it depends on client behavior, as a client that does not support RSA-PSS can still connect successfully (using TLS 1.2) so we can't make a universal decision at tls.Listen time
• it's extremely late in the cycle for making things that used to work not work (that is, servers with small keys serving old TLS 1.2 clients)

I will change the alert number for 1.12, and add a note to the release notes.

For 1.13 I will make also a small change to the negotiation logic, because as things are right now a (weird, non-Go) client that prefers PSSWithSHA512 (minimum key size 1040 bits) but supports PSSWithSHA256 (minimum key size 528 bits) would fail to connect to a server with a 1024 bit key (still insecure), which is suboptimal. This is #29793.

Change https://golang.org/cl/158639 mentions this issue: crypto/tls: send a "handshake failure" alert if the RSA key is too small

Change https://golang.org/cl/158638 mentions this issue: doc/go1.12: mention small RSA keys will cause some TLS handshakes to fail

Change https://golang.org/cl/160998 mentions this issue: crypto/tls: disable RSA-PSS in TLS 1.2