crypto/tls: func (c *Conn) Handshake() returns an error on Windows 7 #30985
Comments
/cc @FiloSottile

@sleevi Does Windows 7 have known issues with IP SANs? We use the system certificate verifier on Windows, so we might not be able to do much about this.

@FiloSottile Indeed Windows does! The CA/B Forum even published a lovely paper about how to "do iPAddress SANs right", based in part on my rantings and unwillingness to compromise on violating 5280 ;)
Since it requires the server (in this case, Cloudflare) to change how they construct the certificate, unfortunately, this incompatibility with the Windows verifier can only be resolved by them changing how they construct certificates. In case you reach someone at Cloudflare who can make the change, a 'compatible' certificate would thus be:
They would create an equivalent certificate for each IP address they're serving. For IPv6, Windows will do a direct string mapping to the CN, so that means it will be somewhat client-dependent as to how they entered the host in the above example. In general, using the compressed form (as that most reflects how users will enter in the address to connect) is likely the best approach.
This is unfortunate, but not worth overriding the system verifier for I'm afraid. (For example we would still end up not trusting IP address certificates signed by custom roots.)
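The thread turns on how a verifier matches an IP-address ServerName against a certificate: the Windows verifier (per the comment above) maps the address string against the CN, while an RFC 5280 verifier wants an iPAddress SAN. The following is an added example, not code from the issue or from the Go project, showing the behaviour of Go's own chain verifier, which is the path taken on every platform when a Roots pool is supplied (so the Windows system verifier is not involved). It generates two self-signed certificates for the same IP, one carrying the IP in a SAN and one only in the CN, and verifies both with the IP as the expected name, exactly as a tls.Config with ServerName "1.1.1.1" would. The IPv6 value is a constructed documentation-prefix address, not one from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned builds a self-signed certificate for ip. When inSAN is true
// the address is placed in the iPAddress SAN; otherwise it appears only in
// the CN, the layout the thread says Windows accepts but RFC 5280 verifiers
// (Go's included) do not.
func newSelfSigned(ip string, inSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: ip},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if inSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForIP runs Go's chain verifier with the certificate itself as the
// trust root and ip as the expected server name. Supplying Roots keeps the
// verification in Go's own code on every OS. VerifyHostname parses DNSName
// and, when it is an IP literal, only matches it against iPAddress SANs.
func VerifyForIP(cert *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:   roots,
		DNSName: ip,
	})
	return err
}

// SANRequired reports whether Go's verifier accepts ip only via a SAN:
// true means the SAN certificate verified and the CN-only one was rejected.
func SANRequired(ip string) (bool, error) {
	withSAN, err := newSelfSigned(ip, true)
	if err != nil {
		return false, err
	}
	cnOnly, err := newSelfSigned(ip, false)
	if err != nil {
		return false, err
	}
	return VerifyForIP(withSAN, ip) == nil && VerifyForIP(cnOnly, ip) != nil, nil
}

func main() {
	// 2001:db8::1 is a constructed documentation address in compressed form,
	// the form the thread recommends for IPv6 SANs.
	for _, ip := range []string{"1.1.1.1", "2001:db8::1"} {
		ok, err := SANRequired(ip)
		fmt.Printf("%s: SAN required by Go verifier = %v (err=%v)\n", ip, ok, err)
	}
}
```

Running this prints true for both addresses: a certificate that names the IP only in the CN fails Go's hostname check, which is the cross-platform behaviour the reporter saw everywhere except on Windows, where the system verifier is used when Roots is nil and applies its own CN matching.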
What version of Go are you using (go version)?
1.12

Does this issue reproduce with the latest release?
Yes

What operating system and processor architecture are you using (go env)?
Windows 7 x64

What did you do?
Hi!
func (c *Conn) Handshake() in package crypto/tls works perfectly on every OS except for Windows 7/Windows 2012 R2/etc. The following example demonstrates the problem: https://github.com/admitrevskiy/tls_example
Please note that the ServerName inside tls.Config is 1.1.1.1.

What did you expect to see?
No error

What did you see instead?