Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: untrusted intermediates are not used on macOS #35631

Closed
mariusgrigoriu opened this issue Nov 16, 2019 · 14 comments
Closed

crypto/x509: untrusted intermediates are not used on macOS #35631

mariusgrigoriu opened this issue Nov 16, 2019 · 14 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Milestone
Unplanned

Comments

@mariusgrigoriu
Copy link

What version of Go are you using (go version)?

$ go version
go version go1.13.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/xhp9/Library/Caches/go-build"
GOENV="/Users/xhp9/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/xhp9"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.13.4/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.13.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/xhp9/src/github.com/nordstrom/kubelogin/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qy/p4t6xtws5yv8llv3wg15ck9rztrl8v/T/go-build395049258=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Open http connection to a remote server using internal certificate. Web browsers have no issue accepting the certificate.

A workaround is to set the issuing CA to Always Trust in the keychain. Using system defaults does not work.

Basically this seems to be the same issue as #30471 or #30672 except I get a failure even with CGO_ENABLED=0.

What did you expect to see?

No error.

What did you see instead?

x509: certificate signed by unknown authority
@mariusgrigoriu
Copy link
Author

@FiloSottile I think we're still having issues with certificate trust settings on mac os.

@FiloSottile
Copy link
Contributor

Thanks for the report, can you give us the output of GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509?

@mariusgrigoriu
Copy link
Author

The test passes in both cases. However, when the certificate is set to "Use System Defaults" it does not even appear in the debug output. It does appear when set to "Always Trust."

@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 18, 2019
@andybons andybons added this to the Unplanned milestone Nov 18, 2019
@emberquill
Copy link

I'm experiencing the same issue on macOS Mojave, running go 1.13.4.

The certificate chain in our environment has two intermediate CAs between the Root CA and the site certificate. If the site certificate's issuing CA isn't marked as Always Trusted, then trust isn't inherited, even though the Root CA is always trusted.

I was going to post the code snippet that was failing, but even just http.Get("https://www.google.com") fails with the same error.

@FiloSottile
Copy link
Contributor

FiloSottile commented Dec 26, 2019
edited

@emberquill is the intermediate served by the TLS server, or is it relying on finding it in the keychain? Because that's something we don't do (and would be very hard to do with our API): take untrusted certificates from the keychain and pour them into the intermediates pool.

As a workaround you can make sure the server provides a full chain to the root.

@FiloSottile FiloSottile changed the title crypto/x509: Trust setting not inherited on darwin crypto/x509: untrusted intermediates are not used on macOS Dec 26, 2019
@emberquill
Copy link

It's an issue with my employer's local network rather than the site I'm trying to access. Our network proxy performs TLS inspection, so traffic ends up signed by an internal CA, and the root and intermediaries are all in the Keychain. The Root CA is always trusted, but the two intermediate CAs are set to "Use System Defaults" in the Keychain and thus trigger this error in Go.

Changing the intermediate CAs to Always Trusted is a sufficient workaround for me.

@FiloSottile
Copy link
Contributor

Can you confirm that the proxy doesn't send the intermediate in the TLS handshake?

@mariusgrigoriu
Copy link
Author

I thought I saw an overhaul to how Go interacts with the keychain, but lost the link. Would that change solve this issue?

@rolandshoemaker
Copy link
Member

CL 227037 changed how the macOS API is called, but didn't change how intermediates in the keychain are treated, they are still ignored.

@FiloSottile FiloSottile mentioned this issue Jul 24, 2020
Closed
@andig

This comment has been minimized.

Sign in to view
@FiloSottile

This comment has been minimized.

Sign in to view
@andig

This comment has been minimized.

Sign in to view
@FiloSottile

This comment has been minimized.

Sign in to view
@FiloSottile FiloSottile mentioned this issue May 11, 2021
Closed
@FiloSottile FiloSottile mentioned this issue May 20, 2021
Closed
@gopherbot
Copy link

Change https://golang.org/cl/353132 mentions this issue: crypto/x509: use platform verifier on darwin

@golang golang locked and limited conversation to collaborators Nov 5, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
7 participants
@andig @andybons @mariusgrigoriu @emberquill @FiloSottile @rolandshoemaker @gopherbot