
crypto/tls: after switching to TLSv1.3+ Connect no longer returns errors #42656

Closed
fasaxc opened this issue Nov 17, 2020 · 2 comments

Comments

@fasaxc

fasaxc commented Nov 17, 2020

What version of Go are you using (go version)?

$ go version
go version go1.15.3 linux/amd64

Does this issue reproduce with the latest release?

Yes, I think so

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/shaun/.cache/go-build"
GOENV="/home/shaun/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/shaun/go-os/pkg/mod"
GONOPROXY="github.com/tigera/*"
GONOSUMDB="github.com/tigera/*"
GOOS="linux"
GOPATH="/home/shaun/go-os"
GOPRIVATE="github.com/tigera/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/shaun/go-os/src/github.com/projectcalico/typha/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build310145214=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Create a TLS connection with a mismatched certificate (this is in a unit test, which was testing the "bad path").

What did you expect to see?

With <=TLSv12, I get an error from DialWithDialer(). This feels like the natural time to return connection set-up errors and it makes it more obvious to the caller that the issue is with the parameters of the connection.

(We had this pinned because tests started failing when we updated to go v1.13 so we made a quick fix; I'm just coming back to that to investigate...)

What did you see instead?

With <=TLSv13, I get no error from DialWithDialer(), but later reads fail with

remote error: tls: bad certificate type=""

for example. So, looks like there's no compromise in security but the error appears as a problem with the established connection rather than a problem with establishing the connection in the first place.

@FiloSottile
Contributor

This is unfortunate but expected behavior, which is due to how TLS 1.3 works at the protocol level, and can't be fixed by the implementation. In TLS 1.3, the client sends the client certificates just before declaring the handshake over, and doesn't get to hear from the server again before sending application data. Waiting to hear back would introduce a whole round-trip, with a significant performance cost.

We've only seen this affect tests, since as you observed the error will be detected on the first Read invocation.

@FiloSottile FiloSottile changed the title After switching to TLSv1.3+ Connect no longer returns errors crypto/tls: after switching to TLSv1.3+ Connect no longer returns errors Nov 17, 2020
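A loopback reproduction of the behaviour described in the comment above, added here as an example and not code from the issue or from crypto/tls: a server that requires client certificates rejects one it never trusted, and the helper reports whether the rejection shows up in Dial or only on the first Read, with both sides pinned to one TLS version. The function names `selfSigned` and `dialWithRejectedClientCert` and the throwaway certificates are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
func selfSigned(cn string) tls.Certificate { // throwaway Ed25519 self-signed loopback cert (constructed test data)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // reads from rand.Reader do not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Unix(0, 0), NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above; always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// dialWithRejectedClientCert returns the errors seen from Dial and from the first Read when a loopback mTLS server rejects the client cert.
func dialWithRejectedClientCert(version uint16) (dialErr, readErr error) {
	serverCert, clientCert := selfSigned("server"), selfSigned("client")
	pool := x509.NewCertPool()
	pool.AddCert(serverCert.Leaf) // the client's self-signed cert is deliberately not trusted
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, nil
	}
	defer ln.Close()
	go func() { // server side: client cert verification fails and a bad_certificate alert goes out
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			_ = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}).Handshake()
		}
	}()
	cliCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool, MinVersion: version, MaxVersion: version}
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if dialErr == nil { // TLS 1.3 lands here: Dial succeeded, the rejection only surfaces on Read
		_, readErr = conn.Read(make([]byte, 1))
		conn.Close()
	}
	return dialErr, readErr // TLS 1.2 reports the rejection from Dial instead
}
```

With tls.VersionTLS12 the rejection comes back from Dial; with tls.VersionTLS13 Dial returns nil and the first Read fails (typically with the same "remote error: tls: bad certificate" the issue quotes), which is why a test of the bad path has to read after connecting.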
@fasaxc
Author

fasaxc commented Nov 17, 2020

OK, makes sense if it's necessary to avoid another round trip

@golang golang locked and limited conversation to collaborators Nov 17, 2021