Someone tried to validate a cert using SHA-512 without crypto/sha512 linked in. The
error was "x509: certificate signed by unknown authority."
---------- Forwarded message ----------
From: Mike Lewis <mikelikespie@gmail.com>
Date: Wed, Mar 13, 2013 at 2:44 PM
Subject: [go-nuts] Non-Obvious Failure with x509 and custom root CAs
To: golang-nuts@googlegroups.com
Hi,
Long story short:
I was trying to do an http Get against a url with a custom root CA (that was on my keychain).
Received "x509: certificate signed by unknown authority."
Ended up going through the x509 code and ended up landing in x509.go where hashType.Available() was
returning false.
Our CA was using SHA512. The workaround for me was to 'import _
"crypto/sha512"' in my code. However, this was anything but intuitive. I
basically had to add a bunch of print statements throughout go's source code to figure
out where it was failing.
Is this documented anywhere? Or is this a bug? Basically the http library will fail on
any root certs that use algos that aren't imported by a transitive dependency and will
give a very obscure error.
Thanks,
Mike
I was just bitten by this - although I wasn't using the net/http package. It seems that
the crypto/tls package already imports sha1. When using certs generated with sha256 I
got this error. It wasn't until I found this issue that I figured out what the problem
was.
Here is sample code: http://play.golang.org/p/RqN-3GYSW2
Note how you get "x509: certificate signed by unknown authority."
If you simply add _ "crypto/sha256" to the import it works.
Now this will probably not be fixed. How would you fix this? Something that would have
saved me hours of time is if this was mentioned in the crypto/tls documentation (perhaps
even crypto/x509) - at the top.
Please add a note to the documentation. Thanks!
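Added example, not part of the thread or the Go project's code: a pre-flight check that names the hash a certificate's signature needs and reports when it is not linked in, instead of leaving only "certificate signed by unknown authority". The names `sigHash`, `requireHash`, `CheckSigHash` and `sampleChain` are hypothetical, and the sample chain is constructed.

```go
package main

import (
	"crypto"
	"crypto/x509"
	"fmt"
)

// sigHash maps common certificate signature algorithms to the hash they need.
var sigHash = map[x509.SignatureAlgorithm]crypto.Hash{
	x509.SHA256WithRSA: crypto.SHA256, x509.ECDSAWithSHA256: crypto.SHA256,
	x509.SHA384WithRSA: crypto.SHA384, x509.ECDSAWithSHA384: crypto.SHA384,
	x509.SHA512WithRSA: crypto.SHA512, x509.ECDSAWithSHA512: crypto.SHA512,
}

// requireHash reports a missing implementation by name. A hash is only
// Available() once some imported package has registered it.
func requireHash(h crypto.Hash) error {
	if !h.Available() {
		return fmt.Errorf("hash %v is not linked in; blank-import its package", h)
	}
	return nil
}

// CheckSigHash returns the hash c's signature needs, or an error if it is unusable.
func CheckSigHash(c *x509.Certificate) (crypto.Hash, error) {
	h, ok := sigHash[c.SignatureAlgorithm]
	if !ok {
		return 0, fmt.Errorf("signature algorithm %v is not covered by this check", c.SignatureAlgorithm)
	}
	return h, requireHash(h)
}

// sampleChain is constructed input. Only SignatureAlgorithm, the one field
// CheckSigHash reads, is set; real code would pass parsed certificates.
func sampleChain() []*x509.Certificate {
	return []*x509.Certificate{
		{SignatureAlgorithm: x509.SHA256WithRSA},   // SHA-256, as in the second report
		{SignatureAlgorithm: x509.ECDSAWithSHA512}, // SHA-512, as in the first report
	}
}

func main() {
	for _, c := range sampleChain() {
		fmt.Println(CheckSigHash(c))
	}
	// RIPEMD160 lives outside the standard library, so it is never registered here.
	fmt.Println(requireHash(crypto.RIPEMD160))
}
```

Running the check over every certificate in a custom root pool at start-up turns the silent `Available() == false` case into an error that names the missing package.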