Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: GOINSECURE environment variable does not bypass proxy certificate checks #53399

Closed
SaurabhHarwandeAtErm opened this issue Jun 15, 2022 · 4 comments
Closed

cmd/go: GOINSECURE environment variable does not bypass proxy certificate checks #53399

SaurabhHarwandeAtErm opened this issue Jun 15, 2022 · 4 comments
Labels
FrozenDueToAge GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security
Milestone
Backlog

Comments

@SaurabhHarwandeAtErm
Copy link

SaurabhHarwandeAtErm commented Jun 15, 2022
edited

What version of Go are you using (go version)?

$ go version
go version go1.18.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Debian running on wsl

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/saurabh/.cache/go-build"
GOENV="/home/saurabh/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE="*.golang.org"
GOMODCACHE="/home/saurabh/go/pkg/mod"
GONOPROXY="*.golang.org"
GONOSUMDB="*.golang.org"
GOOS="linux"
GOPATH="/home/saurabh/go"
GOPRIVATE="*.golang.org"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/saurabh/DevEnv/GoLang/PlayGround/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build805608581=/tmp/go-build -gno-record-gcc-switches"

What did you do?

tried to use go install command

> go install -v golang.org/x/tools/gopls@latest

values tried for go insecure:
.golang.org
proxy.golang.org/

What did you expect to see?

The install command should work successfully and bypass the insecure certificate checks

What did you see instead?

go install command fails due to insecure certificates

go: golang.org/x/tools/gopls@latest: module golang.org/x/tools/gopls: Get "https://proxy.golang.org/golang.org/x/tools/gopls/@v/list": x509: certificate signed by unknown authority
@ianlancetaylor ianlancetaylor changed the title GOINSECURE environment variable does not function cmd/go: GOINSECURE environment variable does not function Jun 15, 2022
@ianlancetaylor
Copy link
Contributor

CC @bcmills @matloob

@ianlancetaylor ianlancetaylor added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jun 15, 2022
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jun 15, 2022
@bcmills bcmills changed the title cmd/go: GOINSECURE environment variable does not function cmd/go: GOINSECURE environment variable does not bypass proxy security Jun 15, 2022
@bcmills bcmills changed the title cmd/go: GOINSECURE environment variable does not bypass proxy security cmd/go: GOINSECURE environment variable does not bypass proxy certificate checks Jun 15, 2022
@bcmills
Copy link
Contributor

bcmills commented Jun 15, 2022

The documentation for GOINSECURE explicitly says that it “[o]nly applies to dependencies that are being fetched directly.” Dependencies being fetched from a proxy are not being fetched directly, so this is working as designed and documented.

Note that you could, in theory, write your own proxy-proxy that fetches insecurely from another HTTPS proxy, although I really would not recommend that. 😅

@bcmills bcmills closed this as not planned Won't fix, can't repro, duplicate, stale Jun 15, 2022
@SaurabhHarwandeAtErm
Copy link
Author

@bcmills
Thanks for updating
Any thing straight forward that can resolve this?
While I am working on understanding why SSL is failing for my WSL instances I would like to just ignore SSL certificates temporarily when using go install.

@D1CED
Copy link

D1CED commented Jun 16, 2022

You can set GOPROXY=direct to avoid using a proxy server. https://go.dev/ref/mod#environment-variables

@golang golang locked and limited conversation to collaborators Jun 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
5 participants
@ianlancetaylor @bcmills @gopherbot @D1CED @SaurabhHarwandeAtErm