crypto/x509: respect GODEBUG changes during program lifetime #56436
Assignees
Labels
Milestone
Comments
rsc
added
the
NeedsFix
|
@gopherbot please backport |
This was referenced Oct 26, 2022
|
Backport issue(s) opened: #56437 (for 1.18), #56438 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/445496 mentions this issue: |
|
Change https://go.dev/cl/445655 mentions this issue: |
|
Change https://go.dev/cl/445656 mentions this issue: |
romaindoumenc
pushed a commit
to TroutSoftware/go
that referenced
this issue
Nov 3, 2022
This allows programs that want SHA1 support to call os.Setenv at startup instead of insisting that users set the environment variable themselves. For golang#41682. Fixes golang#56436. Change-Id: Idcb96212a1d8c560e1dd8eaf7c80b6266f16431e Reviewed-on: https://go-review.googlesource.com/c/go/+/445496 Reviewed-by: David Chase <drchase@google.com> Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Russ Cox <rsc@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Nov 8, 2022
…wing SHA1 certificates This allows programs that want SHA1 support to call os.Setenv at startup instead of insisting that users set the environment variable themselves. For #41682. Fixes #56436. Fixes #56437. Change-Id: Idcb96212a1d8c560e1dd8eaf7c80b6266f16431e Reviewed-on: https://go-review.googlesource.com/c/go/+/445496 Reviewed-by: David Chase <drchase@google.com> Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/445656
gopherbot
pushed a commit
that referenced
this issue
Nov 8, 2022
…wing SHA1 certificates This allows programs that want SHA1 support to call os.Setenv at startup instead of insisting that users set the environment variable themselves. For #41682. Fixes #56436. Fixes #56438. Change-Id: Idcb96212a1d8c560e1dd8eaf7c80b6266f16431e Reviewed-on: https://go-review.googlesource.com/c/go/+/445496 Reviewed-by: David Chase <drchase@google.com> Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/445655
|
Change https://go.dev/cl/449504 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Nov 14, 2022
We have been expanding our use of GODEBUG for compatibility, and the current implementation forces a tradeoff between freshness and efficiency. It parses the environment variable in full each time it is called, which is expensive. But if clients cache the result, they won't respond to run-time GODEBUG changes, as happened with x509sha1 (#56436). This CL changes the GODEBUG API to provide efficient, up-to-date results. Instead of a single Get function, New returns a *godebug.Setting that itself has a Get method. Clients can save the result of New, which is no more expensive than errors.New, in a global variable, and then call that variable's Get method to get the value. Get costs only two atomic loads in the case where the variable hasn't changed since the last call. Unfortunately, these changes do require importing sync from godebug, which will mean that sync itself will never be able to use a GODEBUG setting. That doesn't seem like such a hardship. If it was really necessary, the runtime could pass a setting to package sync itself at startup, with the caveat that that setting, like the ones used by runtime itself, would not respond to run-time GODEBUG changes. Change-Id: I99a3acfa24fb2a692610af26a5d14bbc62c966ac Reviewed-on: https://go-review.googlesource.com/c/go/+/449504 Run-TryBot: Russ Cox <rsc@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
4 tasks
andrew-d
pushed a commit
to tailscale/go
that referenced
this issue
Dec 7, 2022
…wing SHA1 certificates This allows programs that want SHA1 support to call os.Setenv at startup instead of insisting that users set the environment variable themselves. For golang#41682. Fixes golang#56436. Fixes golang#56438. Change-Id: Idcb96212a1d8c560e1dd8eaf7c80b6266f16431e Reviewed-on: https://go-review.googlesource.com/c/go/+/445496 Reviewed-by: David Chase <drchase@google.com> Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/445655
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
For #41682 we allow GODEBUG=x509sha1=1 to reenable SHA1 certificate support.
But programs cannot use os.Setenv at startup, because the SHA1 behavior is loaded
into a global variable during func init in crypto/x509, apparently to make testing easier.
We should tweak the code to check GODEBUG as needed, and then we should backport the change.
Among other things, this will help Kubernetes update older releases to newer Go versions.
The text was updated successfully, but these errors were encountered: