New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto/x509: Allow to pass flags to syscall.CertGetCertificateChain, when using TLS Transport under Windows #63238
Comments
CC @golang/security |
@ianlancetaylor Are more information required here? |
AFAIK, neither |
@qmuntal Sure, I will dump all information that I had: How I'm able to reproduce the Issue on
package main
import (
"crypto/tls"
"fmt"
"io"
"log"
"net/http"
"time"
)
func main() {
client := http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: false,
},
},
}
resp, err := client.Get("https://grafana.oracle.jkroepke.de")
if err != nil {
log.Fatalln(err)
}
defer resp.Body.Close()
htmlData, err := io.ReadAll(resp.Body)
if err != nil {
log.Fatalln(err)
return
}
fmt.Printf("%v\n", resp.Status)
fmt.Printf(string(htmlData))
} Output:
Dump of all goroutes while go is trying to etablish the TLS connection:
Port 443 is open and confirmed by curl: Details
After open Port 80, the following HTTP request can be captured via Wireshark
Note: After open Port 80 and execute the go code above, Windows is able to validate the revocation status and cache the infomation. |
Based on the goroutine dump, I think I'm looking for a way to define flags ( https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain Code: go/src/crypto/x509/root_windows.go Line 250 in 8da6405
|
Before writing the proposal here, I ask the community. However we found no solution for this issue.
Ref: https://stackoverflow.com/questions/77098977/disable-certificate-revocation-check-for-specific-https-connections-on-windows
I'm working on a internet restricted environment. Since our internal services we are using Let's Encrypt certificates to avoid the overhead with an internal PKI.
I'm writing a go program which collects informations from all systems and sent the data to a central system. While this works fine for Linux systems, have I have trouble on Windows system.
It seems like that go is using the os native libraries to establish a secured connection for HTTPS requests.
With using the program below
I got this
It seems like the native libraries tries to contact the CRLs (which are not allowed) and the connection fails here. I inspect the traffic with Wireshark and see HTTP connection to r3.c.lencr.org with User-Agent CryptoAPI.
I also can verify such behavior, if I'm using curl
However curl has the option
--ssl-no-revoke
to skip the specific revoke check. Running curl with the option works fine.Looking at the source code of CURL
https://github.com/curl/curl/blob/8e74c0729d0cace00a202fc6c33c1b35703e220a/lib/vtls/schannel.c#L474-L492
they are passing flags like
Source: https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
I would like have an option the set the flag on go, too.
Also RUST has the support to define such os native flags https://github.com/rust-lang/cargo/blob/3ea3c3a27f49f4926ff32befe48f8b652cd755b2/src/cargo/sources/git/oxide.rs#L291
The text was updated successfully, but these errors were encountered: