crypto/tls: rejects CA cert from certtool #6837
Comments
Hello! Please check these certificates. Thank you! Attachments:
This cert does indeed have a negative RSA modulus:

    $ openssl asn1parse -i -dump -in gnutls.crt -strparse 174
        0:d=0  hl=4 l= 265 cons: SEQUENCE
        4:d=1  hl=4 l= 256 prim:  INTEGER           :-…
      264:d=1  hl=2 l=   3 prim:  INTEGER           :010001
    $

The GnuTLS ASN.1 encoder should have padded it with a leading NUL byte. It looks like CentOS 6 uses a modified version of GnuTLS 2.8.5¹ which is unfortunate since this bug was fixed four years ago² (and included in the 2.8.6 release).

Cheers, Anthony

1. http://vault.centos.org/6.5/os/Source/SPackages/gnutls-2.8.5-10.el6_4.2.src.rpm
2. https://gitorious.org/gnutls/gnutls/commit/3d8da5765133c6ced37bf29b5a07f950b8c26cd7
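Added example, not part of the original thread and not code from Go or GnuTLS: it shows why the missing leading zero byte described above makes the modulus decode as negative, using Go's `encoding/asn1`. The helper names `encodeInteger` and `modulusSign` and the 4-byte sample value are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// encodeInteger wraps big-endian magnitude bytes in a DER INTEGER (tag 0x02).
// With pad=true it prepends 0x00 when the top bit is set, as DER requires for
// a positive value; pad=false reproduces the unpadded encoding described above.
// Short-form length only (content < 128 bytes), enough for this constructed sample.
func encodeInteger(magnitude []byte, pad bool) []byte {
	content := magnitude
	if pad && len(magnitude) > 0 && magnitude[0]&0x80 != 0 {
		content = append([]byte{0x00}, magnitude...)
	}
	return append([]byte{0x02, byte(len(content))}, content...)
}

// modulusSign decodes a DER INTEGER with encoding/asn1 and returns its sign
// (-1, 0 or +1). DER integers are two's complement, so a set top bit means negative.
func modulusSign(der []byte) (int, error) {
	var n *big.Int
	rest, err := asn1.Unmarshal(der, &n)
	if err != nil {
		return 0, err
	}
	if len(rest) != 0 {
		return 0, errors.New("trailing data after INTEGER")
	}
	return n.Sign(), nil
}

func main() {
	// Constructed 4-byte stand-in for a modulus whose first byte has the top bit set.
	sample := []byte{0xC3, 0x5A, 0x11, 0x07}
	for _, pad := range []bool{false, true} {
		der := encodeInteger(sample, pad)
		sign, err := modulusSign(der)
		fmt.Printf("pad=%-5v der=% x sign=%d err=%v\n", pad, der, sign, err)
	}
}
```

The same effect is visible in the `asn1parse` output above: the modulus INTEGER has `l= 256`, whereas a 2048-bit modulus with its top bit set needs 257 content bytes once the zero byte is present.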
I hit the same error trying to do docker pull and isolated root cause back to a known issue with Palo Alto Networks (PAN) SSL intercepting firewall. Here's what we got from PAN support...
Don't know if PAN is using gnutls certtool, but figured I would share for anybody going web proxy thru a corporate firewall, etc...
@swapdisk This issue was closed long ago. If you are having trouble with the current code please open a new issue or ask on golang-nuts. Thanks.
@ianlancetaylor Understood, was just sharing some knowledge regarding other issues that can trigger the same golang error. I also see that Red Hat has just now released updated RHEL6 gnutls-utils package that includes the certtool bug fix at https://rhn.redhat.com/errata/RHSA-2015-1457.html :-)
by pavel.odintsov: