Skip to content

crypto/x509: negative serial number disallowed by default #71606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mstrandboge opened this issue Feb 7, 2025 · 4 comments
Closed

crypto/x509: negative serial number disallowed by default #71606

mstrandboge opened this issue Feb 7, 2025 · 4 comments
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool

Comments

@mstrandboge
Copy link

mstrandboge commented Feb 7, 2025
edited
Loading

Go version

go version go1.23.0 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/influx/Library/Caches/go-build'
GOENV='/Users/influx/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/influx/.gvm/pkgsets/go1.23/global/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/influx/.gvm/pkgsets/go1.23/global'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/influx/.gvm/pkgsets/go1.22/global/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.darwin-arm64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/influx/.gvm/pkgsets/go1.22/global/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.darwin-arm64/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/influx/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/influx/Documents/GitHub/telegraf/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/g6/d6l6tpq15kjg4j12mp_bz80m0000gn/T/go-build74057246=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

After updating https://github.com/influxdata/telegraf to Go 1.23, we received issues related to a change in the crypto/x509 library related to negative serial numbers, such as influxdata/telegraf#16309. After investigating we learned that a change occurred in the library which made negative serial numbers no longer accepted by default.

What did you see happen?

This caused failures for some of our users. We found the go debug x509negativeserial option, which we have enabled in telegraf for now as a workaround. However due to the nature of go debug options, we are not confident in this being a long-term solution.

What did you expect to see?

In RFC 5280, it states:

Note: Non-conforming CAs may issue certificates with serial numbers
that are negative or zero. Certificate users SHOULD be prepared to
gracefully handle such certificates.

Go should provide graceful handling of this situation without the need for a godebug option. One option would be to revert the behavior. Another option could be to flip the godebug option, allowing negative serial by default and treating it like a feature flag. Another option would be to keep this new behavior but add a new more permanent option than godebug to opt-in to legacy behavior
@mstrandboge mstrandboge mentioned this issue Feb 7, 2025
Closed
@gabyhelp
Copy link

gabyhelp commented Feb 7, 2025

Related Issues

Related Code Changes

Related Discussions

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool label Feb 7, 2025
@seankhliao
Copy link
Member

Given Go's focus on Web PKI, the godebug will be the only option.

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Feb 7, 2025
@srebhan
Copy link

srebhan commented Feb 10, 2025

@seankhliao so what you want to say is that excluding everyone facing this issue, which seems to be common for MS issued certificates, and ignoring the recommendation from the RFC is okay for Golang? I was of the impression that Go is a general language and not only for web-development!?!? This breakage was introduced in v1.23, how long will the godebug workaround last?

@mdelapenya mdelapenya mentioned this issue Apr 2, 2025
Merged
@jmbecker jmbecker mentioned this issue Apr 21, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@seankhliao @srebhan @mstrandboge @gabyhelp and others