
crypto/x509: Entrust broken cert link no longer valid, please consider removing the workaround #21488

Closed
mrmagooey opened this issue Aug 17, 2017 · 5 comments

mrmagooey commented Aug 17, 2017

What version of Go are you using (go version)?

go version go1.8.3 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.8.3/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.8.3/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/zv/jpk_y5hd6xj029pmkgm0j1ym0000gn/T/go-build313170607=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you expect to see?

At https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L756, go has special dispensation for checking the validity of an "Entrust" certificate due to that vendor's mistake in issuing a non-CA certificate as root. The link given (http://www.entrust.net/knowledge-base/technote.cfm?tn=7869) is no longer a valid link, and my search of that vendor's website no longer seems to yield information about the issue (it appears to have been removed).

The original discussion of the issue (https://groups.google.com/forum/#!topic/golang-dev/_9Pz-0BEmCc) estimated that it may need to remain in the codebase to 2020. However, given that the vendor no longer provides the original "technote", which I would see as a withdrawal of their support for anyone encountering the issue, perhaps golang should consider removing the special dispensation from the x509 cert validity code before this 2020 date.
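The rule the special case carves an exception out of is RFC 5280 section 4.2.1.9: a certificate whose basic constraints extension is present but whose cA boolean is not asserted must not be used to verify certificate signatures. The following program, added here as an illustration and not code from this issue or from the Go project, builds a root, an issuer and a leaf with constructed names ("Example Root", "Example Issuer", "leaf.example"), once with a proper CA issuer and once with an issuer that carries the basic constraints extension without the cA flag, and shows how crypto/x509 treats each: both the single-link CheckSignatureFrom check and a full Verify with certificate pools. The non-CA issuer is rejected with x509.ConstraintViolationError, which is exactly the outcome the Entrust workaround suppresses for one specific key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainResult records how crypto/x509 treats a leaf signed by a given issuer.
type ChainResult struct {
	SignatureAccepted bool // leaf.CheckSignatureFrom(issuer) returned nil
	ConstraintError   bool // that error was x509.ConstraintViolationError (RFC 5280 4.2.1.9)
	ChainVerified     bool // leaf.Verify built a chain to the root
}

// newTemplate returns a minimal certificate template. All names are constructed
// for this example. BasicConstraintsValid is always true so the cA boolean is
// explicitly present, which is the shape of the broken issuer discussed above.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue generates a P-256 key for template and signs the certificate with
// parentKey. A nil parent means the certificate is self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildAndCheck builds root -> issuer -> leaf. With issuerIsCA false the issuer
// carries a basic constraints extension whose cA flag is not asserted, the
// defect the Entrust special case in x509.go tolerates for one specific key.
func BuildAndCheck(issuerIsCA bool) (ChainResult, error) {
	var res ChainResult
	root, rootKey, err := issue(newTemplate("Example Root", 1, true), nil, nil)
	if err != nil {
		return res, err
	}
	issuer, issuerKey, err := issue(newTemplate("Example Issuer", 2, issuerIsCA), root, rootKey)
	if err != nil {
		return res, err
	}
	leafTmpl := newTemplate("leaf.example", 3, false)
	leafTmpl.DNSNames = []string{"leaf.example"}
	leaf, _, err := issue(leafTmpl, issuer, issuerKey)
	if err != nil {
		return res, err
	}

	// Single-link check: this is where a non-CA issuer is refused.
	err = leaf.CheckSignatureFrom(issuer)
	res.SignatureAccepted = err == nil
	var cve x509.ConstraintViolationError
	res.ConstraintError = errors.As(err, &cve)

	// Full chain building, the way a TLS client would do it.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "leaf.example"})
	res.ChainVerified = err == nil
	return res, nil
}

func main() {
	for _, isCA := range []bool{true, false} {
		r, err := BuildAndCheck(isCA)
		if err != nil {
			panic(err)
		}
		fmt.Printf("issuer IsCA=%-5v signature accepted=%-5v constraint error=%-5v chain verified=%v\n",
			isCA, r.SignatureAccepted, r.ConstraintError, r.ChainVerified)
	}
}
```

Running it prints one line per case: the CA issuer is accepted by both checks, the non-CA issuer fails both, and the single-link failure is the constraint violation rather than a bad signature. That distinction matters when reasoning about the workaround: the Entrust certificate's signatures were cryptographically fine, and only the cA bit was wrong.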

odeke-em changed the title from "Entrust broken cert link no longer valid, consider removing the workaround" to "crypto/x509: Entrust broken cert link no longer valid, please consider removing the workaround" Aug 17, 2017

odeke-em (Member) commented Aug 17, 2017

/cc @agl and other crypto folks.

ianlancetaylor (Contributor) commented Aug 17, 2017

This was added in https://golang.org/cl/6346064 .

ianlancetaylor added this to the Go1.10 milestone Aug 17, 2017

FiloSottile (Member) commented Aug 17, 2017

Here is the broken cert for this intermediate CA (which has a few weird reincarnations).

According to Censys there are 316 IPv4 hosts still using it and 5 websites in the Alexa Top 1M.

We can kill it I guess, but I see no rush.

BTW, this is not a security issue, so I think there is no need for release-blocker?

ianlancetaylor (Contributor) commented Aug 17, 2017

I added the release-blocker label because I think we should make a decision one way or another for the 1.10 release.

agl (Contributor) commented Aug 17, 2017

There's no pressing need to remove this check except that it's always nice to have less code. Given that it's likely to cause some small issues if removed, I think it still carries its weight.

agl closed this Aug 17, 2017
golang locked and limited conversation to collaborators Aug 17, 2018