-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: error with client certificate and X448 and X25519 curves #33577
Comments
Some packets captured with wireshark (of the broken request): |
This comment has been minimized.
This comment has been minimized.
The underlying issue seems that it rejects |
AFAIK, you need to allow the curve in use by the certificate in order to be able to verify it. That's P384 or P256. For what it's worth, your server also does not work for me with curl and a Syncthing-generated certificate:
|
Verification should be fine, it should only block it from being used to negotiate a shared key I have no problem using curl:
Version:
|
Okay, I’ve clearly misunderstood something on that point. Regardless, why don’t you allow the more common curves, is this really the out of the box config in your Ubuntu? |
No there is apparently (still) a bug in apache that makes the ssl configuration for vhosts on the same port be kind of shared and all my other vhosts are restricted to those 2 curves |
Right. So I'll leave this issue for the Go team to decide, but from my point of view after troubleshooting this with your for literally hours -- where you claim a default config, "no special config", and a bug in our code or Go -- only to discover you've disabled a major swath of the relevant cipher stuff in a very unusual way and declined to mention it... I find that disrespectful and a huge waste of time. Over and out. |
I didn't know about this bug in apache either and as curl worked fine, I wasn't thinking that the config some how applied to that vhost and it still seems like there is a bug, just a different one than what I thought (2 bug coming together and one disguising the other) |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes (
1.12.7
)What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
As far as I've been able to reproduce it it only happens with an ecc client certificate and a rsa server certificate.
https://gist.github.com/cromefire/590eb9743dbadeca89c213b0aa1a2d58 (play.golang.org doesn't work with tcp it seems)
The same thing using
curl
works:The backend server (
Apache/2.4.39 (Ubuntu)
, withOpenSSL 1.1.1c
) is using no special config:For debugging purposes the program creates
/tmp/keylog.txt
which can be imported into wiresharkWhat did you expect to see?
The expected result are no errors
What did you see instead?
The text was updated successfully, but these errors were encountered: