crypto/x509: untrusted intermediates are not used on macOS #35631

Open
mariusgrigoriu opened this issue Nov 16, 2019 · 13 comments

Comments


@mariusgrigoriu mariusgrigoriu commented Nov 16, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/xhp9/Library/Caches/go-build"
GOENV="/Users/xhp9/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/xhp9"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.13.4/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.13.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/xhp9/src/github.com/nordstrom/kubelogin/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qy/p4t6xtws5yv8llv3wg15ck9rztrl8v/T/go-build395049258=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Open http connection to a remote server using internal certificate. Web browsers have no issue accepting the certificate.

A workaround is to set the issuing CA to Always Trust in the keychain. Using system defaults does not work.

Basically this seems to be the same issue as #30471 or #30672 except I get a failure even with CGO_ENABLED=0.

What did you expect to see?

No error.

What did you see instead?

x509: certificate signed by unknown authority


@mariusgrigoriu mariusgrigoriu commented Nov 16, 2019

@FiloSottile I think we're still having issues with certificate trust settings on mac os.


@FiloSottile FiloSottile commented Nov 16, 2019

Thanks for the report, can you give us the output of GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509?


@mariusgrigoriu mariusgrigoriu commented Nov 17, 2019

The test passes in both cases. However, when the certificate is set to "Use System Defaults" it does not even appear in the debug output. It does appear when set to "Always Trust."

@andybons andybons added this to the Unplanned milestone Nov 18, 2019

@emberquill emberquill commented Dec 26, 2019

I'm experiencing the same issue on macOS Mojave, running go 1.13.4.

The certificate chain in our environment has two intermediate CAs between the Root CA and the site certificate. If the site certificate's issuing CA isn't marked as Always Trusted, then trust isn't inherited, even though the Root CA is always trusted.

I was going to post the code snippet that was failing, but even just http.Get("https://www.google.com") fails with the same error.


@FiloSottile FiloSottile commented Dec 26, 2019

@emberquill is the intermediate served by the TLS server, or is it relying on finding it in the keychain? Because that's something we don't do (and would be very hard to do with our API): take untrusted certificates from the keychain and pour them into the intermediates pool.

As a workaround you can make sure the server provides a full chain to the root.

@FiloSottile FiloSottile changed the title crypto/x509: Trust setting not inherited on darwin crypto/x509: untrusted intermediates are not used on macOS Dec 26, 2019

@emberquill emberquill commented Dec 27, 2019

It's an issue with my employer's local network rather than the site I'm trying to access. Our network proxy performs TLS inspection, so traffic ends up signed by an internal CA, and the root and intermediaries are all in the Keychain. The Root CA is always trusted, but the two intermediate CAs are set to "Use System Defaults" in the Keychain and thus trigger this error in Go.

Changing the intermediate CAs to Always Trusted is a sufficient workaround for me.


@FiloSottile FiloSottile commented Dec 29, 2019

Can you confirm that the proxy doesn't send the intermediate in the TLS handshake?


@mariusgrigoriu mariusgrigoriu commented Jun 17, 2020

I thought I saw an overhaul to how Go interacts with the keychain, but lost the link. Would that change solve this issue?


@rolandshoemaker rolandshoemaker commented Jun 17, 2020

CL 227037 changed how the macOS API is called, but didn't change how intermediates in the keychain are treated; they are still ignored.
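
The behaviour FiloSottile and rolandshoemaker describe, as an added Go example that is not part of this issue or of the Go project: a constructed hierarchy of a root, two intermediate CAs and a leaf (the CA names and the `internal.example` host are made up). Verifying the leaf with only the root in `Roots` reproduces the reporter's "x509: certificate signed by unknown authority"; putting the intermediates into `VerifyOptions.Intermediates`, which is what a server sending its full chain in the handshake achieves, makes verification succeed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
// Key usage extensions are omitted for brevity: Go's verifier does not check them.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// verifyChain builds the constructed hierarchy root -> inter1 -> inter2 -> leaf and verifies the leaf
// against the root; useIntermediates=false is what Go sees on macOS when the intermediates are only in the keychain.
func verifyChain(useIntermediates bool) error {
	root, rootKey := makeCert("Internal Root CA (constructed)", true, nil, nil)
	inter1, k1 := makeCert("Internal Intermediate CA 1 (constructed)", true, root, rootKey)
	inter2, k2 := makeCert("Internal Intermediate CA 2 (constructed)", true, inter1, k1)
	leaf, _ := makeCert("internal.example", false, inter2, k2)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if useIntermediates { // equivalent of the server presenting the full chain in the TLS handshake
		opts.Intermediates.AddCert(inter1)
		opts.Intermediates.AddCert(inter2)
	}
	_, err := leaf.Verify(opts)
	return err
}
```

On Linux or Windows the same call with `Roots` unset and the intermediates placed in the system store would also fail, so shipping the full chain from the server is the portable fix.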
