crypto/tls: ExampleDial failing #35706

Open
FrankReh opened this issue Nov 20, 2019 · 4 comments

@FrankReh FrankReh commented Nov 20, 2019

What version of Go are you using (go version)?

$ go version
go1.13.4

Does this issue reproduce with the latest release?

Same failure with go1.13.4 under OS X and Ubuntu.
Same solution below works on both.

What operating system and processor architecture are you using (go env)?

What did you do?

Built and ran the example from https://golang.org/pkg/crypto/tls/#Dial

What did you expect to see?

Expected it to pass.

What did you see instead?

The program failed. The root pem is not currently valid.

I found a CA pem that does make the program succeed. By
changing the hard coded string in the example, the example program works again.
It follows:

// From /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
const rootPEM = `
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----`

@agnivade agnivade changed the title Failing example at https://golang.org/pkg/crypto/tls/#Dial crypto/tls: ExampleDial failing Nov 20, 2019

@agnivade agnivade commented Nov 20, 2019

Thanks, we should also probably add a // Output: so that it does not regress in the future.

@agnivade agnivade added this to the Unplanned milestone Nov 20, 2019

@FrankReh FrankReh commented Nov 20, 2019

Maybe no // Output: was provided because you wouldn't want this to fail in a source tree that was already released. It could lead people to believe something about the tls package had broken when in fact it was just a website or a website's certificate that had changed. Perhaps a comment about how this might fail in the future if someone like me stumbles on it wanting to run it locally as a main program.

I ran into it because I was getting an odd TLS certificate failure on my darwin system and I had seen work recently regarding others having TLS issues too with their darwin systems. When I ran this locally and it failed, I was misled into thinking it was something about my darwin release or the golang stdlib. Lucky I tried the same program on a Linux machine before filing a bug and found it failed there too. That's when I found there was a system certificate that would make it work, just not the one hard coded in the example.


@agnivade agnivade commented Nov 20, 2019

Ah, that might be why. /cc @FiloSottile


@gopherbot gopherbot commented Jan 1, 2020

Change https://golang.org/cl/212601 mentions this issue: crypto/tls: update ExampleDial with a valid cert
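
An added example, not part of this thread or of the Go project's code, for the confusion described above: it verifies a server certificate against one pinned root and names the failure class, so a stale hard-coded root is not mistaken for a crypto/tls or OS fault. The `issue` and `diagnose` helpers, the host name and both roots are constructed for illustration and are assumptions, not values from the issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed sample cert (nil parent = self-signed root CA); errors ignored as inputs are fixed.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// diagnose verifies leaf for host at the given time against the pinned root only and names the failure class.
func diagnose(leaf, pinned *x509.Certificate, host string, at time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "pinned root did not sign this chain"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "certificate outside its validity window"
	}
	return "other: " + err.Error()
}

func main() {
	oldRoot, _ := issue("old-root.example", nil, nil)
	newRoot, newKey := issue("new-root.example", nil, nil)
	leaf, _ := issue("www.example.test", newRoot, newKey) // the site now chains to newRoot
	fmt.Println("old pin:", diagnose(leaf, oldRoot, "www.example.test", time.Now()))
	fmt.Println("new pin:", diagnose(leaf, newRoot, "www.example.test", time.Now()))
}
```

Setting `Roots` explicitly keeps the system trust store out of the check, which is why the result is the same on darwin and Linux.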
