
crypto/x509, net/http: HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host #55872

Open
genesio-systemlogic opened this issue Sep 26, 2022 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@genesio-systemlogic

What version of Go are you using (go version)?

go version go1.19.1 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fatel/.cache/go-build"
GOENV="/home/fatel/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/fatel/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/fatel/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/opt/dev/test/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1176337918=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I call an Italian government web service to fetch company information.
IMPORTANT: I don't know when this started to fail (the service is rarely used in production)
It works without issues on a Windows 11 x64 development laptop.

REPRO:
https://go.dev/play/p/rBzkcc1XgDP

What did you expect to see?

a JSON response

What did you see instead?

"x509: unhandled critical extension" error

@genesio-systemlogic
Author

I have multiple reports of Mac and Windows working just fine, while Linux hosts are not working.

As a workaround I can set InsecureSkipVerify = true on the TLS configuration.

@derekmwright

derekmwright commented Sep 26, 2022

There may be some differences in the certificates that are provided to clients based on network location due to CDNs and other regionalized endpoints. From a US based location, I do not receive a full Server + CA chain with my request, just the Server certificate, and it functions as expected. I had @genesio-systemlogic provide the full cert chain he was receiving and looked at all certificates presented, and the intermediate certificate is using a currently unsupported critical extension OID: 2.5.29.30 - Name Constraints.

Offending certificate is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Looks like there may be an issue already open for supporting this extension as critical, please reference: #15196

@dmitshur dmitshur changed the title HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host crypto/x509, net/http: HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host Sep 26, 2022
@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 26, 2022
@dmitshur dmitshur added this to the Backlog milestone Sep 26, 2022
@dmitshur
Contributor

CC @golang/security.

@FiloSottile
Contributor

It's this WebPKI intermediate root: https://crt.sh/?id=5715019745&opt=cablint,x509lint,zlint

It's working on Windows and macOS because the chain is being verified by the platform verifier, while on Linux we use our own. We do support critical name constraints, but this certificate also has a DN constraint, regrettably, which we don't support (#15196).

They're a huge headache, but if they're showing up in the WebPKI we might have to bite the bullet and support them.
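The following program is an added example, not code from this issue or from the Go project. It reproduces offline what derekmwright found by inspecting the chain and what @FiloSottile explains above: it builds a constructed test chain (root, intermediate, leaf for www.example.com; all names are made up) in which the intermediate carries a critical Name Constraints (2.5.29.30) extension, encodes the extension by hand because the `x509.Certificate` template fields only cover the subtree types Go supports, and then verifies the leaf with Go's own verifier (an explicit root pool is used, so the platform verifier is never consulted, which mirrors the Linux behaviour). With a dNSName subtree alone the chain verifies; once a directoryName subtree is added, the parser records 2.5.29.30 in the intermediate's `UnhandledCriticalExtensions` and `Verify` fails with the "unhandled critical extension" error the reporter saw. The helper names (`dnsConstraint`, `dnConstraintFor`, `newCert`, `VerifyWithConstraint`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-nameConstraints (2.5.29.30), the extension named in the thread.
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}

// RFC 5280 NameConstraints, trimmed to a permittedSubtrees list (minimum/maximum omitted).
type (
	generalSubtree  struct{ Base asn1.RawValue } // one GeneralName
	nameConstraints struct {
		Permitted []generalSubtree `asn1:"optional,tag:0"`
	}
)

// dnsConstraint encodes a dNSName GeneralName ([2] IA5String), a subtree type Go's verifier handles.
func dnsConstraint(domain string) asn1.RawValue {
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(domain)}
}

// dnConstraintFor encodes a directoryName GeneralName ([4] EXPLICIT Name) for a constructed
// organization: the subtree type the intermediate in this issue carries and Go does not handle.
func dnConstraintFor(org string) (asn1.RawValue, error) {
	der, err := asn1.Marshal(pkix.Name{Organization: []string{org}}.ToRDNSequence())
	if err != nil {
		return asn1.RawValue{}, err
	}
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: der}, nil
}

// newCert fills in the boilerplate of a constructed test template, signs it (self-signed when
// parent is nil) and re-parses it, so the result is what a TLS client sees after ParseCertificate.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.BasicConstraintsValid = true
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyWithConstraint builds root -> intermediate (critical Name Constraints holding bases) ->
// leaf for www.example.com and verifies the leaf against an explicit root pool (Go's own verifier).
// It returns the critical extension OIDs Go could not fully handle on the intermediate and the
// Verify outcome; err reports a problem building the chain itself.
func VerifyWithConstraint(bases ...asn1.RawValue) (unhandled []string, verifyErr error, err error) {
	var nc nameConstraints
	for _, b := range bases {
		nc.Permitted = append(nc.Permitted, generalSubtree{Base: b})
	}
	der, err := asn1.Marshal(nc)
	if err != nil {
		return nil, nil, err
	}
	ncExt := pkix.Extension{Id: oidNameConstraints, Critical: true, Value: der}
	root, rootKey, err := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test Root"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	inter, interKey, err := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test Intermediate"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign, ExtraExtensions: []pkix.Extension{ncExt}}, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"}}, inter, interKey)
	if err != nil {
		return nil, nil, err
	}
	for _, oid := range inter.UnhandledCriticalExtensions {
		unhandled = append(unhandled, oid.String())
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, verifyErr = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.com"})
	return unhandled, verifyErr, nil
}

func main() {
	dn, dnErr := dnConstraintFor("Example Org")
	for _, bases := range [][]asn1.RawValue{{dnsConstraint("example.com")}, {dnsConstraint("example.com"), dn}} {
		unhandled, verifyErr, err := VerifyWithConstraint(bases...)
		fmt.Printf("%d subtree(s): unhandled=%v verify=%v (setup errors: %v %v)\n", len(bases), unhandled, verifyErr, dnErr, err)
	}
}
```

The practical point for a client that hits this: the failure is attributable to one specific certificate in the chain, and `UnhandledCriticalExtensions` on the parsed intermediate names the extension, so the diagnosis can be logged from a `VerifyPeerCertificate` callback without resorting to `InsecureSkipVerify`, which would also disable hostname and chain checks for every connection.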
