crypto/x509, net/http: HTTP POST to Italian government web service fails with "x509: unhandled critical extension" error on Linux host #55872
I have multiple reports of Mac and Windows working just fine, while Linux hosts are not working. As a workaround I can set InsecureSkipVerify = true in the TLS configuration.
There may be some differences in the certificates that are provided to clients based on network location due to CDNs and other regionalized endpoints. From a US-based location, I do not receive a full server + CA chain with my request, just the server certificate, and it functions as expected. I had @genesio-systemlogic provide the full cert chain he was receiving and looked at all certificates presented; the intermediate certificate is using a currently unsupported critical extension. Offending certificate is:
Looks like there may be an issue already open for supporting this extension as critical; please reference #15196.
CC @golang/security.
It's this WebPKI intermediate root: https://crt.sh/?id=5715019745&opt=cablint,x509lint,zlint It's working on Windows and macOS because the chain is being verified by the platform verifier, while on Linux we use our own. We do support critical name constraints, but this certificate also has a DN constraint, regrettably, which we don't support (#15196). They're a huge headache, but if they're showing up in the WebPKI we might have to bite the bullet and support them.
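Added example (not code from this issue or from the Go project) that reproduces the situation described in the comment above without network access: it builds a constructed chain whose intermediate carries a critical NameConstraints extension with both a dNSName and a directoryName subtree, shows that crypto/x509 records OID 2.5.29.30 in UnhandledCriticalExtensions for that certificate only (the triage step from the thread), shows Verify failing the way crypto/tls does on Linux, and then applies a deliberately narrow workaround instead of InsecureSkipVerify. The chain, every name in it (Constructed Test Root, example.com, C=IT/O=Example) and the helpers buildChain, verifyChain and verifyIgnoringDNConstraints are this example's own inventions. Needs Go 1.18+ for the generic must helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-nameConstraints (RFC 5280, 4.2.1.10).
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}
// Just enough of NameConstraints / GeneralSubtree to build the extension by hand (permitted only).
type generalSubtree struct{ Base asn1.RawValue }
type nameConstraints struct {
	Permitted []generalSubtree `asn1:"optional,tag:0"`
}
type chain struct{ Root, Intermediate, Leaf *x509.Certificate }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// nameConstraintsWithDN returns a critical NameConstraints extension whose permitted subtrees hold a
// dNSName ([2]) and a directoryName ([4] EXPLICIT Name). crypto/x509 parses dNSName, rfc822Name,
// iPAddress and URI subtrees only, so the directoryName makes it mark the extension unhandled (#15196).
func nameConstraintsWithDN(dnsSuffix string, permittedDN pkix.Name) pkix.Extension {
	dnDER := must(asn1.Marshal(permittedDN.ToRDNSequence()))
	val := must(asn1.Marshal(nameConstraints{Permitted: []generalSubtree{
		{Base: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(dnsSuffix)}},
		{Base: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: dnDER}},
	}}))
	return pkix.Extension{Id: oidNameConstraints, Critical: true, Value: val}
}

// buildChain makes a throwaway root -> DN-constrained intermediate -> leaf chain; all names are made up.
func buildChain() *chain {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := func(serial int64, cn string, extra ...pkix.Extension) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign, ExtraExtensions: extra}
	}
	issue := func(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		if parent == nil { // self-signed root
			parent, signer = tmpl, key
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
		return must(x509.ParseCertificate(der)), key
	}
	root, rootKey := issue(ca(1, "Constructed Test Root"), nil, nil)
	permittedDN := pkix.Name{Country: []string{"IT"}, Organization: []string{"Example"}}
	inter, interKey := issue(ca(2, "Constructed Test Intermediate", nameConstraintsWithDN("example.com", permittedDN)), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), NotBefore: notBefore, NotAfter: notAfter, DNSNames: []string{"www.example.com"},
		Subject:      pkix.Name{Country: []string{"IT"}, Organization: []string{"Example"}, CommonName: "www.example.com"},
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return &chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyChain does what crypto/tls does on Linux: leaf.Verify against our roots with the server-sent
// intermediates. The intermediate's unhandled extension surfaces wrapped in an UnknownAuthorityError.
func verifyChain(ch *chain, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	_, err := ch.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// verifyIgnoringDNConstraints is a narrow workaround (this example's own, not a Go API): copy each
// certificate, drop only the NameConstraints OID from UnhandledCriticalExtensions, then verify normally.
// Hostname, chain, validity and the dNSName subtrees Go did parse are still enforced; only the
// directoryName subtree goes unchecked. Any other unhandled critical extension still fails.
func verifyIgnoringDNConstraints(ch *chain, host string) error {
	strip := func(c *x509.Certificate) *x509.Certificate {
		cc := *c
		cc.UnhandledCriticalExtensions = nil
		for _, oid := range c.UnhandledCriticalExtensions {
			if !oid.Equal(oidNameConstraints) {
				cc.UnhandledCriticalExtensions = append(cc.UnhandledCriticalExtensions, oid)
			}
		}
		return &cc
	}
	return verifyChain(&chain{Root: strip(ch.Root), Intermediate: strip(ch.Intermediate), Leaf: strip(ch.Leaf)}, host)
}

func main() {
	ch := buildChain()
	fmt.Println("intermediate unhandled critical OIDs:", ch.Intermediate.UnhandledCriticalExtensions)
	fmt.Println("strict verify:", verifyChain(ch, "www.example.com"))
	fmt.Println("ignoring DN constraints:", verifyIgnoringDNConstraints(ch, "www.example.com"))
}
```

The strict Verify fails with an UnknownAuthorityError whose message quotes "x509: unhandled critical extension" for the intermediate, which is what crypto/tls reports on Linux. To wire the workaround into a real client you would set InsecureSkipVerify: true in the tls.Config and do the verification yourself in VerifyPeerCertificate, parsing rawCerts and applying the same strip-then-Verify logic with a fixed root pool; that keeps hostname, expiry, chain and the parsed DNS constraints enforced and only accepts the specific, inspected risk that the directoryName subtree is not checked, which is much less than what a bare InsecureSkipVerify gives up.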
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
I call an Italian government web service to fetch company information.
IMPORTANT: I don't know when this started to fail (the service is rarely used in production)
It works without issues on a Windows 11 x64 development laptop.
REPRO:
https://go.dev/play/p/rBzkcc1XgDP
What did you expect to see?
a JSON response
What did you see instead?
"x509: unhandled critical extension" error