crypto/tls: alertError not wrapped in exported AlertError #71500

@tobyjwebb

Go version

go version go1.23.5 linux/amd64 (also tested with go version devel go1.24-ce7ea0a Thu Jan 30 13:39:38 2025 -0800 linux/amd64)

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/DATA/data/tools/go/pkg/mod'
GONOPROXY='<...>'
GONOSUMDB='<...>'
GOOS='linux'
GOPATH='/home/user/DATA/data/tools/go'
GOPRIVATE='<...>'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.5'
GODEBUG=''
GOTELEMETRY='on'
GOTELEMETRYDIR='/home/user/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/user/gotests/reproduce_errors_as_tls/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build622328545=/tmp/go-build -gno-record-gcc-switches'

What did you do?

As part of a project I'm working on, I need to detect any TLS issue that occurs while making an HTTP request. I want to use errors.As() to detect any of the publicly-defined errors in the crypto/tls package, but it seems that when the error is wrapped, it's wrapping an unexported error (alert), instead of the exported error (AlertError).

An example of when this is thrown is:

var errCertificateInvalid x509.CertificateInvalidError
if errors.As(err, &x509.UnknownAuthorityError{}) {
	c.sendAlert(alertUnknownCA)

In this playground I provide an example of what is happening, loosely copying the standard library's logic:

https://go.dev/play/p/C86SGCqYXCh

(This could probably be fixed easily by using something like c.sendAlert(AlertError(alertUnknownCA)) or similar in the standard library)

What did you see happen?

GOOD: error is an AlertError
BAD: error is not an AlertError

What did you expect to see?

GOOD: error is an AlertError
GOOD: error is an AlertError
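
The mismatch described in this report, reduced to a self-contained program. This is an added example, not code from the original issue, its playground link, or the Go standard library. `alert` and `AlertError` are local stand-ins redeclared for the example, the helpers `wrapUnexported`, `wrapExported` and `asAlertError` are hypothetical names, and `fmt.Errorf` with `%w` is assumed as the wrapping mechanism.

```go
package main

import (
	"errors"
	"fmt"
)

// alert is a local stand-in for the unexported crypto/tls alert type
// named in the issue (redeclared here; not the standard library's code).
type alert uint8

func (a alert) Error() string { return fmt.Sprintf("tls: alert(%d)", uint8(a)) }

// AlertError is a local stand-in for the exported type: same underlying
// type as alert, but a distinct named type.
type AlertError uint8

func (e AlertError) Error() string { return alert(e).Error() }

// 48 is the unknown_ca alert code in the TLS alert registry.
const alertUnknownCA alert = 48

// wrapUnexported models the reported behaviour: the unexported type is wrapped.
func wrapUnexported(a alert) error { return fmt.Errorf("remote error: %w", a) }

// wrapExported models the fix suggested in the issue: convert before wrapping.
func wrapExported(a alert) error { return fmt.Errorf("remote error: %w", AlertError(a)) }

// asAlertError reports whether err's chain contains an AlertError.
// errors.As matches on the dynamic type of each error in the chain, so a
// wrapped alert never matches, even though both types are uint8 underneath.
func asAlertError(err error) (AlertError, bool) {
	var ae AlertError
	ok := errors.As(err, &ae)
	return ae, ok
}

func main() {
	for _, err := range []error{wrapExported(alertUnknownCA), wrapUnexported(alertUnknownCA)} {
		if ae, ok := asAlertError(err); ok {
			fmt.Printf("GOOD: error is an AlertError (%d)\n", uint8(ae))
		} else {
			fmt.Println("BAD: error is not an AlertError")
		}
	}
}
```
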

Labels: BugReport (Issues describing a possible bug in the Go implementation.), NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
