Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: TLS connection problems due to cert verification failure #993

Closed
gopherbot opened this issue Aug 2, 2010 · 8 comments
Closed

crypto/x509: TLS connection problems due to cert verification failure #993

gopherbot opened this issue Aug 2, 2010 · 8 comments

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented Aug 2, 2010

by tav@espians.com:

There is an issue with the TLS certifcate verification mechanism. Trying to connect to
say
https://ampifyit.appspot.com (Google App Engine) with:

    cxn, _ := tls.Dial("tcp", "", "ampifyit.appspot.com:443")
    _, err := cxn.Write([]byte("GET / HTTP/1.1\r\n\r\n"))

    if err != nil {
        fmt.Printf("%s\n", err)
    }

Will result in the connection failing with a bad certificate alert:

    local error: bad certificate

The problem is caused by the following line in crypto/tls/ca_set:

        func (s *CASet) FindParent(cert *x509.Certificate) (parent *x509.Certificate) {
            if len(cert.AuthorityKeyId) > 0 {
=>              return s.bySubjectKeyId[string(cert.AuthorityKeyId)]
            }
            return s.byName[nameToKey(&cert.Issuer)]
        }

That is, it fails to find a match for the Authority Key Identifier in the CA set's
Subject Key Identifier -> Root Certificate mapping.

I'm slightly lost as to why it's happening. The certificate chain looks like:

    *.appspot.com
    Google Internet Authority
    Equifax Secure Certificate Authority

I initially thought that the problem might be due to the intermediate certificate, but
that doesn't seem to be the issue. The code seems to pass along the last certificate
in the received chain to the FindParent() call, and it works fine when the function
uses just the byName lookup:

  US/Equifax/Equifax Secure Certificate Authority

The issue seems to be when the CASet is parsed and loaded using SetFromPEM(). The
SubjectKeyId for the Equifax certificate in question doesn't match up.

It returns:

    04:14:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

When it should be:

    48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

I have no idea where the leading 04:14 appears from.

I'm guessing that the issue is somewhere in x509.parseCertificate()?

Or, perhaps, with the formatting of the CURL CA bundle that's used on OS X 10.5?
The ASCII matches up though...

            X509v3 Authority Key Identifier: 
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier: 
                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

Anyways, sorry to not be of more help — my ASN.1-fu is non-existent =(

Let me know if there's any other info I could provide.

-- Cheers, tav
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Aug 2, 2010

Comment 1:

You deleted the part of the bug report template which asked you to run "hg identify" and
include what version of Go you were using.
@gopherbot
Copy link
Author

@gopherbot gopherbot commented Aug 2, 2010

Comment 2 by tav@espians.com:

Sorry, I figured that OS X 10.5's Curl CA-bundle was the only relevant version
information — and many of the existing issues that I'd seen seemed to skip the "hg
identify" part when talking about the current tip...
In any case, hope this helps:
  revision: f207af8c2d29+ tip/master
  os: darwin
  arch: 386
@rsc
Copy link
Contributor

@rsc rsc commented Aug 2, 2010

Comment 3:

agl - feel free to flip back if you're overloaded

Owner changed to a...@golang.org.

@agl
Copy link
Contributor

@agl agl commented Aug 2, 2010

Comment 4:

Looks like I've screwed up. 0x0414 would be the ASN.1 for "here's a 20 byte OCTET
STRING".
Will fix tomorrow.
@agl
Copy link
Contributor

@agl agl commented Aug 3, 2010

@agl
Copy link
Contributor

@agl agl commented Aug 3, 2010

Comment 6:

This issue was closed by revision 7748a7f.

Status changed to Fixed.

@gopherbot
Copy link
Author

@gopherbot gopherbot commented Aug 3, 2010

Comment 7 by tav@espians.com:

Thanks for the quick fix Adam.
-- impressed as ever, tav
@agl
Copy link
Contributor

@agl agl commented Aug 3, 2010

Comment 8:

(Do let me know if it doesn't actually solve the issue for you. I checked the output of
ParseCertificate, but I didn't try to connect to a GIA site.)
@gopherbot gopherbot added fixed labels Aug 3, 2010
@mikioh mikioh changed the title TLS connection problems due to cert verification failure crypto/x509: TLS connection problems due to cert verification failure Jan 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.