
crypto/x509: http.Response.TLS.VerifiedChains behavior changed in go1.9 #24685

Closed

Description

@nolith

Hello, I've found a behavior change in go1.9.x

What version of Go are you using (go version)?

This is a comparison between go version go1.9.5 linux/amd64, go version go1.10.1 linux/amd64 and go version go1.8.7 linux/amd64.

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

It affects Linux; it can be reproduced using the golang Docker images.

What did you do?

I prepared a small PoC with automated execution in CI.

https://gitlab.com/nolith-tests/go-lang-tls-connection-state/blob/master/main.go

The relevant part is in this function:

package main

import (
	"encoding/hex"
	"fmt"
	"net/http"
	"runtime"
)

// dumpConnectionState performs an HTTPS HEAD request against url and prints
// every verified chain from the TLS handshake, one certificate per line.
func dumpConnectionState(url string) {
	fmt.Println("URL", url, "with", runtime.Version())
	r, err := http.Head(url)
	if err != nil {
		panic(err)
	}
	defer r.Body.Close()
	// r.TLS is only set for HTTPS responses; guard against a plain-HTTP URL.
	if r.TLS == nil {
		panic("response did not come over TLS")
	}

	fmt.Println("VerifiedChains len", len(r.TLS.VerifiedChains))
	for i, verifiedChain := range r.TLS.VerifiedChains {
		fmt.Println("Chain #", i)
		for j, certificate := range verifiedChain {
			signature := hex.EncodeToString(certificate.Signature)
			fmt.Println("[", j, "] =>", certificate.Subject.CommonName, signature)
		}
	}
}

This function performs an HTTPS HEAD request and then dumps the VerifiedChains. In a vanilla Linux environment, this program behaves exactly the same whether compiled with go1.8.7 or go1.9.5.

But when the leaf certificate is added to /etc/ssl/certs/, go1.8 will still dump the whole chain, but go1.9 will print only the leaf certificate, skipping the rest of the chain.

The test has been automated with this .gitlab-ci.yml configuration.

What did you expect to see?

I expected to have the same content in http.Response.TLS.VerifiedChains regardless of Go version.

What did you see instead?

go 1.8.7 output
go 1.9.5 output
go 1.10.1 output

compare 1.8.7 and 1.9.5 outputs
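The following is an added, self-contained reproduction of the reported difference; it is not the reporter's PoC and not Go project code. Instead of copying a certificate into /etc/ssl/certs/ and making an HTTPS request, it generates a throwaway CA and a leaf for the hypothetical host "example.test" at run time and calls crypto/x509's Verify directly, which is the same call crypto/tls uses to populate http.Response.TLS.VerifiedChains. With only the CA as a trust anchor the full two-element chain comes back; once the leaf itself is in the root pool, go1.9 and later treat the leaf as its own trust anchor and return a one-element chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and returns the parsed certificate built from tmpl,
// signed by signerKey on behalf of parent (self-signed with the new key when signerKey is nil).
func newCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTestPKI builds a constructed, throwaway CA and a server leaf for the hypothetical
// host "example.test"; nothing here touches the system trust store.
func newTestPKI() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// chainLengths runs the Verify that crypto/tls uses to fill VerifiedChains and
// returns the length of each chain it accepted.
func chainLengths(leaf *x509.Certificate, roots *x509.CertPool) ([]int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots})
	if err != nil {
		return nil, err
	}
	lens := make([]int, len(chains))
	for i, chain := range chains {
		lens[i] = len(chain)
	}
	return lens, nil
}

// compareTrustStores verifies the leaf with only the CA trusted, then with the leaf
// itself also in the root pool (what copying it into /etc/ssl/certs/ amounts to).
func compareTrustStores() ([]int, []int, error) {
	ca, leaf, err := newTestPKI()
	if err != nil {
		return nil, nil, err
	}
	onlyCA := x509.NewCertPool()
	onlyCA.AddCert(ca)
	caOnly, err := chainLengths(leaf, onlyCA)
	if err != nil {
		return nil, nil, err
	}
	withLeaf := x509.NewCertPool()
	withLeaf.AddCert(ca)
	withLeaf.AddCert(leaf)
	leafTrusted, err := chainLengths(leaf, withLeaf)
	return caOnly, leafTrusted, err
}

func main() {
	caOnly, leafTrusted, err := compareTrustStores()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA only in roots:", caOnly, "| leaf also in roots:", leafTrusted)
}
```

The practical consequence for code that inspects VerifiedChains (issuer checks, pinning on an intermediate, logging the CA that vouched for a connection): once a leaf is present in the trust store it is the trust anchor, and the chain Go reports contains nothing above it, so such checks must not assume the CA will be there.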

Labels: FrozenDueToAge, NeedsInvestigation