Description
Hello, I've found a behavior change in go1.9.x
What version of Go are you using (`go version`)?
This is a comparison between go version go1.9.5 linux/amd64, go version go1.10.1 linux/amd64 and go version go1.8.7 linux/amd64.
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (`go env`)?
It affects Linux; it can be reproduced using the golang Docker images.
What did you do?
I prepared a small POC with automated execution in CI: https://gitlab.com/nolith-tests/go-lang-tls-connection-state/blob/master/main.go
The relevant part is in this function:
```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/http"
	"runtime"
)

// dumpConnectionState sends an HTTPS HEAD request and prints every chain that crypto/tls verified.
func dumpConnectionState(url string) {
	fmt.Println("URL", url, "with", runtime.Version())
	r, err := http.Head(url)
	if err != nil {
		panic(err)
	}
	defer r.Body.Close()
	if r.TLS == nil { // plain http URL: there is no connection state to dump
		return
	}
	fmt.Println("VerifiedChains len", len(r.TLS.VerifiedChains))
	for i, verifiedChain := range r.TLS.VerifiedChains {
		fmt.Println("Chain #", i)
		for j, certificate := range verifiedChain {
			signature := hex.EncodeToString(certificate.Signature)
			fmt.Println("[", j, "] =>", certificate.Subject.CommonName, signature)
		}
	}
}
```
This function will perform an HTTPS HEAD request and then dump the VerifiedChains. In a vanilla Linux environment, this program behaves exactly the same whether compiled with go1.8.7 or go1.9.5.
But when the leaf certificate is added to /etc/ssl/certs/, go1.8 will still dump the whole chain, but go1.9 will print only the leaf certificate, skipping the rest of the chain.
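The crypto/x509 behaviour behind this can be reproduced offline. The following is an added example, not code from the POC: it builds a throwaway root and leaf, then verifies the leaf once with only the root trusted and once with the leaf itself also in the pool, which is what copying it into /etc/ssl/certs amounts to. The helper names (must, mkCert, demo) and the hostname www.example.test are my own, and the generic must helper assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a certificate for cn; with parent == nil it becomes a self-signed root CA.
func mkCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // root: mark as CA and sign with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demo verifies the leaf twice: with only the root trusted, then with the leaf itself also in the pool.
func demo() (rootOnly, leafToo int) {
	root, rootKey := mkCert("Demo Root CA", nil, nil, nil)
	leaf, _ := mkCert("www.example.test", []string{"www.example.test"}, root, rootKey)
	pool := x509.NewCertPool()
	verify := func() int { // the check crypto/tls runs to fill VerifiedChains; returns the chain length
		chains := must(leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "www.example.test"}))
		return len(chains[0])
	}
	pool.AddCert(root)
	rootOnly = verify() // leaf + root
	pool.AddCert(leaf) // same effect as copying the leaf into /etc/ssl/certs
	leafToo = verify() // Go 1.9 and later: only the leaf
	return
}
```

On Go 1.9 and later, Verify short-circuits when the leaf is already in the root pool and returns a single chain holding just that leaf, which is what the shorter VerifiedChains above reflects.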
The test has been automated with this `.gitlab-ci.yml` configuration.
What did you expect to see?
I did expect to have the same content in http.Response.TLS.VerifiedChains regardless of Go version.