affected/package: crypto/tls cert.Verify does not work on Ubuntu 22.04

[CaledoniaProject]

What version of Go are you using (go version)?

$ go version
go version go1.20.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/root/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/root/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build63435269=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I have a golang program, I need to access a TLS port and get the following information

1. DNSNames from all peer certificates
2. Whether the certificate is valid

So I need to enable InsecureSkipVerify, but golang does not recognize the root certificate somehow. e.g curl believes www.bing.com has a valid certificate, but not according to x509.Verify.

My test code can verify the certificate on MacOS, but not on Ubuntu 22.04 server, does anyone know what's wrong?

# /root/go/bin/go run http-test.go
[] x509: certificate signed by unknown authority

Full source code

package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net"
	"time"
)

func main() {
	var (
		dialer net.Dialer
	)

	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()

	netConn, err := dialer.DialContext(ctx, "tcp", "www.bing.com:443")
	if err != nil {
		log.Fatalf(err.Error())
	}
	defer netConn.Close()

	conn := tls.Client(netConn, &tls.Config{
		InsecureSkipVerify: true,
	})
	if err := conn.Handshake(); err != nil {
		log.Fatalf(err.Error())
	}
	defer conn.Close()

	rootCerts, err := x509.SystemCertPool()
	if err != nil {
		log.Fatalf(err.Error())
	}

	for _, cert := range conn.ConnectionState().PeerCertificates {
		chain, err := cert.Verify(x509.VerifyOptions{
			DNSName: "www.bing.com",
			Roots:   rootCerts,
		})
		fmt.Println(chain, err)

		break
	}
}

What did you expect to see?

x509.Verify returns successfully

What did you see instead?

[] x509: certificate signed by unknown authority

[seankhliao]

The cert store only holds roots, your checking a leaf, missing the intermediates.
This is an incorrect usage of Verify, a proper example can be seen in crypto/tls.
MacOS hands it off to the system verifier.

Unlike many projects, the Go project does not use GitHub Issues for general discussion or asking questions. GitHub Issues are used for tracking bugs and proposals only.

For questions please refer to https://github.com/golang/go/wiki/Questions

[CaledoniaProject]

The example worked great for me: https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
I posted it here because no one is resolve this on stackoverflow.