Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Default TLS cert uses negative serial number #895

Open
sblackstone opened this issue Aug 27, 2024 · 5 comments
Open

Default TLS cert uses negative serial number #895

sblackstone opened this issue Aug 27, 2024 · 5 comments

Comments

@sblackstone
Copy link

sblackstone commented Aug 27, 2024

The default certificate created by the docker container sometimes contains a negative serial number.

A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.

As of Golang 1.23, x509.ParseCertificate explicitly rejects these certificates, this impacts microsoft/go-mssqldb such that it can no longer connect to the docker container due to the the invalid certificate.

I think the proper place to fix this is in the docker repo, a TLS cert with an invalid serial number is not a valid TLS cert.

See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509

@giautm
Copy link

giautm commented Aug 27, 2024

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.

Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount.

Related: microsoft/go-mssqldb#217

@sblackstone
Copy link
Author

sblackstone commented Aug 27, 2024

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.

Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount.

Related: microsoft/go-mssqldb#217

I created my own cert as part of a custom image.

RUN openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout /etc/ssl/private/mssql.key -out /etc/ssl/certs/mssql.pem -days 365
RUN chmod 400 /etc/ssl/private/mssql.key
RUN chmod 400 /etc/ssl/certs/mssql.pem
RUN mkdir -p /var/opt/mssql
COPY mssql.conf /var/opt/mssql/mssql.conf

and mssql.conf looks like:

[network]
tlscert = /etc/ssl/certs/mssql.pem
tlskey = /etc/ssl/private/mssql.key
tlsprotocols = 1.2
forceencryption = 1

@giautm
Copy link

giautm commented Sep 4, 2024

To workaround after upgrade to go1.23, we can enable the x509negativeserial setting using godebug directive in the go.mod file.

go 1.23

godebug (
	x509negativeserial=1
)

Thiht added a commit to Thiht/transactor that referenced this issue Oct 2, 2024
See microsoft/go-mssqldb#217 , microsoft/mssql-docker#895
The mssql tests currently fail with the error:"TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number"
jimmykarily added a commit to kairos-io/AuroraBoot that referenced this issue Nov 11, 2024
Not sure why the asus certs have a negative serial number but they do.
If the asus box had that others might too, so we should better support
it. The alternative would be to generate certs with positive serial
number for the tests.

https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018
microsoft/mssql-docker#895 (comment)

Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/AuroraBoot that referenced this issue Nov 12, 2024
Not sure why the asus certs have a negative serial number but they do.
If the asus box had that others might too, so we should better support
it. The alternative would be to generate certs with positive serial
number for the tests.

https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018
microsoft/mssql-docker#895 (comment)

Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/AuroraBoot that referenced this issue Nov 12, 2024
Not sure why the asus certs have a negative serial number but they do.
If the asus box had that others might too, so we should better support
it. The alternative would be to generate certs with positive serial
number for the tests.

https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018
microsoft/mssql-docker#895 (comment)

Signed-off-by: Dimitris Karakasilis <[email protected]>
jimmykarily added a commit to kairos-io/AuroraBoot that referenced this issue Nov 12, 2024
* Port genkey command from enki

as part of kairos-io/kairos#1633

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Port genkey e2e test and don't use viper

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Run the genkey tests in CI

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Allow certs with negative serial numbers

Not sure why the asus certs have a negative serial number but they do.
If the asus box had that others might too, so we should better support
it. The alternative would be to generate certs with positive serial
number for the tests.

https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018
microsoft/mssql-docker#895 (comment)

Signed-off-by: Dimitris Karakasilis <[email protected]>

* Remove focus

Signed-off-by: Dimitris Karakasilis <[email protected]>

---------

Signed-off-by: Dimitris Karakasilis <[email protected]>
@j2gg0s
Copy link

j2gg0s commented Nov 22, 2024

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.
Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount.
Related: microsoft/go-mssqldb#217

I created my own cert as part of a custom image.

RUN openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout /etc/ssl/private/mssql.key -out /etc/ssl/certs/mssql.pem -days 365
RUN chmod 400 /etc/ssl/private/mssql.key
RUN chmod 400 /etc/ssl/certs/mssql.pem
RUN mkdir -p /var/opt/mssql
COPY mssql.conf /var/opt/mssql/mssql.conf

and mssql.conf looks like:

[network]
tlscert = /etc/ssl/certs/mssql.pem
tlskey = /etc/ssl/private/mssql.key
tlsprotocols = 1.2
forceencryption = 1

When generating certificates using OpenSSL, you can specify -set_serial to avoid potential overflow issues.

Thiht added a commit to Thiht/transactor that referenced this issue Dec 30, 2024
The `go:debug x509negativeserial=1` fixes the certificate issue with the mssql server image
See: microsoft/mssql-docker#895
@Thiht
Copy link

Thiht commented Dec 31, 2024

To workaround after upgrade to go1.23, we can enable the x509negativeserial setting using godebug directive in the go.mod file.

go 1.23

godebug (
x509negativeserial=1
)

In my case this didn't work because I connected to the mssql container from a _test file. The directive from the go.mod is apparently not used when running tests, not sure if it's a bug with go test or if it's a documented behaviour.

A working solution was to use the //go:debug x509negativeserial=1 directive before the first line (ie. before package xxx_test) in my test file instead of the go.mod directive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants