Default TLS cert uses negative serial number #895
Comments
Hey @sblackstone, I have the same issue here. However, I noticed that the issue happens randomly during the boot process of the container: sometimes it generates the correct serial number and the client can connect to it. Do we have any way to work around this before the issue gets fixed, like running a command to re-generate the certs or providing a custom one via a mount? Related: microsoft/go-mssqldb#217
I created my own cert as part of a custom image, and mssql.conf looks like:
To work around this after upgrading to go1.23, we can enable the Go 1.23 godebug `x509negativeserial=1`.
See microsoft/go-mssqldb#217, microsoft/mssql-docker#895. The mssql tests currently fail with the error: "TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number"
Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]>
* Port genkey command from enki as part of kairos-io/kairos#1633
  Signed-off-by: Dimitris Karakasilis <[email protected]>
* Port genkey e2e test and don't use viper
  Signed-off-by: Dimitris Karakasilis <[email protected]>
* Run the genkey tests in CI
  Signed-off-by: Dimitris Karakasilis <[email protected]>
* Allow certs with negative serial numbers
  Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment)
  Signed-off-by: Dimitris Karakasilis <[email protected]>
* Remove focus
  Signed-off-by: Dimitris Karakasilis <[email protected]>
---------
Signed-off-by: Dimitris Karakasilis <[email protected]>
When generating certificates using OpenSSL, you can specify -set_serial to avoid potential overflow issues.
The `go:debug x509negativeserial=1` fixes the certificate issue with the mssql server image. See: microsoft/mssql-docker#895
In my case this didn't work because I connected to the mssql container from a A working solution was to use the
The default certificate created by the docker container sometimes contains a negative serial number.

A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.

As of Golang 1.23, `x509.ParseCertificate` explicitly rejects these certificates. This impacts microsoft/go-mssqldb such that it can no longer connect to the docker container due to the invalid certificate. I think the proper place to fix this is in the docker repo: a TLS cert with an invalid serial number is not a valid TLS cert.

See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509
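A small diagnostic for the situation described in this issue, added here as an example and not code from the mssql-docker or go-mssqldb projects. It reads the serial straight out of the DER with encoding/asn1, which still works where x509.ParseCertificate in Go 1.23+ refuses the cert, and reproduces a negative-serial certificate by patching a freshly generated one (Go's CreateCertificate will not emit one directly); the marker bytes and the -127 value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"time"
)

// Leading fields of Certificate/TBSCertificate (RFC 5280 4.1); encoding/asn1 skips trailing SEQUENCE members.
type certPrefix struct {
	TBS struct {
		Version      int `asn1:"optional,explicit,default:0,tag:0"`
		SerialNumber *big.Int
	}
}

// SerialFromDER reads the serial without x509.ParseCertificate, which Go 1.23+ may refuse outright.
func SerialFromDER(der []byte) (*big.Int, error) {
	var c certPrefix
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	return c.TBS.SerialNumber, nil
}

// negativeSerialCert mimics the broken container cert (constructed): CreateCertificate refuses negative
// serials, so serial 1 is signed and its sign bit flipped in the DER afterwards (parsing ignores the signature).
func negativeSerialCert() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	// The TBS starts with [0] EXPLICIT INTEGER 2 (v3) followed by INTEGER 1 (the serial).
	i := bytes.Index(der, []byte{0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01})
	if i < 0 {
		panic("serial not at the expected position")
	}
	der[i+7] = 0x81 // INTEGER 0x81 is two's complement for -127
	return der
}
```

Run SerialFromDER over the PEM-decoded bytes of the container's cert to tell the good boots from the bad ones before the client ever sees the handshake error.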