Hi,


We have used golang 1.4 to create a Client on a Linux Machine.
We came across an issue while attempting to communicate to our Windows
Server using HTTPS.
On analysis, an error was thrown by the crypto/x509 package. The error was:
'x509: negative serial number'.

We generate & use a self-signed certificate at the Server. It was found
that the Serial Number of the Certificate was '*9*3:C0.....'.
Since golang assigns SerialNumber as big.Int (signed), it considers this to
be negative (1st digit is 1).

This doesn't seem to be a problem when using C++ or Objective C (which
don't seem to enforce this SerialNumber condition as strictly).

We were able to regenerate the self-signed certificate to have a positive
serial number in our test environment & it worked. But, this solution is
not scalable, as it will affect all our existing setups.

Hence, we searched for provisions in the golang API to override this
check, but were unsuccessful, as this seems to be an existing problem:
https://groups.google.com/forum/#!topic/golang-nuts/IYzJewF0HEY, http://code.google.com/p/go/issues/detail?id=8265

So, we opted for another solution. Since golang is open source, we
commented out the negative serial number check in the source package
crypto/x509/x509.go and recompiled the packages using all.bash.

Change made to : 'crypto/x509/x509.go'
__________________________________________________

func parseCertificate(in *certificate) (*Certificate, error) {
    ..
    ..

    // if in.TBSCertificate.SerialNumber.Sign() < 0 {
    //     return nil, errors.New("x509: negative serial number")
    // }

    ..
    ..
}

This solved our problem. And, the HTTPS communication was established from
our Linux Clients.


The following are my questions :

1. Will there be any repercussions if we comment out this check?

2. Is there any provision for this in golang that we may have missed out?
If not, is there any chance for it to be brought up in the near future?

3. Why is it that golang follows this strictly, while the older languages
neglect it? (C++ & Objective C, as far as I know)



Thanks,
Rangaraj

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
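
Added example, not part of the original post and not Go's own source: it shows why serial octets beginning with 0x93 decode as a negative DER INTEGER, and which octets an issuer has to emit to keep the same magnitude positive. The function names and the sample bytes after 93:C0 are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// derInteger wraps content octets in a DER INTEGER header (tag 0x02,
// short-form length, so fewer than 128 content octets).
func derInteger(content []byte) []byte {
	return append([]byte{0x02, byte(len(content))}, content...)
}

// parseSerial decodes the octets as a DER INTEGER, i.e. as a signed
// two's-complement number, which is how a strict parser reads a serial.
func parseSerial(content []byte) (*big.Int, error) {
	var n *big.Int
	rest, err := asn1.Unmarshal(derInteger(content), &n)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing data after INTEGER")
	}
	return n, nil
}

// positiveContent returns the octets an issuer has to emit for the same
// unsigned magnitude: a leading 0x00 when the top bit is set.
func positiveContent(magnitude []byte) []byte {
	if len(magnitude) > 0 && magnitude[0]&0x80 != 0 {
		return append([]byte{0x00}, magnitude...)
	}
	return magnitude
}

func main() {
	// Constructed sample: only the leading 93:C0 comes from the post.
	serial := []byte{0x93, 0xC0, 0x01}
	asIssued, _ := parseSerial(serial)
	fixed, _ := parseSerial(positiveContent(serial))
	fmt.Printf("as issued:  %v (sign %d)\n", asIssued, asIssued.Sign())
	fmt.Printf("re-encoded: %v (sign %d)\n", fixed, fixed.Sign())
}
```

Running the same sign check over an inventory of deployed certificates identifies which ones need to be reissued with a padded serial.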


  • Benjamin Thomas at Jul 8, 2015 at 1:57 pm
    Hello list,

    I ran into this issue myself trying to connect to HP printers over HTTPS.

    Recompiling go as suggested works but is very clunky IMO.

    Is there no other way to work around this issue?

  • Egon at Jul 8, 2015 at 2:05 pm

    On Wednesday, 8 July 2015 16:57:24 UTC+3, Benjamin Thomas wrote:
    Hello list,

    I ran into this issue myself trying to connect to HP printers over HTTPS.

    Recompiling go as suggested works but is very clunky IMO.

    Is there no other way to work around this issue?
    See issue https://github.com/golang/go/issues/8265

    The serial number MUST be positive per spec.
    Add comment to that issue that you've found an additional case.

  • Benjamin Thomas at Jul 8, 2015 at 7:54 pm
    Thanks for the feedback Egon, I commented on that issue as suggested.

    On Wednesday, 8 July 2015 16:05:00 UTC+2, Egon wrote:

    See issue https://github.com/golang/go/issues/8265

    The serial number MUST be positive per spec.
    Add comment to that issue that you've found an additional case.

Discussion Overview
group: golang-nuts
categories: go
posted: Apr 21, '15 at 10:23a
active: Jul 8, '15 at 7:54p
posts: 4
users: 3
website: golang.org
