Default TLS cert uses negative serial number #895
Comments
|
Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it. Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount. Related: microsoft/go-mssqldb#217 |
I created my own cert as part of a custom image. and mssql.conf looks like: |
|
To workaround after upgrade to go1.23, we can enable the go 1.23
godebug (
x509negativeserial=1
) |
See microsoft/go-mssqldb#217 , microsoft/mssql-docker#895 The mssql tests currently fail with the error:"TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number"
Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]>
Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]>
Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]>
* Port genkey command from enki as part of kairos-io/kairos#1633 Signed-off-by: Dimitris Karakasilis <[email protected]> * Port genkey e2e test and don't use viper Signed-off-by: Dimitris Karakasilis <[email protected]> * Run the genkey tests in CI Signed-off-by: Dimitris Karakasilis <[email protected]> * Allow certs with negative serial numbers Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]> * Remove focus Signed-off-by: Dimitris Karakasilis <[email protected]> --------- Signed-off-by: Dimitris Karakasilis <[email protected]>
The default certificate created by the docker container sometimes contains a negative serial number.
A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.
As of Golang 1.23,
x509.ParseCertificateexplicitly rejects these certificates, this impactsmicrosoft/go-mssqldbsuch that it can no longer connect to the docker container due to the the invalid certificate.I think the proper place to fix this is in the docker repo, a TLS cert with an invalid serial number is not a valid TLS cert.
See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509
The text was updated successfully, but these errors were encountered: