I'm +1 provided it works
________________________________
From: Zach Hoffman <[email protected]>
Sent: Saturday, March 21, 2020 19:58
To: [email protected] <[email protected]>
Subject: [EXTERNAL] Go version for TO

As Rawlin mentions in thread titled "Go version for components other than
TO", Traffic Ops has issues communicating with Riak when built with Go
versions 1.12 or higher. I looked a bit into why that is, and TO can
successfully use TLS 1.1 to communicate with Riak instead of TLS 1.2 (the
default). My update_go_1.13 branch includes the changes that are necessary
to make this work:

https://github.com/zrhoffman/trafficcontrol/commits/update_go_1.13

Let me explain why I am using TLS 1.1, and why TO using TLS 1.2 to
communicate with Riak KV version 2.2.3 is not an option for Go versions
1.12 and higher.

Riak KV 2.2.3 fails to work if the client sends it an unknown signature
algorithm in the "hello" message of the TLS 1.2 handshake (see related
Erlang bug from 2015: https://github.com/erlang/otp/pull/767 ). That is not
an issue in Go 1.11, which luckily uses signature algorithms
(https://go.googlesource.com/go/+/refs/tags/go1.11.13/src/crypto/tls/common.go#138)
that are all known to Riak.

In Go 1.12 (specifically in commit
https://go.googlesource.com/go/+/ee7e443389 ), signature algorithms are
added that are unknown to Riak, so TLS 1.2 cannot be used in Go versions >=
1.12 without patching the crypto/tls package, because the list of signature
algorithms sent to the server is hard-coded (see:
https://go.googlesource.com/go/+/refs/tags/go1.13.9/src/crypto/tls/handshake_client.go#116
).

On a side note, a proposal was accepted that lets you configure supported
signature algorithms (https://github.com/golang/go/issues/28660 ,
implemented in https://go.googlesource.com/go/+/5b17b65750 ), which lets
you choose the signature algorithm used for the TLS session. That is
different from the signature algorithm used in the handshake.

This makes TLS 1.1 the highest TLS version that can be used by Go versions
1.12 and higher to communicate with Riak KV 2.2.3, because signature
algorithms are a TLS 1.2 addition.

Does anyone have thoughts about updating the version of Go used to compile
Traffic Ops (and potentially the other components) and opting for TLS 1.1
for TO-Riak communication?

-Zach
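The handshake mechanics Zach describes above, as an added Go example (written for this page; it is not code from Zach's update_go_1.13 branch or from Traffic Control): a real crypto/tls client is pointed at one end of a net.Pipe so its ClientHello can be captured without dialing any Riak server, and the record is parsed far enough to report whether the signature_algorithms extension (type 13) is present and which schemes it carries, once with MaxVersion TLS 1.2 and once capped at TLS 1.1. The server name riak.example.invalid is a placeholder. Running it under the Go version you intend to build TO with lists exactly the schemes that toolchain hard-codes into the hello, which is the list the Riak side has to recognise.

```go
// Added example for this thread, not Traffic Control or Riak client code.
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// CaptureClientHello runs a real tls.Client pinned to [minVer, maxVer] against
// one end of a net.Pipe, reads the first record it writes, closes the pipe so
// the handshake fails (nothing is dialed) and parses the ClientHello from it.
// Since Go 1.18 the client default MinVersion is TLS 1.2, so a TLS 1.1 cap
// must lower MinVersion too or Handshake errors out before sending anything.
func CaptureClientHello(serverName string, minVer, maxVer uint16) (uint16, bool, []tls.SignatureScheme, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: minVer, MaxVersion: maxVer}
	clientEnd, serverEnd := net.Pipe()
	defer serverEnd.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		c := tls.Client(clientEnd, cfg)
		_ = c.Handshake() // expected to fail: we never answer
		c.Close()         // also gives our read EOF if nothing was ever sent
	}()
	hdr := make([]byte, 5) // record header: type, version, length
	if _, err := io.ReadFull(serverEnd, hdr); err != nil || hdr[0] != 0x16 {
		return 0, false, nil, fmt.Errorf("no handshake record (err=%v)", err)
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:5]))
	if _, err := io.ReadFull(serverEnd, body); err != nil {
		return 0, false, nil, err
	}
	serverEnd.Close() // client sees EOF and Handshake returns
	<-done
	return parseClientHello(body)
}

// reader is a cursor over TLS wire data; a short read sets bad and every
// later call returns nil, so callers check bad once.
type reader struct {
	b   []byte
	bad bool
}

func (r *reader) take(n int) (v []byte) {
	if r.bad = r.bad || len(r.b) < n; r.bad {
		return nil
	}
	v, r.b = r.b[:n], r.b[n:]
	return v
}

func (r *reader) vec(w int) []byte { // w-byte big-endian length, then that many bytes
	n := 0
	for _, c := range r.take(w) {
		n = n<<8 | int(c)
	}
	return r.take(n)
}

// parseClientHello walks RFC 5246 §7.4.1.2 to the extensions block and pulls
// out signature_algorithms (extension type 13, §7.4.1.4.1).
func parseClientHello(msg []byte) (ver uint16, hasSigAlgs bool, sigAlgs []tls.SignatureScheme, err error) {
	if len(msg) < 4 || msg[0] != 0x01 { // handshake type client_hello
		return 0, false, nil, fmt.Errorf("not a ClientHello")
	}
	r := &reader{b: msg[4:]}
	r.b = r.take(int(msg[1])<<16 | int(msg[2])<<8 | int(msg[3])) // keep only the 24-bit-length body
	v, _ := r.take(2), r.take(32)                                // client_version, random
	r.vec(1); r.vec(2); r.vec(1)                                 // session_id, cipher_suites, compression_methods
	if len(r.b) > 0 { // the extensions block is optional before TLS 1.2
		exts := &reader{b: r.vec(2)}
		for len(exts.b) > 0 && !exts.bad {
			typ, data := exts.take(2), exts.vec(2)
			if exts.bad || binary.BigEndian.Uint16(typ) != 13 {
				continue
			}
			hasSigAlgs = true
			sl := &reader{b: data}
			for list := sl.vec(2); len(list) >= 2; list = list[2:] {
				sigAlgs = append(sigAlgs, tls.SignatureScheme(binary.BigEndian.Uint16(list)))
			}
			exts.bad = exts.bad || sl.bad || len(data)%2 != 0 // 2-byte length + 2-byte pairs
		}
		r.bad = r.bad || exts.bad
	}
	if r.bad {
		return 0, false, nil, fmt.Errorf("malformed ClientHello")
	}
	return binary.BigEndian.Uint16(v), hasSigAlgs, sigAlgs, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS11} {
		fmt.Println(CaptureClientHello("riak.example.invalid", v, v)) // placeholder name, never dialed
	}
}
```

Two checks worth making before adopting the TLS 1.1 cap: since Go 1.18 the client's default MinVersion is TLS 1.2, so setting MaxVersion to tls.VersionTLS11 on its own makes Handshake fail with a version-range error before anything is sent, and MinVersion has to be lowered as well (the example does this); and the TLS 1.1 hello still carries other extensions (SNI, supported groups, and so on), so a server that chokes on unknown extensions rather than on unknown signature algorithms would not be helped by the version cap.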
