Thanks for the additional info Jim. Thanks! In our case it's a unit test that we could control, but we just got worried about things in the wild like your case for sure when we ship a go1.18 based kubectl.

thanks, Dims

On Mon, Mar 28, 2022 at 8:41 PM Jim Idle <j...@idle.ws> wrote:

> Yes - looks like it is for slightly different reasons. Apple have decided on a new policy for verifying certificates and the certificate must have either two (younger certs) or three (older certs) valid SCTs. I suspect that you could re-issue your cert to comply with this, but I am not sure about your mechanism for this. It seems though that even if Go 1.18 was patched to let such a failure through - and it isn't clear that it should be, as per the TODO - that it would not help with AWS as it seems that they don't have ANY SCTs in their certificates. AWS will have to re-issue probably all their certificates, which leaves some of us a bit screwed for a while.
>
> This isn't my area of expertise, but it seems that perhaps Apple have been a bit too aggressive on this. I hazard a guess that what they have implemented is likely correct, but if a company such as Apple makes such a change, I think they should have made more noise about it, so that other companies knew about the change.
>
> So, a combination of OSX 12.3 with Go 1.18 will trigger this, unless you have the ability to re-issue certificates with the requisite number of SCTs. I have no control over most AWS certificates - they are issued by AWS, for AWS. So now, I will have to ask AWS if they can do anything about it. But I can't see them re-issuing certificates for all their myriad services, overnight.
>
> Jim
>
> PS: I quote the ticket you raised, in case it is useful to others:
>
> https://github.com/golang/go/issues/51991
>
> On Mar 29, 2022 at 2:48:34 AM, Davanum Srinivas <dava...@gmail.com> wrote:
>
>> Jim,
>>
>> Looks like we ended up seeing the same problem in a kubernetes test case as well:
>> https://github.com/kubernetes/kubernetes/issues/108956
>>
>> -- Dims
>>
>> On Thu, Mar 24, 2022 at 2:09 AM Jim Idle <j...@idle.ws> wrote:
>>
>>> Having just upgraded to 1.18, I find that quite a few encrypted connections, for instance https to a Neptune instance on AWS, now fail with:
>>>
>>> x509: “*.xxxxxxxxx.neptune.amazonaws.com” certificate is not standards compliant
>>>
>>> It seems to be related to this comment:
>>>
>>> https://cs.opensource.google/go/go/+/master:src/crypto/x509/root_darwin.go;l=52
>>>
>>> I don't immediately see anything on how to get around this via google searches, though I see some changelists concerning x509 for 1.18. I am not able to change the Neptune certificate, which may indeed not be quite standards compliant, as the error message suggests. However, it is not just Neptune - I see some people having issues with Redis for instance.
>>>
>>> Apologies if this has been addressed somewhere that I have not found. Perhaps with more time, I will find some workaround or solution, but I thought asking here may help.
>>>
>>> Any input/workarounds appreciated, as well as any insight into the reason for change.
>>>
>>> Jim
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGPPfg-PtW7dqeNKo72fvLsLZ1Qg2i_AwmUBJcTGMNgeHUhfCA%40mail.gmail.com.
>>
>> --
>> Davanum Srinivas :: https://twitter.com/dims
>
> --
> Davanum Srinivas :: https://twitter.com/dims

--
Davanum Srinivas :: https://twitter.com/dims