Golang问题 x509: 无法验证签名: 在net/http上未实现的算法

huangapple go评论89阅读模式
英文:

Golang issue x509: cannot verify signature: algorithm unimplemented on net/http

问题

我正在写一个非常简单的 Golang 脚本,并使用这个库 golang-jenkins 来连接我们内部的 HTTPS 服务器。但是我遇到了以下的 x509 证书问题,不确定如何处理这个 x509 证书问题。我们的团队无法访问 Jenkins,想知道还有什么其他方法可以进一步了解这个问题。

使用 curl:

$ curl -v "https://jenkins.mydomain.com/api/json"
* Adding handle: conn: 0x7f8469004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8469004000) send_pipe: 1, recv_pipe: 0
* About to connect() to jenkins.mydomain.com port 443 (#0)
*   Trying 10.38.8.70...
* Connected to jenkins.mydomain.com (10.38.8.70) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: jenkins.mydomain.com
* Server certificate: MyDomain Server CA - 2014
* Server certificate: MyDomain Internal Root CA
> GET /api/json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: jenkins.mydomain.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 29 Jul 2014 05:03:45 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: JSESSIONID.214ca1a4=1ry000odf815goiv7vl8tr627;Path=/;Secure
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Jenkins: 1.554.3
< X-Jenkins-Session: c660ff91
英文:

I was writing a very simple Golang script and use this library golang-jenkins to connect with our internal HTTPS server. But I face the following x509 cert issue and wasn't sure what to do with the x509 cert problem. Our team has zero access to Jenkins and would like to know what else we can do to dig more about the issue.

$ go run jenkins.go 
2014/07/28 22:00:29 [] Get https://jenkins.mydomain.com/api/json: x509: certificate signed by unknown authority (possibly because of &quot;x509: cannot verify signature: algorithm unimplemented&quot; while trying to verify candidate authority certificate &quot;MyDomain Internal Root CA&quot;)

using curl:

$ curl -v &quot;https://jenkins.mydomain.com/api/json&quot;
* Adding handle: conn: 0x7f8469004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8469004000) send_pipe: 1, recv_pipe: 0
* About to connect() to jenkins.mydomain.com port 443 (#0)
*   Trying 10.38.8.70...
* Connected to jenkins.mydomain.com (10.38.8.70) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: jenkins.mydomain.com
* Server certificate: MyDomain Server CA - 2014
* Server certificate: MyDomain Internal Root CA
&gt; GET /api/json HTTP/1.1
&gt; User-Agent: curl/7.30.0
&gt; Host: jenkins.mydomain.com
&gt; Accept: */*
&gt; 
&lt; HTTP/1.1 200 OK
* Server nginx is not blacklisted
&lt; Server: nginx
&lt; Date: Tue, 29 Jul 2014 05:03:45 GMT
&lt; Content-Type: application/json;charset=UTF-8
&lt; Transfer-Encoding: chunked
&lt; Connection: keep-alive
&lt; Set-Cookie: JSESSIONID.214ca1a4=1ry000odf815goiv7vl8tr627;Path=/;Secure
&lt; Expires: Thu, 01 Jan 1970 00:00:00 GMT
&lt; X-Jenkins: 1.554.3
&lt; X-Jenkins-Session: c660ff91

答案1

得分: 7

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256在Go中目前存在问题,将在v1.4中得到支持,唯一的解决方法是降级TLS的MaxVersion。

快速查看golang-jenkins,它不允许指定要使用的http.Client,而是使用http.DefaultClient,降级TLS的MaxVersion的唯一丑陋的方法是覆盖http.DefaultClient.Transport

在尝试连接到任何内容之前,您应该能够在func init()中执行以下操作:

cfg := &tls.Config{
    MaxVersion:               tls.VersionTLS11, // 如果这个不起作用,请尝试tls.VersionTLS10
    PreferServerCipherSuites: true,
}

http.DefaultClient.Transport = &http.Transport{
    TLSClientConfig: cfg,
}

请记住,这将为直接使用http.DefaultClient的任何内容设置传输,例如http.Get,但是如果您使用自己的实例,那么就没问题。

关于该错误的讨论:https://groups.google.com/forum/#!topic/golang-nuts/oK3EBAY2Uig

英文:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is currently broken in Go, it will be supported in v1.4, the only workaround is to downgrade the TLS MaxVersion.

A quick look at golang-jenkins, it doesn't allow specifying the http.Client to use and just uses http.DefaultClient, the only ugly way to downgrade TLS's MaxVersion is to override http.DefaultClient.Transport.

You should be able to do something like this in func init() before you try to connect to anything:

cfg := &amp;tls.Config{
	MaxVersion:               tls.VersionTLS11, // try tls.VersionTLS10 if this doesn&#39;t work
	PreferServerCipherSuites: true,
}

http.DefaultClient.Transport = &amp;http.Transport{
	TLSClientConfig: cfg,
}

Keep in mind this will set the transport for anything that uses http.DefaultClient directly, like http.Get, however if you use your own instance, you will be fine.

Discussion about the bug: https://groups.google.com/forum/#!topic/golang-nuts/oK3EBAY2Uig

huangapple
  • 本文由 发表于 2014年7月29日 13:10:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/25008571.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定