
Default TLS cert uses negative serial number #895

Open
sblackstone opened this issue Aug 27, 2024 · 3 comments

Comments


sblackstone commented Aug 27, 2024

The default certificate created by the docker container sometimes contains a negative serial number.

A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.

As of Golang 1.23, x509.ParseCertificate explicitly rejects these certificates; this impacts microsoft/go-mssqldb such that it can no longer connect to the docker container due to the invalid certificate.

I think the proper place to fix this is in the docker repo, a TLS cert with an invalid serial number is not a valid TLS cert.

See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509
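The following is an added example, not code from this issue thread, from the mssql docker image or from go-mssqldb. It shows how to confirm the problem described above on a concrete certificate: it reads only the serialNumber INTEGER out of the DER structure with encoding/asn1, so it can still report the sign of the serial on a certificate that x509.ParseCertificate in Go 1.23+ refuses to parse. The struct names tbsPrefix and certShell, and the BuildSampleCert scaffolding that fabricates an unsigned certificate skeleton for demonstration, are assumptions made for this example; a real file such as the /etc/ssl/certs/mssql.pem generated in the Dockerfile later in this thread can be fed to HasNegativeSerialPEM instead.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// tbsPrefix declares only the leading fields of TBSCertificate (RFC 5280 4.1.2).
// encoding/asn1 tolerates undeclared trailing fields in a SEQUENCE, so the
// rest of a real certificate is simply skipped. (Hypothetical name for this example.)
type tbsPrefix struct {
	Version      int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber *big.Int
}

// certShell mirrors the outer Certificate SEQUENCE; the TBS is kept raw so no
// field beyond the serial is ever validated. (Hypothetical name for this example.)
type certShell struct {
	TBS                asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// SerialNumberOf returns the serialNumber of a DER-encoded certificate without
// going through x509.ParseCertificate, which rejects negative serials in Go 1.23+.
func SerialNumberOf(der []byte) (*big.Int, error) {
	var shell certShell
	rest, err := asn1.Unmarshal(der, &shell)
	if err != nil {
		return nil, fmt.Errorf("outer Certificate: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing data after Certificate")
	}
	var tbs tbsPrefix
	if _, err := asn1.Unmarshal(shell.TBS.FullBytes, &tbs); err != nil {
		return nil, fmt.Errorf("TBSCertificate: %w", err)
	}
	return tbs.SerialNumber, nil
}

// HasNegativeSerial reports whether the DER INTEGER holding the serial has its
// sign bit set, i.e. the encoder omitted the leading 0x00 byte that DER
// requires for a positive value whose top bit is 1. RFC 5280 requires a
// positive serial, and Go 1.23 enforces that at parse time.
func HasNegativeSerial(der []byte) (bool, error) {
	serial, err := SerialNumberOf(der)
	if err != nil {
		return false, err
	}
	return serial.Sign() < 0, nil
}

// HasNegativeSerialPEM runs the same check over a PEM file's first CERTIFICATE block.
func HasNegativeSerialPEM(pemData []byte) (bool, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in PEM input")
	}
	return HasNegativeSerial(block.Bytes)
}

// BuildSampleCert fabricates a structurally minimal, unsigned certificate
// carrying the given serial. It is constructed test scaffolding for this
// example, not a usable certificate: the signature is a dummy single byte.
func BuildSampleCert(serial *big.Int) []byte {
	tbsDER, err := asn1.Marshal(tbsPrefix{Version: 2, SerialNumber: serial})
	if err != nil {
		panic(err)
	}
	certDER, err := asn1.Marshal(certShell{
		TBS: asn1.RawValue{FullBytes: tbsDER},
		// sha256WithRSAEncryption OID, purely to make the shell look like a real certificate.
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}},
		SignatureValue:     asn1.BitString{Bytes: []byte{0}, BitLength: 8},
	})
	if err != nil {
		panic(err)
	}
	return certDER
}

func main() {
	// One well-formed serial and one with the sign bit set, as a server that
	// mis-encodes a random serial would emit it.
	for _, serial := range []*big.Int{big.NewInt(0x1234), big.NewInt(-0x1234)} {
		neg, err := HasNegativeSerial(BuildSampleCert(serial))
		fmt.Printf("serial %s: negative=%v err=%v\n", serial, neg, err)
	}
}
```

Because the check bypasses x509.ParseCertificate, it needs no GODEBUG setting and works the same on Go versions before and after 1.23, which makes it suitable for a startup probe that refuses to bring a client up against a container whose generated certificate would be rejected.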


giautm commented Aug 27, 2024

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.

Do we have any way to work around this before the issue gets fixed? Like running a command to re-generate the certs, or providing a custom one via mount.

Related: microsoft/go-mssqldb#217


sblackstone commented Aug 27, 2024

> Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.
>
> Do we have any way to work around this before the issue gets fixed? Like running a command to re-generate the certs, or providing a custom one via mount.
>
> Related: microsoft/go-mssqldb#217

I created my own cert as part of a custom image.

```dockerfile
RUN openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout /etc/ssl/private/mssql.key -out /etc/ssl/certs/mssql.pem -days 365
RUN chmod 400 /etc/ssl/private/mssql.key
RUN chmod 400 /etc/ssl/certs/mssql.pem
RUN mkdir -p /var/opt/mssql
COPY mssql.conf /var/opt/mssql/mssql.conf
```

and mssql.conf looks like:

```ini
[network]
tlscert = /etc/ssl/certs/mssql.pem
tlskey = /etc/ssl/private/mssql.key
tlsprotocols = 1.2
forceencryption = 1
```


giautm commented Sep 4, 2024

To work around this after upgrading to go1.23, we can enable the x509negativeserial setting using the godebug directive in the go.mod file.

```go
go 1.23

godebug (
	x509negativeserial=1
)
```
