Yes - looks like it is for slightly different reasons. Apple have decided on a new policy for verifying certificates and the certificate must have either two (younger certs) or three (older certs) valid SCTs. I suspect that you could re-issue your cert to comply with this, but I am not sure about your mechanism for this. It seems though that even if Go 1.18 was patched to let such a failure through - and it isn’t clear that it should be, as per the TODO - that it would not help with AWS as it seems that they don’t have ANY SCTs in their certificates. AWS will have to re-issue probably all their certificates, which leaves some of us a bit screwed for a while.
This isn’t my area of expertise, but it seems that perhaps Apple have been a bit too aggressive on this. I hazard a guess that what they have implemented is likely correct, but if a company such as Apple makes such a change, I think they should have made more noise about it, so that other companies knew about the change. So, a combination of OSX 12.3 with Go 1.18 will trigger this, unless you have the ability to re-issue certificates with the requisite number of SCTs. I have no control over most AWS certificates - they are issued by AWS, for AWS. So now, I will have to ask AWS if they can do anything about it. But I can’t see them re-issuing certificates for all their myriad services, overnight.

Jim

PS: I quote the ticket you raised, in case it is useful to others: https://github.com/golang/go/issues/51991

On Mar 29, 2022 at 2:48:34 AM, Davanum Srinivas <dava...@gmail.com> wrote:

> Jim,
>
> Looks like we ended up seeing the same problem in a kubernetes test case as well:
> https://github.com/kubernetes/kubernetes/issues/108956
>
> -- Dims
>
> On Thu, Mar 24, 2022 at 2:09 AM Jim Idle <j...@idle.ws> wrote:
>
>> Having just upgraded to 1.18, I find that quite a few encrypted connections, for instance https to a Neptune instance on AWS, now fail with:
>>
>> x509: “*.xxxxxxxxx.neptune.amazonaws.com” certificate is not standards compliant
>>
>> It seems to be related to this comment:
>>
>> https://cs.opensource.google/go/go/+/master:src/crypto/x509/root_darwin.go;l=52
>>
>> I don’t immediately see anything on how to get around this via google searches, though I see some changelists concerning x509 for 1.18. I am not able to change the Neptune certificate, which may indeed not be quite standards compliant, as the error message suggests. However, it is not just Neptune - I see some people having issues with redis for instance.
>>
>> Apologies if this has been addressed somewhere that I have not found.
>> Perhaps with more time, I will find some workaround or solution, but I thought asking here may help.
>>
>> Any input/workarounds appreciated, as well as any insight into the reason for change.
>>
>> Jim
>>
>> --
>> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGPPfg-PtW7dqeNKo72fvLsLZ1Qg2i_AwmUBJcTGMNgeHUhfCA%40mail.gmail.com
>
> --
> Davanum Srinivas :: https://twitter.com/dims
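The thread above turns on how many Signed Certificate Timestamps a server certificate embeds, and the replies only describe the rule in words. The following Go program is an added example written for this page; it is not code from Jim, Dims, the Go project, Apple or AWS. It parses the RFC 6962 embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) out of an x509.Certificate, counts the entries with proper length checking, applies the two-or-three rule as the thread states it, and mints a throwaway self-signed certificate with placeholder SCTs so the whole thing runs offline. Everything not on the page is an assumption of this example: the 180-day boundary between "younger" and "older" certificates, the placeholder SCT bytes, the name example.invalid, and the function names CountEmbeddedSCTs, ParseSCTList, RequiredSCTs, SelfSignedWithSCTs and fakeSCT.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SignedCertificateTimestampList extension (RFC 6962, section 3.3).
var oidEmbeddedSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// CountEmbeddedSCTs returns the number of SCTs in the embedded list extension,
// or 0 with no error when the extension is absent (what the thread reports for AWS).
func CountEmbeddedSCTs(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCTList) {
			// The extension value is a DER OCTET STRING wrapping the TLS-encoded list.
			var list []byte
			if rest, err := asn1.Unmarshal(ext.Value, &list); err != nil || len(rest) != 0 {
				return 0, fmt.Errorf("SCT extension is not a single OCTET STRING: %v", err)
			}
			return ParseSCTList(list)
		}
	}
	return 0, nil
}

// ParseSCTList walks an RFC 6962 SignedCertificateTimestampList (uint16 total length,
// then uint16-length-prefixed SCTs), counting entries and rejecting broken framing.
func ParseSCTList(b []byte) (int, error) {
	if len(b) < 2 || int(b[0])<<8|int(b[1]) != len(b)-2 {
		return 0, fmt.Errorf("SCT list length prefix does not match %d bytes", len(b))
	}
	n := 0
	for b = b[2:]; len(b) >= 2; n++ {
		l := int(b[0])<<8 | int(b[1])
		if l == 0 || l > len(b)-2 {
			return 0, fmt.Errorf("SCT %d has invalid length %d", n+1, l)
		}
		b = b[2+l:]
	}
	if len(b) != 0 {
		return 0, fmt.Errorf("truncated length prefix after SCT %d", n)
	}
	return n, nil
}

// RequiredSCTs applies the count rule as the thread describes it: two SCTs for younger
// (short-lived) certificates, three for older ones. The 180-day line is this example's assumption.
func RequiredSCTs(cert *x509.Certificate) int {
	if cert.NotAfter.Sub(cert.NotBefore) <= 180*24*time.Hour {
		return 2
	}
	return 3
}

// fakeSCT returns one length-prefixed list entry laid out like a v1 SCT (version, 32-byte
// log ID, timestamp, empty extensions, signature stub). Constructed bytes; verify against no log.
func fakeSCT(seed byte) []byte {
	sct := append([]byte{0, seed}, make([]byte, 31)...)                     // v1; log ID begins with seed
	sct = append(sct, 0, 0, 1, 0x7f, 0xd1, 0xc2, 0x0e, 0, 0, 0, 4, 3, 0, 8) // timestamp, no extensions, sha256/ecdsa, sig len
	sct = append(sct, 0x30, 6, 2, 1, 1, 2, 1, 2)                           // dummy DER ECDSA signature
	return append([]byte{byte(len(sct) >> 8), byte(len(sct))}, sct...)
}

// SelfSignedWithSCTs mints a throwaway self-signed certificate carrying n
// placeholder SCTs (n == 0 omits the extension) so the checks run offline.
func SelfSignedWithSCTs(n int, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(lifetime),
	}
	if n > 0 {
		var body []byte
		for i := 0; i < n; i++ {
			body = append(body, fakeSCT(byte(i+1))...)
		}
		val, err := asn1.Marshal(append([]byte{byte(len(body) >> 8), byte(len(body))}, body...))
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCTList, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real endpoint, dial it with crypto/tls and hand conn.ConnectionState().PeerCertificates[0] to CountEmbeddedSCTs; do that from a Linux host, or with InsecureSkipVerify set for the diagnostic only, because on macOS Go's verifier defers to the platform and rejects the chain before the program ever sees the leaf. Two caveats: the counter only looks at the embedded form, while RFC 6962 also allows SCTs to arrive in a TLS extension or via OCSP stapling, and it does not check that the SCTs come from distinct, currently accepted logs, so a certificate passing this count can still be refused by a stricter platform policy.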