I don't know enough of your operational context, but for some organizations, someone hitting your servers with old certs like that could be considered a potentially malicious attack, and "working around it" by turning off the check might expose you to deeper vulnerabilities--that you might better wish to avoid.
On Thursday, June 12, 2025 at 4:42:01 AM UTC+1 Jason E. Aten wrote:
> Maybe the TLS clients are providing certs too, and those are old?
>
> On Thursday, June 12, 2025 at 4:33:55 AM UTC+1 Jason E. Aten wrote:
>
>> https://pkg.go.dev/crypto/x509#ParseCertificate
>>
>> https://stackoverflow.com/questions/79061981/failed-to-parse-certificate-from-server-x509-negative-serial-number
>>
>> https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/parser.go;l=926
>>
>> says
>>
>>     serial := new(big.Int)
>>     if !tbs.ReadASN1Integer(serial) {
>>         return nil, errors.New("x509: malformed serial number")
>>     }
>>     if serial.Sign() == -1 {
>>         if x509negativeserial.Value() != "1" {
>>             return nil, errors.New("x509: negative serial number")
>>         }
>>
>> so you could run tbs.ReadASN1Integer on your certs' serial numbers to see which, if any, are old...
>>
>> var tbs cryptobyte.String seems to imply it is using "golang.org/x/crypto/cryptobyte", so that code would be, in the v0.39.0 version,
>>
>> https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.39.0:cryptobyte/asn1.go;l=273
>>
>> On Wednesday, June 11, 2025 at 10:36:55 PM UTC+1 David Karr wrote:
>>
>>> This may be better asked in a k8s forum, but I'm not aware of a good one, and as I've never seen this anywhere but in Go applications, perhaps someone here will know about this.
>>>
>>> In our enterprise, we have a bunch of k8s clusters. I have a bunch of Go code using the k8s client api to get data from those clusters. For some reason, when I attempt to connect to some of those clusters, I get a "negative serial number" error. After some digging, I found that adding "godebug (x509negativeserial=1)" to your go.mod will work around this problem.
>>>
>>> The thing is, I also wrote some code that examines the cluster cert and its serial number, and in the cases where I've gotten this error, I've never found a serial number that was negative. Perhaps it's negative if it's assumed to be a limited number of bits? I have no idea.
>>>
>>> I also saw this error today when someone tried to run "helm" to get something on an external web site, and after I did "export GODEBUG=x509negativeserial=1", that resolved that problem.
>>>
>>> Anyone know anything about this?
>>>
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/397a7b61-a21f-4d5e-9f0c-4b85a2fa116fn%40googlegroups.com.
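A worked illustration of the two points raised in the quoted thread (Jason's suggestion to check the serial's sign the way the parser does, and David's guess that the sign depends on a limited number of bits), added here and not part of any message above: DER encodes INTEGER in two's complement, so a serial whose first content octet is 0x80 or higher and lacks a leading 0x00 pad decodes as negative even though tools that print the raw octets as hex show nothing negative. The code uses the standard library's encoding/asn1 rather than cryptobyte, builds a throwaway self-signed certificate as constructed input and rewrites its serial octet; the names inspectSerial and certPrefix are mine, not the Go project's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certPrefix maps only the leading fields; encoding/asn1 tolerates the SEQUENCE elements after them.
type certPrefix struct {
	TBS struct {
		Version asn1.RawValue `asn1:"optional,explicit,tag:0"` // EXPLICIT [0], absent in v1 certs
		Serial  asn1.RawValue
	}
}

// inspectSerial returns the serial's raw INTEGER content octets (what most tools print as the serial)
// and the value decoded with DER's two's-complement rule: a first octet >= 0x80 with no 0x00 pad is negative.
func inspectSerial(der []byte) (raw []byte, serial *big.Int, err error) {
	var c certPrefix
	if _, err = asn1.Unmarshal(der, &c); err != nil {
		return nil, nil, err
	}
	if _, err = asn1.Unmarshal(c.TBS.Serial.FullBytes, &serial); err != nil { // same sign rule crypto/x509 applies
		return nil, nil, err
	}
	return c.TBS.Serial.Bytes, serial, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample: throwaway self-signed cert, serial 1
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	good, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	bad := append([]byte(nil), good...) // same DER length, but octet 0x01 -> 0x81 decodes as -127 (signature breaks)
	bad[bytes.Index(bad, []byte{0xa0, 3, 2, 1, 2, 2, 1, 1})+7] = 0x81 // [0] v3 is followed by serial INTEGER 1
	for _, der := range [][]byte{good, bad} {
		raw, serial, ierr := inspectSerial(der)
		_, perr := x509.ParseCertificate(der) // rejected for bad unless GODEBUG=x509negativeserial=1
		fmt.Printf("serial octets=%x value=%v inspect error=%v ParseCertificate error=%v\n", raw, serial, ierr, perr)
	}
}
```

With a go.mod whose go directive is 1.23 or later, the second ParseCertificate call fails with "x509: negative serial number" unless GODEBUG=x509negativeserial=1 is set, while inspectSerial reports the octets and the decoded sign either way.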