[go-nuts] TLS negotiation bug in go1.21.4?

2024-01-10 Thread Andrew Athan
As you can see in the below output from pprof, the golang TLS implementation seems to be in some kind of tight loop in crypto/internal/bigmod.addMulVVW2048 causing CPU starvation, wherein the net.HTTP server stops calling my request handler. Eventually the TLS handshakes fail, and the connectio

[go-nuts] TLS 1.3 Implementation Ignores Key Usage

2023-05-04 Thread 'Eno Compton' via golang-nuts
Doing some work with TLS 1.3 in both Go and Java, I recently found that Go ignores Key Usage status flags. On the other hand, Java's implementation checks key usage following the RFC. I'm thinking in particular abou

[go-nuts] tls panic inside /usr/local/go/src/crypto/tls/conn.go

2023-02-10 Thread Andrew Athan
panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x5d073c] goroutine 4133611 [running]: crypto/tls.(*Conn).handshakeContext.func2() /usr/local/go/src/crypto/tls/conn.go:1441 +0xbc created by crypto/tls.(*Conn).ha

[go-nuts] TLS validation: implement OCSP and CRL verifiers in Go

2022-01-19 Thread Cossack Labs
Hi! Let us introduce you to a new article written by Cossack Labs data security engineers for the dev community. This time we explore OCSP and CRL as certificate validation approaches, the TLS extensions that define them, and a simple Golang implementation. The article will be of help to Golang develope

[go-nuts] TLS ticket based session resumption

2021-07-19 Thread minc....@gmail.com
Hello, Is there any sample code for both client side and server side to demonstrate TLS ticket-based session resumption? I took a look at the tests in handshake_client_test.go; it just calls the "handshake" method twice. How does TLS session resumption work in a real-case scenario? Tha

[go-nuts] TLS Handshake Failure Logging

2020-10-09 Thread Erika B
Hi Gophers! Is there a way to get the subject of a client cert when the TLS handshake fails? We are getting spammed with TLS handshake errors and there is no easy way to see what clients are trying to authenticate. The remote address in the log is the load balancer IP. Ideally, we’d like to l

Re: [go-nuts] TLS dial error pkg variables - Best way to logically detect the type of tls failure

2020-06-08 Thread Kevin Chadwick
On 2020-06-08 01:49, Matt Harden wrote: > I suspect your (possibly wrapped) error will be of type > x509.UnknownAuthorityError, so you should be able to check for it with > errors.As: > > var uaerr x509.UnknownAuthorityError > if errors.As(err, &uaerr) { >   // handle as an unknown authority erro

Re: [go-nuts] TLS dial error pkg variables - Best way to logically detect the type of tls failure

2020-06-07 Thread Matt Harden
I suspect your (possibly wrapped) error will be of type x509.UnknownAuthorityError, so you should be able to check for it with errors.As: var uaerr x509.UnknownAuthorityError if errors.As(err, &uaerr) { // handle as an unknown authority error } On Tue, Jun 2, 2020 at 8:22 AM Kevin Chadwick wro

[go-nuts] TLS dial error pkg variables - Best way to logically detect the type of tls failure

2020-06-02 Thread Kevin Chadwick
I want my client application to behave differently depending upon whether the server is down or it is a "x509: certificate signed by unknown authority" condition. It seems there isn't an errors.Is (btw the dot syntax makes it difficult to google search!) I intend to just string match the returne

[go-nuts] TLS connection cannot be used after timeout of "SetDeadline"

2020-01-14 Thread petavy
Hi Gophers, I have client code which tests network transfer performance per second. For that I use "conn.SetDeadline(time.Second)". The performance testing is performed in a loop of 5 rounds where each round sets a "SetDeadline" and then does an io.Copy/ZeroReader to the server and counts the transfe

[go-nuts] TLS Cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

2019-12-10 Thread nasaproductions
Hi, does golang support TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ? -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view thi

Re: [go-nuts] tls: unsupported SSLv2 handshake received

2019-09-17 Thread Ian Lance Taylor
[ +filippo ] On Tue, Sep 17, 2019 at 1:14 AM Prabhash Rathore wrote: > > Hello, > > We run one of the large volume MTA (Mail Transfer Agent) servers which is > responsible for receiving emails from the internet. This SMTP server is > implemented in Golang. > > We notice around 2% of TLS connections

[go-nuts] tls: unsupported SSLv2 handshake received

2019-09-17 Thread Prabhash Rathore
Hello, We run one of the large volume MTA (Mail Transfer Agent) servers which is responsible for receiving emails from the internet. This SMTP server is implemented in Golang. We notice around 2% of TLS connections (clients use STARTTLS to upgrade a plain connection to TLS) fail with the following error

[go-nuts] TLS Trusted Certificate Authority (TCA) Extension Support

2019-02-11 Thread dan
Bear with me on this, as I explain where I'm coming from and where I'm trying to go. We've integrated Go into our code base as a separate service that communicates with some server code through TLS. For the most part, this worked flawlessly through Go 1.10. We were affected by some of the Go 1.

[go-nuts] TLS mutual auth: trusting a single client certificate?

2018-01-23 Thread snmed
Hi, As far as I understand, you can set this function VerifyPeerCertificate in the tls config and then verify the thumbprint of the client certificate. This method is only called when the client has a valid certificate. Cheers Sandro

[go-nuts] TLS mutual auth: trusting a single client certificate?

2018-01-23 Thread Jean-Francois Bibeau
Hi! I've had a successful TLS mutual authentication client/server setup in Go for a while, but now looking to make some small tweaks. Specifically, I'm wondering if there is a way to require only a specific client certificate for mutual auth. I'm currently using something like this: // Load

Re: [go-nuts] tls field in struct m

2017-10-31 Thread Ian Lance Taylor
On Tue, Oct 31, 2017 at 11:43 AM, wrote: > > I have one question about the tls field in the m struct. > > I see fs:0FFF8h is storing the pointer to the current g which is the > first element in the tls field. > > In the m struct, tls is a six-element pointer array. I see the last five > have 0 v

[go-nuts] tls field in struct m

2017-10-31 Thread melodyhuibo
Hi All, I have one question about the tls field in the m struct. I see fs:0FFF8h is storing the pointer to the current g which is the first element in the tls field. In the m struct, tls is a six-element pointer array. I see the last five have 0 value in them. I wonder what are these 5 element

Re: [go-nuts] TLS server to save client certificates after a request is received

2017-02-15 Thread Janne Snabb
The certificate byte stream is available in the Raw field of the Certificate struct. You can for example output received certificates PEM-encoded like this: for _, c := range r.TLS.PeerCertificates { pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) } Or you can just save

[go-nuts] TLS server to save client certificates after a request is received

2017-02-14 Thread Naveen Shivegowda
Hi, I need to store the client certificates in a file for further authentication purposes, but I am not able to re-form the client certificates. TLS.PeerCertificates has information related to client certificates, but it is separated into struct fields and is not present as a byte stream which could b

[go-nuts] tls: Optional client certificate authentication with VerifyClientCertIfGiven

2017-02-06 Thread sven . gerlach
Hi, I have a legacy application at hand that has an nginx as TLS offloader in front of it. Besides a simple frontend, the application offers an API including a PKI infrastructure (CSRs are pushed to the server, signed CRTs are returned). The nginx is configured to optionally request a client certific

[go-nuts] TLS handshake through net.Pipe()

2016-08-17 Thread Madhusudan C.S
I am writing some test code where I am creating `tls.Server()` and `tls.Client()` using the `Conn` pair returned by `net.Pipe()`. I have a few positive tests (where the Handshakes are expected to succeed) and a few negative tests (where the Handshakes are expected to fail). Each test sets up a `tls

Re: [go-nuts] TLS

2016-06-27 Thread Sam Whited
On Mon, Jun 27, 2016 at 9:42 AM, Konstantin Khomoutov wrote: > Sure, the standard package crypto/tls has tests, and your installation > of Go comes with full source code of the Go standard library. Reading the source is not the same as documentation or examples; please don't confuse the two. This

Re: [go-nuts] TLS

2016-06-27 Thread Konstantin Khomoutov
On Mon, 27 Jun 2016 20:04:52 +0600 Oleg Puchinin wrote: > Thank you, Dave! > Maybe you have a simple sample for me? > Server and client initialization. Sure, the standard package crypto/tls has tests, and your installation of Go comes with full source code of the Go standard library. -- You rec

Re: [go-nuts] TLS

2016-06-27 Thread Oleg Puchinin
Thank you, Dave! Maybe you have a simple sample for me? Server and client initialization. Oleg. 2016-06-27 16:53 GMT+06:00 Dave Cheney : > tls.Dial is what you should use. It's the same as net.Dial, except it > expects the remote end to speak TLS. > > On Monday, 27 June 2016 20:48:06 UTC+10, Oleg

Re: [go-nuts] TLS

2016-06-27 Thread Dave Cheney
tls.Dial is what you should use. It's the same as net.Dial, except it expects the remote end to speak TLS. On Monday, 27 June 2016 20:48:06 UTC+10, Oleg Puchinin wrote: > > I want to connect to my TCP server from my client using tls. > > 2016-06-27 16:44 GMT+06:00 Dave Cheney >: > >> If you want to ma

Re: [go-nuts] TLS

2016-06-27 Thread Oleg Puchinin
I want to connect to my TCP server from my client using tls. 2016-06-27 16:44 GMT+06:00 Dave Cheney : > If you want to make a connection to a server that speaks TLS, you can use > https://godoc.org/crypto/tls#Dial > > If you want to make a connection to a web server that uses HTTPS, the > net/http pac

Re: [go-nuts] TLS

2016-06-27 Thread Dave Cheney
If you want to make a connection to a server that speaks TLS, you can use https://godoc.org/crypto/tls#Dial If you want to make a connection to a web server that uses HTTPS, the net/http package does this automatically for you. If you can share some more details about what you are trying to do,

[go-nuts] TLS

2016-06-27 Thread Oleg Puchinin
Hello! How do I start using tls for a TCP connection? Oleg.