proposal: crypto/x509: Allow to pass flags to syscall.CertGetCertificateChain, when using TLS Transport under Windows #63238

Status: Open

Description

@jkroepke

Before writing the proposal here, I asked the community. However, we found no solution for this issue.

Ref: https://stackoverflow.com/questions/77098977/disable-certificate-revocation-check-for-specific-https-connections-on-windows


I'm working in an internet-restricted environment. For our internal services we are using Let's Encrypt certificates to avoid the overhead of an internal PKI.

I'm writing a Go program which collects information from all systems and sends the data to a central system. While this works fine for Linux systems, I have trouble on Windows systems.

It seems that Go is using the OS-native libraries to establish a secure connection for HTTPS requests.

Using the program below

package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
    "os"
)

func main() {
    // Fetch the URL given on the command line; on Windows the chain is
    // verified by the platform verifier (CryptoAPI).
    resp, err := http.Get(os.Args[1])
    if err != nil {
        log.Fatalln(err)
    }

    defer resp.Body.Close()
    htmlData, err := io.ReadAll(resp.Body)
    if err != nil {
        log.Fatalln(err)
    }
    fmt.Printf("%v\n", resp.Status)
    // Print the body verbatim; fmt.Printf would misinterpret any '%' in it.
    fmt.Print(string(htmlData))
}

I get this:

2023/09/13 16:19:03 Get "https://google.de": net/http: TLS handshake timeout

It seems like the native libraries try to contact the CRLs (which is not allowed) and the connection fails here. I inspected the traffic with Wireshark and saw an HTTP connection to r3.c.lencr.org with User-Agent CryptoAPI.

I can also verify this behavior using curl:

curl https://google.de
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

However, curl has the option --ssl-no-revoke to skip that specific revocation check. Running curl with this option works fine.

Looking at the source code of curl

https://github.com/curl/curl/blob/8e74c0729d0cace00a202fc6c33c1b35703e220a/lib/vtls/schannel.c#L474-L492

they are passing flags like

  • SCH_CRED_IGNORE_REVOCATION_OFFLINE (When checking for revoked certificates, ignore CRYPT_E_REVOCATION_OFFLINE errors. For additional restrictions, see Remarks.)

Source: https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred

I would like to have an option to set the flag in Go, too.

Rust also has support for defining such OS-native flags: https://github.com/rust-lang/cargo/blob/3ea3c3a27f49f4926ff32befe48f8b652cd755b2/src/cargo/sources/git/oxide.rs#L291
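For comparison, the following is an added example (editor's code, not part of the issue or of the Go project) showing the workaround that exists today without any new flag: when tls.Config.RootCAs is set, crypto/x509 verifies the chain with its own pure-Go verifier on every platform and never calls the platform verifier (syscall.CertGetCertificateChain on Windows), so no CRL download is attempted. The trade-off a practitioner should know is that the Go verifier performs no revocation checking at all, which is the same posture as curl's --ssl-no-revoke. The names newPinnedClient, fetchStatus and certToPEM are mine; the local httptest TLS server with its self-signed certificate stands in for the real endpoint so the program runs offline, and in the collector the root bundle would be read from a file instead.

```go
// Added example: pin the trust anchors so Go's own chain verifier is used
// instead of the Windows platform verifier (and its online CRL fetch).
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// newPinnedClient (hypothetical helper) returns an http.Client whose TLS
// connections are verified only against the PEM-encoded roots given here.
// Because RootCAs is non-nil, crypto/x509 does not consult the system
// verifier, so CryptoAPI is never asked to fetch a CRL. Caveat: the Go
// verifier does not check revocation, so that control must live elsewhere.
func newPinnedClient(rootsPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootsPEM) {
		return nil, errors.New("no valid PEM certificates found in root bundle")
	}
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			MinVersion: tls.VersionTLS12,
		},
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}, nil
}

// fetchStatus (hypothetical helper) performs a GET, drains the body and
// returns the HTTP status code.
func fetchStatus(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if _, err := io.Copy(io.Discard, resp.Body); err != nil {
		return 0, err
	}
	return resp.StatusCode, nil
}

// certToPEM (hypothetical helper) encodes a DER certificate as PEM, the
// format a root bundle file shipped with the collector would hold.
func certToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed stand-in for the real endpoint: a local TLS server with a
	// self-signed certificate generated by httptest, no network needed.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	defer srv.Close()

	// The default client has no pinned roots, so verification is left to the
	// platform (and fails here because the test certificate is self-signed).
	if _, err := fetchStatus(http.DefaultClient, srv.URL); err != nil {
		fmt.Println("default client:", err)
	}

	// Pin the server's own certificate as the trust anchor; in production this
	// would be the PEM root bundle read from disk.
	client, err := newPinnedClient(certToPEM(srv.Certificate().Raw))
	if err != nil {
		log.Fatalln(err)
	}
	status, err := fetchStatus(client, srv.URL)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("pinned client status:", status)
}
```

Running it prints the verification error from the default client followed by `pinned client status: 200`. The point for the proposal is that pinning sidesteps the platform verifier entirely rather than tuning it, which is why a flag on the Windows path would still be useful for programs that want to keep the system trust store and its revocation semantics.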


Labels: NeedsInvestigation, OS-Windows, Proposal, Proposal-Crypto