
Support/embed go x509 fallback roots

Open jkroepke opened this issue 2 years ago • 4 comments

Request

Go 1.20 and higher provides a fallback for x509 certificate validation, if the system pool does not provide the correct certificates.

This can be enabled by importing

import _ "golang.org/x/crypto/x509roots/fallback"

Ref: https://pkg.go.dev/golang.org/x/crypto/x509roots/fallback

The usage for the fallback root can be enforced with GODEBUG=x509usefallbackroots=1.

Use case

I have some windows servers where I'm unable to use the system verifier to validate ssl connections.

Ref: https://github.com/golang/go/issues/63238

Defining an own truststore is the workaround for the issue above. It sounds great if go directly maintains an own embedded trust store out of the box.

jkroepke avatar Dec 19 '23 01:12 jkroepke

Hello there Jan-Otto 👋 Happy new year!

I'm looking forward to seeing how the upstream golang/go issue progresses, but wanted to ask if you're still blocked on this, and what the fix could look like. Would it be embedding the x509roots so you can build the Agent using the custom GODEBUG flag?

tpaschalis avatar Jan 12 '24 11:01 tpaschalis

Hey!

reading https://go.googlesource.com/go/+/master/src/crypto/x509/root.go?autodive=0%2F%2F#38,

import _ "golang.org/x/crypto/x509roots/fallback"

should be sufficient to resolve the issue. No more settings need to be exposed. GODEBUG=x509usefallbackroots=1 is a runtime variable, not a build-time variable. If I set GODEBUG=x509usefallbackroots=1 on agent start, the go runtime should not use the system verifiers anymore, instead it would use the embedded certificate chain provided by x509roots.

jkroepke avatar Jan 12 '24 13:01 jkroepke

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!

github-actions[bot] avatar Feb 13 '24 00:02 github-actions[bot]

unstable

jkroepke avatar Feb 13 '24 11:02 jkroepke

Hey there Jan-Otto! Since we've merged https://github.com/grafana/agent/pull/6340, I'm closing this as completed. Let us know if there's anything else around this issue!

tpaschalis avatar Feb 20 '24 09:02 tpaschalis