Summary - Trying Boring Go in FIPS mode to connect to Microsoft services
(Azure). The intermediate CA certificate for Microsoft has a 4096-bit public
key that is not allowed by Boring Go (code here:
<https://github.com/golang/go/blob/2b0d842f4b24b3be4bcf02c7a796e3a4d3d952f6/src/crypto/tls/boring.go#L98>
). Is there any workaround without having to turn off FIPS mode?
go version go1.14b4 linux/amd64
Hi all,
So I am working on an application that is required to run in FIPS mode and
has to connect to Azure services. I looked up the Boring Go branch, got
version 1.14 and started using it.
While trying to connect to Azure services (for example
graph.microsoft.com or even microsoft.com), I was getting an
incompatible certificate usage issue. Here is the sample code I am using -
```go
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"

	// Code works without this import, but we need the application to run in FIPS mode.
	_ "crypto/tls/fipsonly"
)

func main() {
	url := "https://microsoft.com"
	fmt.Printf("HTML code of %s ...\n", url)

	// Plain client: TLS settings come from crypto/tls, which fipsonly restricts.
	client := &http.Client{}
	resp, err := client.Get(url)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	html, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", html)
}
```
The error I get is as follows -
```
HTML code of https://microsoft.com ...
panic: Get "https://microsoft.com": x509: certificate specifies an incompatible key usage

goroutine 1 [running]:
main.main()
	/usr/local/go/bin/test.go:15 +0x26c
exit status 2
```
I checked the Go code and found that a certificate with a 4096-bit
public key is not a valid certificate according to the IsBoringCertificate
function. The intermediate certificate in Microsoft's certificate chain has
a 4096-bit public key.
[image: Screen Shot 2020-04-27 at 12.35.20 PM]
<https://forum.golangbridge.org/uploads/default/original/2X/5/5ee810d6e3d7c0397d6414aed64851342df3f843.png>
So, my question is as follows:
1. Is this intended behavior?
2. If yes, is there any workaround via which I can keep FIPS mode on and
connect to these services? This workaround can be code changes or using
different tools. However, I can't turn off FIPS mode.
Thanks for going through this !
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com.
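As an added example (not code from the original post, nor from the Go project), the following Go program re-states the key-size rule I read in the linked boring.go (RSA 2048 or 3072 bits, ECDSA P-256 or P-384, everything else rejected; verify this against the exact revision you build with) and runs it over a constructed chain shaped like the one described above: a 2048-bit leaf, a 4096-bit intermediate, a 2048-bit root. This lets you find out which certificate in a chain will trip `fipsonly` before you turn FIPS mode on. The `FIPSRejected` helper, the certificate names and the sample chain are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// fipsKeyOK reports whether a certificate's public key would pass the
// key-size policy of isBoringCertificate in the linked boring.go. Assumption:
// RSA 2048 or 3072 bits, ECDSA P-256 or P-384; anything else is rejected.
// This is a local re-statement of that rule, not the crypto/tls code itself.
func fipsKeyOK(c *x509.Certificate) bool {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		bits := k.N.BitLen()
		return bits == 2048 || bits == 3072
	case *ecdsa.PublicKey:
		name := k.Curve.Params().Name
		return name == "P-256" || name == "P-384"
	default:
		return false
	}
}

// describeKey returns a short human-readable description of the key.
func describeKey(c *x509.Certificate) string {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name
	default:
		return fmt.Sprintf("%T", c.PublicKey)
	}
}

// FIPSRejected walks a chain (leaf first, the order of
// tls.ConnectionState.PeerCertificates) and returns a "subject (key)" line
// for every certificate whose key fails the policy.
func FIPSRejected(chain []*x509.Certificate) []string {
	var bad []string
	for _, c := range chain {
		if !fipsKeyOK(c) {
			bad = append(bad, fmt.Sprintf("%s (%s)", c.Subject.CommonName, describeKey(c)))
		}
	}
	return bad
}

// fakeRSACert builds a certificate struct carrying an RSA public key of the
// given bit length without running key generation: the policy only looks at
// N.BitLen(), so a modulus of 2^(bits-1) is enough for this check.
// Constructed test data, not a real or verifiable certificate.
func fakeRSACert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		PublicKey: &rsa.PublicKey{N: n, E: 65537},
	}
}

// fakeECCert does the same for an ECDSA key on the given curve; the point
// coordinates are placeholders, since only the curve name is inspected.
func fakeECCert(cn string, curve elliptic.Curve) *x509.Certificate {
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		PublicKey: &ecdsa.PublicKey{Curve: curve, X: big.NewInt(1), Y: big.NewInt(1)},
	}
}

// SampleChain mirrors the shape described in the post: a 2048-bit leaf,
// a 4096-bit intermediate and a 2048-bit root. The names are made up.
func SampleChain() []*x509.Certificate {
	return []*x509.Certificate{
		fakeRSACert("leaf.example.test", 2048),
		fakeRSACert("Example Intermediate CA (4096)", 4096),
		fakeRSACert("Example Root CA", 2048),
	}
}

func main() {
	// Against a live server, run a non-FIPS build, tls.Dial the host and pass
	// conn.ConnectionState().PeerCertificates here instead of SampleChain().
	for _, s := range FIPSRejected(SampleChain()) {
		fmt.Println("rejected under the FIPS key policy:", s)
	}
}
```

The certificates are built by hand on purpose: the policy inspects only `N.BitLen()` and the curve name, so no key generation, chain validation or network access is needed to reproduce the decision. To diagnose a real endpoint, dump the peer chain from a build without the `fipsonly` import and feed it to `FIPSRejected`; any line it returns is a certificate the FIPS-mode build will refuse regardless of how the rest of the chain looks.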