Golang问题x509:无法验证签名:算法未在net / http上实现

时间:2014-07-29 05:10:08

标签: ssl https go x509

我正在编写一个非常简单的Golang脚本,并使用此库golang-jenkins连接我们的内部HTTPS服务器。但是我面临以下x509证书问题,并且不确定如何处理x509证书问题。我们的团队无法访问Jenkins,并想知道我们还可以做些什么来更多地了解这个问题。

$ go run jenkins.go 
2014/07/28 22:00:29 [] Get https://jenkins.mydomain.com/api/json: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: algorithm unimplemented" while trying to verify candidate authority certificate "MyDomain Internal Root CA")

使用curl:

$ curl -v "https://jenkins.mydomain.com/api/json"
* Adding handle: conn: 0x7f8469004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8469004000) send_pipe: 1, recv_pipe: 0
* About to connect() to jenkins.mydomain.com port 443 (#0)
*   Trying 10.38.8.70...
* Connected to jenkins.mydomain.com (10.38.8.70) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: jenkins.mydomain.com
* Server certificate: MyDomain Server CA - 2014
* Server certificate: MyDomain Internal Root CA
> GET /api/json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: jenkins.mydomain.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 29 Jul 2014 05:03:45 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: JSESSIONID.214ca1a4=1ry000odf815goiv7vl8tr627;Path=/;Secure
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Jenkins: 1.554.3
< X-Jenkins-Session: c660ff91

1 个答案:

答案 0 :(得分:7)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256目前在Go中被破坏,它将在v1.4中得到支持,唯一的解决方法是降级TLS MaxVersion。

快速浏览golang-jenkins,它不允许指定要使用的http.Client并且只使用http.DefaultClient,降级TLS的MaxVersion的唯一丑陋方式是覆盖http.DefaultClient.Transport

在尝试连接任何内容之前,您应该可以在func init()中执行以下操作:

cfg := &tls.Config{
    MaxVersion:               tls.VersionTLS11, // try tls.VersionTLS10 if this doesn't work
    PreferServerCipherSuites: true,
}

http.DefaultClient.Transport = &http.Transport{
    TLSClientConfig: cfg,
}

请注意,这会为直接使用http.DefaultClient的任何内容设置传输,例如http.Get,但是如果您使用自己的实例,则可以。

讨论错误:https://groups.google.com/forum/#!topic/golang-nuts/oK3EBAY2Uig