Test github.com/aws/aws-sdk-go/aws/session fails with Go 1.18 due to SHA1 being rejected by default. #4316

Closed
3 tasks done
jawn-smith opened this issue Mar 16, 2022 · 2 comments · Fixed by #4318
@jawn-smith

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
TestNewSession_WithCustomCABundle* fails with Go 1.18

Version of AWS SDK for Go?
1.43.19

Version of Go (go version)?
1.18

To Reproduce (observed behavior)
go test ./...

TestMain /tmp/aws-sdk-go-session-test3606657906 /tmp/aws-sdk-go-session-test1981254626
2022/03/16 11:55:43 http: TLS handshake error from 127.0.0.1:56468: remote error: tls: bad certificate
2022/03/16 11:55:43 http: TLS handshake error from 127.0.0.1:56470: remote error: tls: bad certificate
--- FAIL: TestNewSession_WithCustomCABundle_Env (1.00s)
    custom_ca_bundle_test.go:70: expect no error, got Get "https://127.0.0.1:36943": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Testing ROOT CA")
2022/03/16 11:55:44 http: TLS handshake error from 127.0.0.1:37100: remote error: tls: bad certificate
2022/03/16 11:55:44 http: TLS handshake error from 127.0.0.1:37102: remote error: tls: bad certificate
--- FAIL: TestNewSession_WithCustomCABundle_Option (1.00s)
    custom_ca_bundle_test.go:123: expect no error, got Get "https://127.0.0.1:39763": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Testing ROOT CA")
2022/03/16 11:55:45 http: TLS handshake error from 127.0.0.1:51716: remote error: tls: bad certificate
2022/03/16 11:55:45 http: TLS handshake error from 127.0.0.1:51718: remote error: tls: bad certificate
--- FAIL: TestNewSession_WithCustomCABundle_OptionPriority (1.00s)
    custom_ca_bundle_test.go:188: expect no error, got Get "https://127.0.0.1:40905": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Testing ROOT CA")
2022/03/16 11:55:46 http: TLS handshake error from 127.0.0.1:60512: remote error: tls: bad certificate
2022/03/16 11:55:46 http: TLS handshake error from 127.0.0.1:60514: remote error: tls: bad certificate
--- FAIL: TestNewSession_WithCustomCABundle_TransportSet (1.00s)
    custom_ca_bundle_test.go:266: expect no error, got Get "https://127.0.0.1:36415": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "Testing ROOT CA")
2022/03/16 11:55:46 ERROR: failed to load CSM configuration, SharedConfigLoadError: failed to load config file, testdata/shared_config_invalid_ini
caused by: INIParseError: invalid state with ASTKind {section_stmt {1 STRING 0 [112 114 111 102 105 108 101 95 110 97 109]} true []} and TokenType none
2022/03/16 11:55:46 ERROR: failed to load CSM configuration, SharedConfigLoadError: failed to load config file, testdata/shared_config_invalid_ini
caused by: INIParseError: invalid state with ASTKind {section_stmt {1 STRING 0 [112 114 111 102 105 108 101 95 110 97 109]} true []} and TokenType none
FAIL
FAIL    github.com/aws/aws-sdk-go/aws/session   13.078s

Expected behavior
Tests pass

Additional context
This was discovered in Ubuntu while moving from Go 1.17 to 1.18 for the upcoming 22.04 release. Per the Go 1.18 release notes (https://go.dev/doc/go1.18) SHA1 is now rejected by default for security reasons.

@jawn-smith jawn-smith added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 16, 2022
jasdel added a commit to jasdel/aws-sdk-go that referenced this issue Mar 16, 2022
Updates the SDK's custom certificate testing utilities to be compatible
with Go 1.18's deprecating of SHA1. Switch from static openssl generated
certificates to generate certificates at package initialization.

Fixes: aws#4316
jasdel added a commit to jasdel/aws-sdk-go-v2 that referenced this issue Mar 16, 2022
Updates the SDK's custom certificate testing utilities to be compatible
with Go 1.18's deprecating of SHA1. Switch from static openssl generated
certificates to generate certificates at package initialization.

Related to aws/aws-sdk-go#4316
@jasdel jasdel removed the needs-triage This issue or PR still needs to be triaged. label Mar 16, 2022
@jasdel
Contributor

jasdel commented Mar 16, 2022

Thanks for reporting this issue, @GlenPickle. I've created PR #4318 updating the SDK's unit tests for Go 1.18.

jasdel added a commit that referenced this issue Mar 23, 2022
Updates the SDK's custom certificate testing utilities to be compatible
with Go 1.18's deprecating of SHA1. Switch from static openssl generated
certificates to generate certificates at package initialization.

Fixes: #4316
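
The approach named in the commit message, as an added example (not the SDK's code from PR #4318): the test CA and server certificate are generated at run time with SHA256-RSA instead of being loaded from static SHA-1 fixtures, and `usesSHA1` flags the signature algorithms Go 1.18 refuses to verify. The helper names, subject names and one-hour validity window are assumptions; the generic `must` helper requires Go 1.18 or later.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // panicking is acceptable for init-time test fixtures
	if err != nil {
		panic(err)
	}
	return v
}

func usesSHA1(c *x509.Certificate) bool { // true for signatures Go 1.18+ rejects by default
	return c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA1
}

// issue creates a SHA256-RSA certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), SignatureAlgorithm: x509.SHA256WithRSA,
		IsCA: parent == nil, BasicConstraintsValid: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// verifyFreshChain builds a throwaway CA and leaf (constructed names), then verifies the leaf.
func verifyFreshChain() (bool, error) {
	ca, caKey := issue("Example Test Root CA", nil, nil)
	leaf, _ := issue("example test server", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "127.0.0.1"})
	return usesSHA1(ca) || usesSHA1(leaf), err
}

func main() {
	fmt.Println(verifyFreshChain()) // false <nil>
}
```

Running `usesSHA1` over the certificates parsed from an existing fixture bundle shows which files would hit the same `insecure algorithm SHA1-RSA` error after a toolchain upgrade.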
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

jasdel added a commit to aws/aws-sdk-go-v2 that referenced this issue Mar 30, 2022
Updates the SDK's custom certificate testing utilities to be compatible
with Go 1.18's deprecating of SHA1. Switch from static openssl generated
certificates to generate certificates at package initialization.

Related to aws/aws-sdk-go#4316