Re: X509 certificate validation more strict in golang 1.25.2

To: Reinhard Tartler <siretart@gmail.com>
Cc: Debian Go Packaging Team <debian-go@lists.debian.org>
Subject: Re: X509 certificate validation more strict in golang 1.25.2
From: Tianon Gravi <tianon@debian.org>
Date: Mon, 13 Oct 2025 14:54:25 -0700
Message-id: <[🔎] CAHnKnK1eS8SoWJwJwTUXuCVep2yTs4q3zguy09cDSWW3aBq9Bw@mail.gmail.com>
In-reply-to: <[🔎] CAHnKnK1WrW6CJtMokjtiDmTugjZtKmrwO9Od2OGf1mTaHobYyg@mail.gmail.com>
References: <[🔎] CAJ0ccearyPBvJVGyqJjqiqrrWDfX+w-bDvSNS4P+w0+QbeCEuA@mail.gmail.com> <[🔎] CAHnKnK1WrW6CJtMokjtiDmTugjZtKmrwO9Od2OGf1mTaHobYyg@mail.gmail.com>

On Mon, 13 Oct 2025 at 10:05, Tianon Gravi <tianon@debian.org> wrote:
>
> On Sun, 12 Oct 2025 at 06:32, Reinhard Tartler <siretart@gmail.com> wrote:
> >
> > Dear fellow Debian Golang Packagers,
> >
> > I am writing to give you a heads-up about a subtle change in Golang 1.25.2 that makes X.509 certificate verification more strict in the `crypto/x509` package, which is part of the standard library. The change in question is https://github.com/golang/go/commit/3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4 and I expect it to break rebuilds of several golang packages in Debian.
> >
> > Specifically, the DNS in the X.509v3 Subject Alternative Name can no longer be empty (cf. https://github.com/etcd-io/etcd/pull/20775#issuecomment-3385325872). This change caused #1117747. I have also seen a similar issue when rebuilding `sigstore-go`, and I plan to file a proper bug report later.
> >
> > I hope this heads-up saves valuable time for others who are surprised by test failures containing the error: "x509: SAN rfc822Name is malformed".
>
> Looks like they've already rolled it back and are thinking about doing
> a patch release. 👀
>
> https://github.com/golang/go/issues/75828#issuecomment-3393726547
>
> > We have merged a change which addresses this, and are determining the feasibility of doing a point release before our next scheduled release (currently scheduled for Nov 4) so that we can get a fixed version out as soon as possible.

Nice, and there's 1.25.2 and 1.24.8 which include this revert:
https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ

I'll try to get those uploaded ASAP (if someone else doesn't beat me
to the dance).

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

Reply to:

References:
- X509 certificate validation more strict in golang 1.25.2
  - From: Reinhard Tartler <siretart@gmail.com>
- Re: X509 certificate validation more strict in golang 1.25.2
  - From: Tianon Gravi <tianon@debian.org>

Prev by Date: Re: X509 certificate validation more strict in golang 1.25.2
Next by Date: Bug#1118039: ITP: golang-github-leonhwangprojects-bice -- bice is a pure Go library that compiles simple C expressions to bpf instructions directly.
Previous by thread: Re: X509 certificate validation more strict in golang 1.25.2
Next by thread: Bug#1117983: ITP: golang-github-gaissmai-bart -- library for Balanced Routing Table (Go library)
Index(es):
- Date
- Thread