Golang问题x509:无法验证签名:算法未在net/http上实现

Question

我正在编写一个非常简单的Golang脚本,并使用这个库golang-jenkins来连接我们的内部HTTPS服务器.但是我面临以下x509证书问题,并且不确定如何处理x509证书问题.我们的团队无法访问Jenkins,并想知道我们还可以做些什么来更多地了解这个问题.

$ go run jenkins.go 
2014/07/28 22:00:29 [] Get https://jenkins.mydomain.com/api/json: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: algorithm unimplemented" while trying to verify candidate authority certificate "MyDomain Internal Root CA")

使用curl:

$ curl -v "https://jenkins.mydomain.com/api/json"
* Adding handle: conn: 0x7f8469004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8469004000) send_pipe: 1, recv_pipe: 0
* About to connect() to jenkins.mydomain.com port 443 (#0)
*   Trying 10.38.8.70...
* Connected to jenkins.mydomain.com (10.38.8.70) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: jenkins.mydomain.com
* Server certificate: MyDomain Server CA - 2014
* Server certificate: MyDomain Internal Root CA
> GET /api/json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: jenkins.mydomain.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 29 Jul 2014 05:03:45 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: JSESSIONID.214ca1a4=1ry000odf815goiv7vl8tr627;Path=/;Secure
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Jenkins: 1.554.3
< X-Jenkins-Session: c660ff91

Answer 1

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 目前在Go中被破坏,它将在v1.4中得到支持,唯一的解决方法是降级TLS MaxVersion.

快速浏览golang-jenkins,它不允许指定http.Client使用和使用http.DefaultClient,降级TLS的MaxVersion的唯一丑陋方法是覆盖http.DefaultClient.Transport.

在func init()尝试连接任何东西之前,您应该可以执行以下操作:

cfg := &tls.Config{
    MaxVersion:               tls.VersionTLS11, // try tls.VersionTLS10 if this doesn't work
    PreferServerCipherSuites: true,
}

http.DefaultClient.Transport = &http.Transport{
    TLSClientConfig: cfg,
}

请记住,这将为任何http.DefaultClient直接使用的东西设置传输,例如http.Get,如果你使用自己的实例,你会没事的.

讨论该错误:https://groups.google.com/forum/#!topic / golang -nuts/oK3EBAY2Uig