x509: cannot verify signature: algorithm unimplemented
A GitLab instance is behind sha256 TLS. Gitlab Runner fails a SSL handshake with following error:
x509: cannot verify signature: algorithm unimplemented
Relevant details of certificate:
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)Might be related:
- http://stackoverflow.com/questions/25008571/golang-issue-x509-cannot-verify-signature-algorithm-unimplemented-on-net-http
- http://bridge.grumpy-troll.org/2014/05/golang-tls-comodo/
- https://www.imperialviolet.org/2014/05/14/sha256.html
Using: docker image gitlab/gitlab-runner:v1.6.1
Activity
Thanks for the report @patrikbeno
Looks like the fix is just to do:
import _ "crypto/sha512"In the runner's codebase.
I'll see if we can get this done in time for v1.7!
Edited by Nick ThomasReassigned to @nick.thomas
@patrikbeno I can't replicate this with a sha256-signed certificate and a regular RSA key.
Seems the problem is actually the "rsassaPss" signature - so we actually need https://github.com/golang/go/commit/e41b0e2bcb2667425b7eb223baa2b9945466651b . This will be added in go1.8 - unfortunately, that's not slated for release until Feb 2017!
You could try building the runner against the go nightlies to get support, or attempt to patch go1.7 with the above PR?
Edited by Nick Thomas@nick.thomas thanks, maybe I'll give it a shot, but for now, I can live with a current workaround (other certificate) until Feb/March 2017, too. Please, just schedule this fix as possible.
Milestone changed to %Backlog
Added feature proposal label
