Conversation

@adreed-msft
Member

@adreed-msft adreed-msft commented Nov 5, 2025

Description

Feature / Bug Fix:

In Go 1.23, a new feature was introduced in the crypto/x509 package that disabled certificates with a negative serial number, sometimes breaking MITM proxies, which prove useful in debugging.

There is no way to disable this at runtime outside of setting the GODEBUG environment variable. This is often above users' heads, but it's arguable that anybody going out of their way to use a MITM proxy is probably technically inclined enough to figure out that this changed.

Hence, this isn't the cleanest solution, and I'm not the happiest with it. This PR is here to serve as a discussion point, not necessarily something to review.

Related Links:

  • PBI #32923845

Type of Change

  • Bug fix (sorta)
  • New feature
  • Documentation update required
  • Code quality improvement
  • Other (describe):

How Has This Been Tested?

Manually tested behind fiddler

Copilot AI left a comment

Pull Request Overview

This PR adds a godebug directive to the go.mod file to enable the x509negativeserial=1 setting, which controls how negative serial numbers in X.509 certificates are handled.

Key Changes

  • Added a godebug block with the x509negativeserial=1 setting to maintain compatibility with X.509 certificates that have negative serial numbers

@gapra-msft
Member

gapra-msft commented Nov 6, 2025

Thanks for starting the discussion here. I don’t think we should add this to go.mod - MITM proxy is using negative serials, which isn’t RFC-compliant, so I'd prefer to avoid allowing something that isn't RFC compliant by default. Let’s just document how to set GODEBUG=x509negativeserial=1 instead for folks who need it.
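To make the behaviour under discussion concrete (the Go 1.23 rejection described in the PR description and the x509negativeserial toggle the review proposes documenting), here is an added example that is not part of this PR or the repository. It assumes Go 1.23 or later; makeNegativeSerialCert and parseWithGodebug are constructed helpers, and the certificate is a throwaway one built in-process.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"os"
	"time"
)

// makeNegativeSerialCert builds a throwaway self-signed certificate with serial 1,
// then flips the sign bit of the DER-encoded serial so it decodes as -127.
// CreateCertificate refuses negative serials, so the DER is patched afterwards;
// the signature no longer matches, but ParseCertificate does not verify signatures.
func makeNegativeSerialCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed test value
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// TBSCertificate opens with version [0] EXPLICIT INTEGER 2, then INTEGER serial 1.
	marker := []byte{0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01}
	i := bytes.Index(der, marker)
	if i < 0 {
		return nil, fmt.Errorf("serial marker not found in DER")
	}
	patched := bytes.Clone(der)
	patched[i+len(marker)-1] = 0x81 // DER INTEGER 0x81 is -127 in two's complement
	return patched, nil
}

// parseWithGodebug parses der with the given GODEBUG value in effect; the runtime
// re-reads GODEBUG when os.Setenv changes it, so no process restart is needed.
func parseWithGodebug(der []byte, godebug string) (*x509.Certificate, error) {
	old := os.Getenv("GODEBUG")
	os.Setenv("GODEBUG", godebug)
	defer os.Setenv("GODEBUG", old)
	return x509.ParseCertificate(der)
}
```

Calling parseWithGodebug with "x509negativeserial=0" returns the "negative serial number" error, while "x509negativeserial=1" returns the certificate with SerialNumber -127. Note that, since Go 1.21, the default value of a GODEBUG setting follows the go line in go.mod, which is why the directive in this PR and the environment variable are interchangeable ways of restoring the old behaviour.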

3 participants