crypto/tls: SMTP connection timeout in Go Version 1.23 #71257
CC @golang/security

maybe the same as #70232

seems like so
@littlerest1 I am not sure this is the same situation. The other issue is for a specific non-Go TLS client connecting to a Go TLS server. And the symptom is that that other client is dropping the connection, there is no timeout involved. You are using a Go TLS client. Which software is the TLS server? Looking at your code, I have a few suggestions for the code you're using:
The reason I was using the tls dial is that there is no reasonable error log when I was using the net/smtp library, so that I could demonstrate the email sending process one by one. Will try better logging for more info about why it gets an io timeout.
ah yeah, that makes sense. when debugging, looking at the traffic with tcpdump may also be helpful (and easy to do).

Hi, @littlerest1 have you managed to find a workaround? Could this issue be reopened?
I managed to find 2 workarounds!

```go
config := &tls.Config{
    MaxVersion: tls.VersionTLS12,
}
```

Because in our case our SMTP server only accepts TLS v1.2, and with this fix it works.

So the regression looks like it comes from this commit: d0edd9a

We definitely should re-open this issue or open a new one.
if it's the remote server breaking on kyber, it's not really considered a bug in go, see https://tldr.fail/

Thank you @seankhliao you are completely right!

We could perhaps add a note to the 1.24 release notes (and perhaps the crypto/tls package) that usage of the X25519MLKEM768 kex (the name of the standardized Kyber kex) may cause failures with TLS stacks that don't handle large records correctly.
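To put the TLS 1.2 cap posted above next to the less drastic fix, here is an added Go example (not code from this thread or from the Go project). It builds two client configs: the `MaxVersion` workaround from the thread, and one that keeps TLS 1.3 but sets an explicit `CurvePreferences` list without the hybrid post-quantum group, which is what Go 1.23+ uses to decide whether to offer it (the `GODEBUG=tlskyber=0` / `tlsmlkem=0` settings are the per-process alternative). It also includes a STARTTLS dialer that gives each phase its own deadline and names the phase in the error, so a stall in the TLS handshake is distinguishable from a stall in the SMTP greeting. The `UsesHybridKEX` helper, the `SMTP_ADDR` variable, the EHLO name and the server address are assumptions for the example; the group IDs 0x6399 and 0x11EC are the codepoints of X25519Kyber768Draft00 and X25519MLKEM768.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/textproto"
	"os"
	"time"
)

// Hybrid group IDs, spelled out so the example builds on Go 1.23 (which did
// not export the draft Kyber constant) as well as Go 1.24 (X25519MLKEM768).
const (
	curveX25519Kyber768Draft00 tls.CurveID = 0x6399
	curveX25519MLKEM768        tls.CurveID = 0x11EC
)

// LegacyCompatConfig keeps TLS 1.3 but pins the groups to classic ones, so
// the ClientHello stays small. Go only offers the hybrid group by default
// when CurvePreferences is nil, so any explicit list that omits it disables it.
func LegacyCompatConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:       serverName,
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
	}
}

// MaxVersionWorkaroundConfig is the workaround posted in the thread. Capping
// at TLS 1.2 also sidesteps the hybrid group (it is TLS 1.3-only) but gives
// up everything TLS 1.3 adds for that server; prefer LegacyCompatConfig.
func MaxVersionWorkaroundConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
}

// UsesHybridKEX reports whether a client config will offer a hybrid group:
// either it keeps the default group list (nil) with TLS 1.3 reachable, or it
// lists one of the hybrid IDs explicitly. Hypothetical helper for this example.
func UsesHybridKEX(c *tls.Config) bool {
	if c.CurvePreferences == nil {
		return c.MaxVersion == 0 || c.MaxVersion >= tls.VersionTLS13
	}
	for _, id := range c.CurvePreferences {
		if id == curveX25519Kyber768Draft00 || id == curveX25519MLKEM768 {
			return true
		}
	}
	return false
}

// DialSMTPStartTLS opens a plain SMTP session, upgrades it with STARTTLS and
// returns the TLS connection. Each phase has its own deadline and is named in
// the error, so "read tcp: timeout" can be attributed to a specific step.
func DialSMTPStartTLS(ctx context.Context, addr, heloName string, cfg *tls.Config) (*tls.Conn, error) {
	const phaseTimeout = 10 * time.Second
	d := net.Dialer{Timeout: phaseTimeout}
	raw, err := d.DialContext(ctx, "tcp", addr)
	if err != nil {
		return nil, fmt.Errorf("tcp connect: %w", err)
	}
	tp := textproto.NewConn(raw)
	phases := []struct {
		name, cmd string
		want      int
	}{
		{"greeting", "", 220},
		{"EHLO", "EHLO " + heloName, 250},
		{"STARTTLS", "STARTTLS", 220},
	}
	for _, p := range phases {
		_ = raw.SetDeadline(time.Now().Add(phaseTimeout))
		if p.cmd != "" {
			if err := tp.PrintfLine("%s", p.cmd); err != nil {
				raw.Close()
				return nil, fmt.Errorf("%s: write: %w", p.name, err)
			}
		}
		if _, _, err := tp.ReadResponse(p.want); err != nil {
			raw.Close()
			return nil, fmt.Errorf("%s: %w", p.name, err)
		}
	}
	// From here the socket carries TLS; the handshake gets its own deadline.
	tlsConn := tls.Client(raw, cfg)
	hctx, cancel := context.WithTimeout(ctx, phaseTimeout)
	defer cancel()
	if err := tlsConn.HandshakeContext(hctx); err != nil {
		raw.Close()
		return nil, fmt.Errorf("tls handshake (hybrid KEX offered: %v): %w", UsesHybridKEX(cfg), err)
	}
	_ = raw.SetDeadline(time.Time{})
	return tlsConn, nil
}

func main() {
	addr := os.Getenv("SMTP_ADDR") // placeholder: host:port of a STARTTLS server
	if addr == "" {
		fmt.Println("set SMTP_ADDR=host:port to try a real STARTTLS dial")
		return
	}
	host, _, _ := net.SplitHostPort(addr)
	conn, err := DialSMTPStartTLS(context.Background(), addr, "client.example", LegacyCompatConfig(host))
	if err != nil {
		fmt.Println("dial failed:", err)
		os.Exit(1)
	}
	defer conn.Close()
	fmt.Printf("negotiated TLS 0x%04x with %s\n", conn.ConnectionState().Version, addr)
}
```

If a server that times out with the default config completes the handshake with `LegacyCompatConfig`, the large hybrid ClientHello is the trigger and the server side (or a middlebox in front of it) is the thing to fix; the `MaxVersion` cap should be the last resort, since it also drops TLS 1.3.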
Change https://go.dev/cl/651036 mentions this issue:

You are right! Usually when you have regressions like this after an upgrade, you instinctively check the release notes, so it might help.

Regarding the crypto/tls package I was not sure where to document this, so I didn't.
…bug.md Relates to golang/go#71257. Since post-quantum TLS algorithms are enabled by default, we should warn about the possible bugs with legacy servers (see https://tldr.fail/) Change-Id: Id5a565c2959c5b0f7b8bdd53ce9e70b191c4bf38 GitHub-Last-Rev: a709e6f GitHub-Pull-Request: #311 Reviewed-on: https://go-review.googlesource.com/c/website/+/650857 Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
…bug.md Relates to #71257. Since post-quantum TLS algorithms are enabled by default, we should warn about the possible bugs with legacy servers (see https://tldr.fail/) Change-Id: I06a5d8a927497ea2141007b14a90af27e0891720 GitHub-Last-Rev: 476e646 GitHub-Pull-Request: #71865 Reviewed-on: https://go-review.googlesource.com/c/go/+/651036 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
Go version

go version go1.23.2 darwin/arm64

Output of `go env` in your module/workspace:

What did you do?

Was using library `crypto/tls` and `net` for smtp dialing and communication. The code is working fine in MacOS arm64 system. However the binary file built by command `env GOOS=linux GOARCH=amd64 go build -o` and run in AWS Linux EC2 instance will receive `read tcp: timeout` issue. This issue is resolved by downgrading the Go version to 1.22.

What did you see happen?

What did you expect to see?

`AUTH LOGIN` command successfully sent after `STARTTLS` command and receive the request for username and password for further authentication.