Go version

go version go1.22.2 linux/amd64

Output of `go env` in your module/workspace:

What did you do?

I attempted to connect to AWS Aurora over TLS using `database/sql` with `GOEXPERIMENT=boringcrypto` and `import _ "crypto/tls/fipsonly"` and got an error. It is difficult to reproduce because I connected and queried one Aurora instance just fine, but the other threw an error.

What did you see happen?

I got an error when attempting the connection. It was a recovered nil pointer panic. After removing the `recover()` call, I got this:

It seems this `if` statement prevents `tlsrsakex.Value()` from being called a few lines later: https://github.com/golang/go/blob/dddf0ae40fa0c1223aba191d73a44425a08e1035/src/crypto/tls/common.go#L1014

But then sometime later, this line calls `tlsrsakex.IncNonDefault()`: https://github.com/golang/go/blob/dddf0ae40fa0c1223aba191d73a44425a08e1035/src/crypto/tls/handshake_client.go#L530

Unfortunately this comment explains that `Value()` must always be called before `IncNonDefault()`: https://github.com/golang/go/blob/dddf0ae40fa0c1223aba191d73a44425a08e1035/src/internal/godebug/godebug.go#L100

What did you expect to see?

I expected the connection to succeed for both AWS Aurora instances.
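The ordering hazard the report describes, modelled as a small constructed Go program (an added example, not code from the Go repository or from the reporter): `lazySetting`, `stats`, `panics` and `Counts` are invented names standing in for the real godebug types; the buggy increment panics when it runs before `Value()`, and a self-registering variant shows the defensive fix.

```go
package main

import "sync"

// stats only exists once the setting has been registered by Value().
type stats struct{ nonDefault int }

// lazySetting is a constructed model of the hazard in the report, not the
// real internal/godebug code: the embedded pointer is filled in by Value(),
// so IncNonDefault() on a setting that was never read dereferences nil.
type lazySetting struct {
	once sync.Once
	*stats // nil until once.Do runs inside Value()
}

// Value registers the setting on first use; the real lookup is elided.
func (s *lazySetting) Value() string {
	s.once.Do(func() { s.stats = &stats{} })
	return ""
}

// IncNonDefault is the buggy path: it assumes Value() already ran.
func (s *lazySetting) IncNonDefault() { s.nonDefault++ }

// IncNonDefaultSafe removes the ordering dependency by registering itself.
func (s *lazySetting) IncNonDefaultSafe() { s.Value(); s.nonDefault++ }

// panics reports whether f panics, recovering as the reporter's code did.
func panics(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

// IncBeforeValuePanics reproduces the crash: increment with no prior Value().
func IncBeforeValuePanics() bool {
	return panics(new(lazySetting).IncNonDefault)
}

// Counts returns the counter after the documented order (Value then
// IncNonDefault) and after the self-registering increment with no Value().
func Counts() (ordered, safe int) {
	a := new(lazySetting)
	a.Value()
	a.IncNonDefault()
	b := new(lazySetting)
	b.IncNonDefaultSafe()
	return a.nonDefault, b.nonDefault
}
```

The same shape applies to any lazily registered setting: either document and enforce the call order, or make every entry point self-initializing so a skipped branch (like the early FIPS return) cannot leave the pointer nil.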