## Overview As @patrickbajao pointed out at https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128314#note_1498190261, Go 1.20.7 [adds a `maxRSAKeySize` constant](https://github.com/golang/go/commit/a51957fb0b20bb6c91d0415efca222cc9ecdb770) which restricts the maximum key size to 8192 bits where as previously there was _no_ limit imposed: ```go // maxRSAKeySize is the maximum RSA key size in bits that we are willing // to verify the signatures of during a TLS handshake. const maxRSAKeySize = 8192 ``` And will return the following error if the key is \> 8192: ```go fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ``` The rationale behind the change is and why 8192 bits was chosen: > Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to \<= 8192 bits. > > Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. ## Problem Go 1.20.7 could break TLS operations for gitlab.com and/or our customers. - [Support issue](https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/5374) ## GitLab projects to test |Status|Component Name|Notes| |:----|:----|:----| |:white_check_mark:|[Docker Distribution Pruner](https://gitlab.com/gitlab-org/docker-distribution-pruner)|TLS not configurable? [Currently using go 1.16](https://gitlab.com/gitlab-org/docker-distribution-pruner/-/blob/master/go.mod?ref_type=heads#L3).| |:white_check_mark:|[Gitaly](https://gitlab.com/gitlab-org/gitaly)| See https://gitlab.com/groups/gitlab-org/-/epics/11186#note_1508863631 ([docs](https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html#enable-tls-support)) | |:white_check_mark:|[GitLab Compose Kit](https://gitlab.com/gitlab-org/gitlab-compose-kit)|Non-production tool.| |:white_check_mark:|[GitLab Container Registry](https://gitlab.com/gitlab-org/container-registry)| See https://gitlab.com/groups/gitlab-org/-/epics/11186#note_1508876029 ([docs](https://docs.gitlab.com/ee/administration/packages/container_registry.html))| |:white_check_mark:|[GitLab Elasticsearch Indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer)|TLS not configurable.| |:white_check_mark:|[GitLab Zoekt Indexer](https://gitlab.com/gitlab-org/gitlab-zoekt-indexer)|TLS not configurable.| |:white_check_mark:|[GitLab agent server for Kubernetes (KAS)](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent)|(asked on Slack)| |:white_check_mark:|[GitLab Pages](https://gitlab.com/gitlab-org/gitlab-pages)| See https://gitlab.com/groups/gitlab-org/-/epics/11186#note_1508864732 ([docs](https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/index.html#manual-addition-of-ssltls-certificates))| |:white_check_mark:|[GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell)| See https://gitlab.com/groups/gitlab-org/-/epics/11186#note_1508870363 | |:white_check_mark:|[GitLab Workhorse](https://gitlab.com/gitlab-org/gitlab/-/tree/master/workhorse)| See https://gitlab.com/groups/gitlab-org/-/epics/11186#note_1508867969 ([docs](https://docs.gitlab.com/ee/development/workhorse/configuration.html#tls-support)) | |:white_check_mark:|[GitLab Browser-based DAST (browserker)](https://gitlab.com/gitlab-org/security-products/analyzers/browserker)| [go 1.20.5 in use](https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/blob/main/Dockerfile?ref_type=heads#L12) | |:white_check_mark:|[GitLab Coverage Fuzzer](https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz-src/)| [go 1.19 in use](https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz-src/-/blob/v3/go.mod?ref_type=heads#L3) | |:white_check_mark:|[LabKit](https://gitlab.com/gitlab-org/labkit)|Is a library for other Go projects.| |:white_check_mark:|[GitLab Workspaces Proxy](https://gitlab.com/gitlab-org/remote-development/gitlab-workspaces-proxy)| Using [go 1.19.9](https://gitlab.com/gitlab-org/remote-development/gitlab-workspaces-proxy/-/blob/main/go.mod?ref_type=heads#L3) curently. | :white_check_mark: = Verified, :mag: = Investigating, :question: = Unknown