I haven't been able to test this on Snow Leopard yet. Neither a Go binary ...
13 years, 5 months ago
(2011-10-13 01:16:11 UTC)
#2
I haven't been able to test this on Snow Leopard yet. Neither a Go binary built
on Lion on Snow Leopard, nor a pure-Snow Leopard build. If anyone could check
that nothing breaks in those two configurations, that would be much appreciated.
Also, note that this change set changes the default certificate verification
logic in handshake_client.go. The old code would only verify the certificate
chain when c.config.RootCAs != nil. However, the default emptyConfig for TLS
clients would always have RootCAs set to nil, so no verification was performed
unless a suitable custom tls.Config was provided.
The new logic makes sure that system-provided CAs are considered as well, when
using the default TLS config. Another thing to note is that certificate chain
verification is completely skipped if rootCAs() == nil. (That is, if both the
RootCAs field of the tls.Config struct is nil, *and* the list of system default
CAs is nil). This is the case for OSes that use the new root_stub.go file for
their default root implementation.
On 2011/10/13 03:25:35, adg wrote: > On my Snow Leopard machine: > > $ gomake ...
13 years, 5 months ago
(2011-10-13 13:38:29 UTC)
#4
On 2011/10/13 03:25:35, adg wrote:
> On my Snow Leopard machine:
>
> $ gomake test
> gotest
> rm -f _test/crypto/tls.a
> CGOPKGPATH=crypto cgo -- root_darwin.go
> touch _obj/_cgo_run
> 6g -p crypto/tls -o _gotest_.6 alert.go cipher_suites.go common.go
> conn.go handshake_client.go handshake_messages.go handshake_server.go
> key_agreement.go prf.go tls.go _obj/root_darwin.cgo1.go
> _obj/_cgo_gotypes.go conn_test.go handshake_client_test.go
> handshake_messages_test.go handshake_server_test.go prf_test.go
> root_test.go
> 6c -FVw -I/Users/adg/go/pkg/darwin_amd64 -I . -o "_cgo_defun.6"
> _obj/_cgo_defun.c
> gcc -m64 -I . -g -fPIC -O2 -o _cgo_main.o -c -Wno-error _obj/_cgo_main.c
> gcc -m64 -I . -g -fPIC -O2 -o root_darwin.cgo2.o -c -Wno-error
> _obj/root_darwin.cgo2.c
> gcc -m64 -I . -g -fPIC -O2 -o _cgo_export.o -c -Wno-error _obj/_cgo_export.c
> gcc -m64 -g -fPIC -O2 -o _cgo1_.o _cgo_main.o root_darwin.cgo2.o
> _cgo_export.o -framework CoreFoundation -framework Security
> cgo -dynimport _cgo1_.o >_obj/_cgo_import.c_ && mv -f
> _obj/_cgo_import.c_ _obj/_cgo_import.c
> 6c -FVw -I . -o "_cgo_import.6" _obj/_cgo_import.c
> rm -f _test/crypto/tls.a
> gopack grc _test/crypto/tls.a _gotest_.6 _cgo_defun.6 _cgo_import.6
> root_darwin.cgo2.o _cgo_export.o
> --- FAIL: tls.TestHandshakeClientRC4 (0.24 seconds)
> RC4 #2: unexpected EOF
> FAIL
> gotest: "./6.out" failed: exit status 1
Thanks Andrew. Seems to work (except for the test failures because of the CA
verify logic).
If possible, we should also check whether a Lion-built Go executable using this
code still runs on Snow Leopard.
Something like this should suffice: http://goo.gl/pFPRn ... here's a binary:
http://db.tt/Hqu0Zo1z if anyone dares :-)
The test failure was because of the new root CA logic. With the new code, the
client would reject the certificate chain presented in handshake_client_test.go.
To remedy this I've introduced a new tls.Config field called SkipVerification.
It'll skip verification of the server's certificate chain.
Likewise, there was a test failure in package http similar to this. For now,
I've enabled SkipVerification for both of the tests.
I tried to check whether it was feasible to instead introduce a
'AllowSelfSigned' field instead, but I don't think crypto/x509 currently is able
to verify self-signed certificates (where self-signed means a chain that only
includes a single certificate that's signed by itself). That's for another CL.
Thanks, I'll fix these. http://codereview.appspot.com/5262041/diff/18001/src/pkg/crypto/tls/handshake_client.go File src/pkg/crypto/tls/handshake_client.go (right): http://codereview.appspot.com/5262041/diff/18001/src/pkg/crypto/tls/handshake_client.go#newcode100 src/pkg/crypto/tls/handshake_client.go:100: // If we don't have ...
13 years, 5 months ago
(2011-10-13 15:37:50 UTC)
#7
Thanks, I'll fix these.
http://codereview.appspot.com/5262041/diff/18001/src/pkg/crypto/tls/handshake...
File src/pkg/crypto/tls/handshake_client.go (right):
http://codereview.appspot.com/5262041/diff/18001/src/pkg/crypto/tls/handshake...
src/pkg/crypto/tls/handshake_client.go:100: // If we don't have a root CA set
configured and the system doesn't provide its
On 2011/10/13 15:14:35, rsc wrote:
> This was a hack for OS X users. It's not the right default behavior.
>
> if !c.config.InsecureSkipVerify {
> opts := x509.VerifyOptions{
> Roots: c.config.rootCAs(),
> ...
>
>
I kept it around mainly to allow systems that use root_stub.go to still function
with the current behavior (basically SkipVerification == true).
I plan to submit a CL implementing access to Windows' cert stores as well, so
perhaps it's not too much of an issue.
> I kept it around mainly to allow systems that use root_stub.go to still > ...
13 years, 5 months ago
(2011-10-13 15:50:17 UTC)
#8
> I kept it around mainly to allow systems that use root_stub.go to still
> function with the current behavior (basically SkipVerification == true).
>
> I plan to submit a CL implementing access to Windows' cert stores as
> well, so perhaps it's not too much of an issue.
Now that we have the ability to do the right thing,
we should do the right thing. I put that code in
when package net could not use cgo at all.
Keeping it just encourages us not to fix it.
Russ
Issue 5262041: code review 5262041: crypto/tls: fetch root certificates using Mac OS API
(Closed)
Created 13 years, 5 months ago by mkrautz
Modified 13 years, 4 months ago
Reviewers:
Base URL:
Comments: 5
