code review 5532090: crypto/tls: add FreeBSD root certificate location

crypto/tls: add FreeBSD root certificate location
    Fixes issue 2721.

[minux1, 2012-01-18 17:40:02]

Hello golang-dev@googlegroups.com (cc: golang-dev@googlegroups.com),

I'd like you to review this change to
https://go.googlecode.com/hg/

[bradfitz, 2012-01-18 17:58:34]

LGTM

On Wed, Jan 18, 2012 at 9:40 AM, <minux.ma@gmail.com> wrote:

> Reviewers: golang-dev_googlegroups.com,
>
> Message:
> Hello golang-dev@googlegroups.com (cc: golang-dev@googlegroups.com),
>
> I'd like you to review this change to
> https://go.googlecode.com/hg/
>
>
> Description:
> crypto/tls: add FreeBSD root certificate location
>    Fixes issue 2721.
>
> Please review this at
http://codereview.appspot.com/**5532090/<http://codereview.appspot.com/5532090/>
>
> Affected files:
>  M src/pkg/crypto/tls/root_unix.**go
>
>
> Index: src/pkg/crypto/tls/root_unix.**go
> ==============================**==============================**=======
> --- a/src/pkg/crypto/tls/root_**unix.go
> +++ b/src/pkg/crypto/tls/root_**unix.go
> @@ -13,10 +13,11 @@
>
>  // Possible certificate files; stop after finding one.
>  var certFiles = []string{
> -       "/etc/ssl/certs/ca-**certificates.crt", // Linux etc
> -       "/etc/pki/tls/certs/ca-bundle.**crt",   // Fedora/RHEL
> -       "/etc/ssl/ca-bundle.pem",             // OpenSUSE
> -       "/etc/ssl/cert.pem",                  // OpenBSD
> +       "/etc/ssl/certs/ca-**certificates.crt",     // Linux etc
> +       "/etc/pki/tls/certs/ca-bundle.**crt",       // Fedora/RHEL
> +       "/etc/ssl/ca-bundle.pem",                 // OpenSUSE
> +       "/etc/ssl/cert.pem",                      // OpenBSD
> +       "/usr/local/share/certs/ca-**root-nss.crt", // FreeBSD
>  }
>
>  func initDefaultRoots() {
>
>
>

[bradfitz, 2012-01-18 18:01:57]

But not sure how much this matters.  When you install the ca_root_nss port,
it prompts to symlink to /etc/ssl/cert.pem anyway?  *shrug*


On Wed, Jan 18, 2012 at 9:40 AM, <minux.ma@gmail.com> wrote:

> Reviewers: golang-dev_googlegroups.com,
>
> Message:
> Hello golang-dev@googlegroups.com (cc: golang-dev@googlegroups.com),
>
> I'd like you to review this change to
> https://go.googlecode.com/hg/
>
>
> Description:
> crypto/tls: add FreeBSD root certificate location
>    Fixes issue 2721.
>
> Please review this at
http://codereview.appspot.com/**5532090/<http://codereview.appspot.com/5532090/>
>
> Affected files:
>  M src/pkg/crypto/tls/root_unix.**go
>
>
> Index: src/pkg/crypto/tls/root_unix.**go
> ==============================**==============================**=======
> --- a/src/pkg/crypto/tls/root_**unix.go
> +++ b/src/pkg/crypto/tls/root_**unix.go
> @@ -13,10 +13,11 @@
>
>  // Possible certificate files; stop after finding one.
>  var certFiles = []string{
> -       "/etc/ssl/certs/ca-**certificates.crt", // Linux etc
> -       "/etc/pki/tls/certs/ca-bundle.**crt",   // Fedora/RHEL
> -       "/etc/ssl/ca-bundle.pem",             // OpenSUSE
> -       "/etc/ssl/cert.pem",                  // OpenBSD
> +       "/etc/ssl/certs/ca-**certificates.crt",     // Linux etc
> +       "/etc/pki/tls/certs/ca-bundle.**crt",       // Fedora/RHEL
> +       "/etc/ssl/ca-bundle.pem",                 // OpenSUSE
> +       "/etc/ssl/cert.pem",                      // OpenBSD
> +       "/usr/local/share/certs/ca-**root-nss.crt", // FreeBSD
>  }
>
>  func initDefaultRoots() {
>
>
>

[bradfitz, 2012-01-18 18:02:59]

*** Submitted as http://code.google.com/p/go/source/detail?r=41777f1070e9 ***

crypto/tls: add FreeBSD root certificate location
    Fixes issue 2721.

R=golang-dev, bradfitz
CC=golang-dev
http://codereview.appspot.com/5532090

Committer: Brad Fitzpatrick <bradfitz@golang.org>

[minux1, 2012-01-19 07:01:59]

On Thu, Jan 19, 2012 at 2:01 AM, Brad Fitzpatrick <bradfitz@golang.org>wrote:

> But not sure how much this matters.  When you install the ca_root_nss
> port, it prompts to symlink to /etc/ssl/cert.pem anyway?  *shrug*
>
But the default is off. If the root ca certificates aren't loaded, test of
crypto/tls will fail with something like "certificate not signed by
known authroity", and this message won't give the normal user a clear
picture what went wrong.

I'm also wondering should we added a info/warning to initDefaultRoots() in
case that the default ca certs can't be found?
Or, test the existence of root ca certs before TestOSCertBundles?

[brainman, 2012-01-19 23:20:53]

On Thursday, 19 January 2012 18:01:37 UTC+11, minux wrote:
>
>
> I'm also wondering should we added a info/warning to initDefaultRoots() in 
> case that the default ca certs can't be found?
>
>
I share your concerns. Windows version of initDefaultRoots could fail in 
many places for many different reasons. None of it will be known to the 
user, because all errors are ignored.

For example, expired certificates and such might be OK to ignore. But it 
would help user to know that fact when his connection fails with 
"certificate not found" error. "Surely, I had this certificate in my store. 
Somewhere. ..." (looking puzzled <g>).

Alex