crypto/tls: fetch root certificates using Mac OS API #1009
Labels
Comments
What about people who don't have MacPorts? This is a known issue - there's a TODO to that effect in the source code. My plan is to revise the networking code so that it can use host services and ask OS X for the root set or to validate the certificate. Owner changed to r...@golang.org. Status changed to Accepted. |
|
Comment 2 by dacc@exaptic.com: Yeah, my patch is admittedly a hack -- just thought I'd mention what I did to work around the problem. Should there be tickets in here for TODOs like this in the code, or is that overkill? |
The networking code now uses cgo, so it is time to fix this for real. The fix is to add new root_darwin.go, root_unix.go, and root_stub.go files to crypto/tls, all implementing initDefaultRoots(). The root_stub.go implementation would do nothing; root_darwin.go would call SecTrustCopyAnchorCertificates [1], root_unix.go would do the file reading currently in common.go. We will eventually want a root_windows.go too. [1] http://developer.apple.com/library/mac/#documentation/security/Reference/certifkeytrustservices/Reference/reference.html Labels changed: added os-macosx. Status changed to HelpWanted. |
|
This issue was closed by revision 38fb09b. Status changed to Fixed. |
FiloSottile
pushed a commit
to FiloSottile/go
that referenced
this issue
Oct 12, 2018
Fixes golang#1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
by dacc@exaptic.com:
What steps will reproduce the problem? 1. Attempt to retrieve a document from an https location using e.g. http.Get("https://google.com/";) What is the expected output? Success. What do you see instead? Error with "bad certificate". What is your $GOOS? $GOARCH? darwin / i386 Which revision are you using? (hg identify) db904d88dc0e+ tip Please provide any additional information below. This is caused by missing CA certificates. In src/pkg/crypt/tls/common.go the default config looks for curl's root CA bundle at these locations: <pre> var certFiles = []string{ "/etc/ssl/certs/ca-certificates.crt", // Linux etc "/usr/share/curl/curl-ca-bundle.crt", // OS X } </pre> On the two OS 10.6 systems I checked the second location didn't exist. In fact, I couldn't find this file anywhere after trying the following: <pre> {dan@godel /}$ mdfind curl-ca-bundle.crt|grep -v '^/opt' /Users/dan/src/golang/src/pkg/crypto/tls/common.go {dan@godel /}$ curl-config --ca {dan@godel /}$ </pre> Curl can still retrieve HTTPS URLs. I patched my common.m to look for the MacPorts version of this file: <pre> {dan@godel ~/src/golang}$ hg diff diff -r db904d88dc0e src/pkg/crypto/tls/common.go --- a/src/pkg/crypto/tls/common.go Fri Jul 30 14:48:30 2010 +1000 +++ b/src/pkg/crypto/tls/common.go Sun Aug 08 01:47:51 2010 -0700 @@ -138,7 +138,8 @@ // the same root set that curl uses. var certFiles = []string{ "/etc/ssl/certs/ca-certificates.crt", // Linux etc - "/usr/share/curl/curl-ca-bundle.crt", // OS X + "/usr/share/curl/curl-ca-bundle.crt", // OS X (<= 10.5?) + "/opt/local/share/curl/curl-ca-bundle.crt", // OS X (MacPorts) } func initDefaultConfig() { {dan@godel ~/src/golang}$ </pre>The text was updated successfully, but these errors were encountered: