Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: FreeBSD CA roots order fix #14022

Closed
lifeforms opened this issue Jan 19, 2016 · 6 comments
Closed

crypto/x509: FreeBSD CA roots order fix #14022

lifeforms opened this issue Jan 19, 2016 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. OS-FreeBSD
Milestone
Go1.9

Comments

@lifeforms
Copy link

In Go 1.5, the CA root certificate store search order was changed for BSD systems:

  • Go 1.4 programs would look for /etc/ssl/cert.pem before trying /usr/local/share/certs/ca-root-nss.crt. (source)
  • Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, before looking for /etc/ssl/cert.pem. (source)

Looking at FreeBSD itself, libfetch (used by FreeBSD core) appears to try the SSL_CA_CERT_FILE environment variable first, then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem. (source) This might be considered the canonical way to determine the location for the trust store on FreeBSD.

In FreeBSD, the location /usr/local/share/certs/ca-root-nss.crt is not special or blessed, but it's an implementation detail of the ca_root_nss package (Root certificate bundle from the Mozilla Project). Almost all users will have this package installed, and due to the ca_root_nss package's ETCSYMLINK option, their /etc/ssl/cert.pem will be symlinked, in which case the lookup order does not matter.

My issue with Go 1.5 happens because I deploy my own trust store to /etc/ssl/cert.pem.

If the ca_root_nss package happens to be installed, Go 1.5 picks up the ca_root_nss package's file /usr/local/share/certs/ca-root-nss.crt and no longer looks at the global /etc/ssl/cert.pem.

My build boxes have the Mozilla roots ca_root_nss package installed (to incorporate a modified version of it in our own trust store). On these machines, Go 1.5 programs prefer ca-root-nss.crt and use only the Mozilla roots, failing to verify servers using the global roots.

Due to fate, the search order in Go 1.4 (source) seems to have been more correct, as /etc/ssl/cert.pem was tried first, even if it was marked only as for OpenBSD.

However, since most people will just plainly use the Mozilla CA roots as their global roots file, this issue is probably rare.

I would recommend to duplicate the search order of FreeBSD's libfetch (source) in /src/crypto/x509/root_bsd.go.

The current list is:

var certFiles = []string{
    "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
    "/etc/ssl/cert.pem",                      // OpenBSD
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

To prefer the system roots and mimic the behavior of libfetch, while keeping compatibility with the other OSes, the entries could become:

var certFiles = []string{
    "/usr/local/etc/ssl/cert.pem",            // FreeBSD
    "/etc/ssl/cert.pem",                      // FreeBSD/OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt", // DragonFly
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

Go version: go version go1.5.3 freebsd/amd64
@minux
Copy link
Member

minux commented Jan 19, 2016 via email

@ianlancetaylor ianlancetaylor modified the milestones: Go1.6Maybe, Go1.7 Jan 19, 2016
@ianlancetaylor
Copy link
Contributor

Since this is the first complaint I've seen about 1.5, and we are frozen as we can be for 1.6, I'm pushing this back until 1.7.

@lifeforms
Copy link
Author

That sounds great, good luck with the freeze!

As for environment variables, FreeBSD just brought its libfetch in order with OpenSSL convention of checking SSL_CA_CERT_FILE and SSL_CA_CERT_PATH. I imagine it would be pretty cool if Go programs would do the same, though the change would be a bit bigger.

@mwielgoszewski mwielgoszewski mentioned this issue Feb 26, 2016
Closed
@gopherbot
Copy link

CL https://golang.org/cl/20253 mentions this issue.

@agl agl self-assigned this Mar 10, 2016
@rsc
Copy link
Contributor

rsc commented May 18, 2016

We should make sure to get to this early in Go 1.8.

@rsc rsc modified the milestones: Go1.8, Go1.7 May 18, 2016
@bradfitz bradfitz mentioned this issue May 19, 2016
Closed
@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 5, 2016
@rsc rsc modified the milestones: Go1.9Early, Go1.8 Nov 3, 2016
@gopherbot
Copy link

CL https://golang.org/cl/36093 mentions this issue.

@bradfitz bradfitz modified the milestones: Go1.9, Go1.9Early May 3, 2017
@golang golang locked and limited conversation to collaborators May 3, 2018
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. OS-FreeBSD
Projects
None yet
Milestone
Go1.9
Development

No branches or pull requests
9 participants
@bradfitz @agl @mikioh @rsc @quentinmit @minux @ianlancetaylor @lifeforms @gopherbot