proposal: crypto/x509: add functions to download certificates from windows update, and retrieve certificates from windows x509stores #26950
@gopherbot, please add label OS-Windows

Should there be an environment variable to disable this? What if the network is down/slow?

Sorry, but I didn't get that. Disable what? If you mean the way Windows downloads the certificates on demand... then no, there isn't a way to disable that.

If the network is slow that means What about environments without a network? Why can't we offer a way to disable this?

I agree, blocking would not be ideal. I think giving a way to enable/disable fetching certs from windows update would increase the complexity a bit. If we rely on an environment variable, the user would have to change it whenever their network status changes. Or whenever they want to enable/disable downloading certs from WU. Instead, we could just return an error mentioning that certs were not downloaded from WU. I described a way to do it in the CL.

/cc @FiloSottile
This proposal has been added to the active column of the proposals project

I had opened this proposal a long time ago. And honestly, I had forgotten about this. For my work, I remember I made a tool to fetch the windows certs whenever needed. It's been a long time since I last worked with Go.

This issue is now pretty old, it hasn't gotten much additional enthusiasm that I see, and the original commenter no longer needs the functionality. It sounds like maybe we should decline this specific proposal until we have an ongoing need that we can use to evaluate solutions.

Based on the discussion above, this proposal seems like a likely decline.

No change in consensus, so declined.
SystemCertPool() hasn't been working on Windows (#16736). That issue was fixed once. But since Windows does not ship with all of its root certificates installed, it caused some unexpected behavior (#18609). The missing certificates can be downloaded from windows update using certutil.exe present on Windows. There are also other multiple certificate stores on Windows. There are two store locations, and a bunch of stores in each location.

We could retrieve the certificates from windows update and all of the above locations. Then remove the disallowed certificates from that entire collection. That way SystemCertPool() can be fixed. I have been working on it - CL 127577. While working on it, I created two new functions. One would retrieve the certificates from any location mentioned in the MSDN docs - windows509Store(). And the other would download the certificates from windows update - downloadWUCerts().

I opened this proposal to welcome a discussion regarding whether or not we should export those two new functions to the standard library. The code would be there regardless. Because there are multiple certificate stores on Windows, these functions could provide the end user a bit more control if needed.
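The collection step the proposal describes (roots from both store locations plus the Windows Update list, minus anything in the Disallowed store), as an added PowerShell example that is not code from the proposal or from CL 127577. It assumes certutil.exe supports -generateSSTFromWU and that Root and AuthRoot are the stores holding trusted roots.

```powershell
# Added example, not from the Go proposal: build a root pool the way the issue
# describes and report what Windows Update would supply that is not installed.
$ErrorActionPreference = 'Stop'
$locations  = @('CurrentUser', 'LocalMachine')   # the two store locations
$rootStores = @('Root', 'AuthRoot')              # assumption: stores holding trusted roots

# 1. Roots already installed, from every location/store pair.
$installed = @{}
foreach ($loc in $locations) {
    foreach ($name in $rootStores) {
        $path = "Cert:\$loc\$name"
        if (Test-Path $path) {
            Get-ChildItem -Path $path | ForEach-Object { $installed[$_.Thumbprint] = $_ }
        }
    }
}

# 2. Roots Windows fetches on demand: certutil writes the WU list to an SST file
#    (assumption: -generateSSTFromWU is available on this certutil build).
$sst = Join-Path $env:TEMP 'wu-roots.sst'
& certutil.exe -generateSSTFromWU $sst | Out-Null
$wu = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wu.Import($sst)
$fromWU = @{}
foreach ($c in $wu) { $fromWU[$c.Thumbprint] = $c }

# 3. Certificates explicitly distrusted, from both locations.
$disallowed = @{}
foreach ($loc in $locations) {
    $path = "Cert:\$loc\Disallowed"
    if (Test-Path $path) {
        Get-ChildItem -Path $path | ForEach-Object { $disallowed[$_.Thumbprint] = $true }
    }
}

# 4. Union of installed and WU roots, minus anything disallowed.
$pool = @{}
foreach ($t in (@($installed.Keys) + @($fromWU.Keys))) {
    if (-not $disallowed.ContainsKey($t)) {
        $pool[$t] = if ($installed.ContainsKey($t)) { $installed[$t] } else { $fromWU[$t] }
    }
}

$missing = @($fromWU.Keys | Where-Object { -not $installed.ContainsKey($_) -and -not $disallowed.ContainsKey($_) })
"Installed roots: $($installed.Count); WU list: $($fromWU.Count); disallowed: $($disallowed.Count)"
"Usable pool: $($pool.Count); in WU list but not installed locally: $($missing.Count)"
$missing | ForEach-Object { $fromWU[$_].Subject }
```

Running this on a freshly installed machine shows directly why a pool built only from the local Root store is smaller than what Windows itself will trust after its on-demand download.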