
crypto/tls: fetch root certificates using Mac OS API #1009

gopherbot opened this issue Aug 8, 2010 · 5 comments

What steps will reproduce the problem?
1. Attempt to retrieve a document from an https location using e.g.

What is the expected output?

What do you see instead?
Error with "bad certificate".

What is your $GOOS?  $GOARCH?
darwin / i386

Which revision are you using?  (hg identify)
db904d88dc0e+ tip

Please provide any additional information below.

This is caused by missing CA certificates.  In src/pkg/crypto/tls/common.go the default
config looks for curl's root CA bundle at these locations:

var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt", // Linux etc
    "/usr/share/curl/curl-ca-bundle.crt", // OS X
}

On the two OS 10.6 systems I checked the second location didn't exist.  In fact, I
couldn't find this file anywhere after trying the following:


{dan@godel /}$ mdfind curl-ca-bundle.crt|grep -v '^/opt'
{dan@godel /}$ curl-config --ca                         

{dan@godel /}$ 

Curl can still retrieve HTTPS URLs.  I patched my common.go to look for the MacPorts
version of this file:


{dan@godel ~/src/golang}$ hg diff
diff -r db904d88dc0e src/pkg/crypto/tls/common.go
--- a/src/pkg/crypto/tls/common.go  Fri Jul 30 14:48:30 2010 +1000
+++ b/src/pkg/crypto/tls/common.go  Sun Aug 08 01:47:51 2010 -0700
@@ -138,7 +138,8 @@
 // the same root set that curl uses.
 var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt", // Linux etc
-   "/usr/share/curl/curl-ca-bundle.crt", // OS X
+   "/usr/share/curl/curl-ca-bundle.crt", // OS X (<= 10.5?)
+   "/opt/local/share/curl/curl-ca-bundle.crt", // OS X (MacPorts)
 func initDefaultConfig() {
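Review bot: the new `/opt/local/share/curl/curl-ca-bundle.crt` entry only helps hosts that have MacPorts installed; on a stock OS X install neither curl path exists, so the root set stays empty and the "bad certificate" failure remains for everyone else. The `// OS X (<= 10.5?)` comment records a guess rather than a fact; either confirm which releases shipped `/usr/share/curl/curl-ca-bundle.crt` or word the comment as unverified. Also, the header `@@ -138,7 +138,8 @@` announces seven old and eight new lines but only five and six are visible, so the closing `}` of `certFiles` and the blank line before `func initDefaultConfig()` appear to have been lost when the diff was pasted; re-attach the full context before anyone applies this.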
{dan@godel ~/src/golang}$ 

rsc commented Aug 12, 2010

Comment 1:

What about people who don't have MacPorts?
This is a known issue - there's a TODO to that
effect in the source code.  My plan is to revise the
networking code so that it can use host services
and ask OS X for the root set or to validate the certificate.

Owner changed to

Status changed to Accepted.


Comment 2 by

Yeah, my patch is admittedly a hack -- just thought I'd mention what I did to work
around the problem.
Should there be tickets in here for TODOs like this in the code, or is that overkill?


rsc commented Aug 23, 2010

Comment 3:

Many TODOs in the code are not critical.
This one is, but the plan is still to revise
the networking code, possibly this week.


rsc commented Oct 6, 2011

Comment 4:

The networking code now uses cgo, so it is time to fix this for real.
The fix is to add new root_darwin.go, root_unix.go, and root_stub.go
files to crypto/tls, all implementing initDefaultRoots().
The root_stub.go implementation would do nothing;
root_darwin.go would call SecTrustCopyAnchorCertificates [1],
root_unix.go would do the file reading currently in common.go.
We will eventually want a root_windows.go too.

Labels changed: added os-macosx.

Status changed to HelpWanted.
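To make the two states discussed in the original report and in comment 4 concrete, here is an added Go example; it is not part of this thread and not code from the Go tree. It models the file-search fallback from common.go (`rootsFromFirstExisting`: first candidate bundle that exists wins, nil if none does) and the empty root set a do-nothing root_stub.go would leave behind (`verifyLeaf` treats a nil pool as empty), then verifies a constructed leaf certificate first with only the stock `/usr/share/curl/curl-ca-bundle.crt` path listed and then with a temporary bundle standing in for the MacPorts file. All function names, the hostname `example.test`, the generated certificates and the temporary file are assumptions of the example; it does not call SecTrustCopyAnchorCertificates, since that needs cgo and OS X.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// rootsFromFirstExisting models the fallback in common.go that the report describes: the
// first candidate bundle that exists and parses wins, and nil means none did (stock 10.6).
func rootsFromFirstExisting(candidates []string) *x509.CertPool {
	for _, path := range candidates {
		if data, err := os.ReadFile(path); err == nil {
			pool := x509.NewCertPool()
			if pool.AppendCertsFromPEM(data) {
				return pool
			}
		}
	}
	return nil
}

// verifyLeaf checks a server certificate against roots for host. A nil pool (what a do-nothing
// root_stub.go leaves behind) becomes an empty pool, so the outcome is a clean failure.
func verifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	if roots == nil {
		roots = x509.NewCertPool() // never let nil fall through to this machine's system roots
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports the "no trusted root" failure behind the "bad certificate" error.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// must is a fixture-only helper: demo key and certificate generation aborts on error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeTestPKI constructs, in memory and only for this demonstration, a throwaway root CA
// and a server leaf it signs for host.
func makeTestPKI(host string) (caPEM []byte, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, srv, caCert, &leafKey.PublicKey, caKey))
	leaf = must(x509.ParseCertificate(leafDER))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

// Demo reproduces both scenarios from the thread: only the stock OS X path is searched and
// is absent (missing), then a second candidate standing in for the MacPorts path exists (found).
func Demo() (missing, found error) {
	caPEM, leaf := makeTestPKI("example.test")
	dir := must(os.MkdirTemp("", "rootdemo"))
	defer os.RemoveAll(dir)
	bundle := filepath.Join(dir, "curl-ca-bundle.crt") // constructed stand-in for the MacPorts file
	if err := os.WriteFile(bundle, caPEM, 0o644); err != nil {
		panic(err) // fixture setup, same policy as must
	}
	stock := "/usr/share/curl/curl-ca-bundle.crt" // the OS X path common.go actually tried
	missing = verifyLeaf(leaf, rootsFromFirstExisting([]string{stock}), "example.test")
	found = verifyLeaf(leaf, rootsFromFirstExisting([]string{stock, bundle}), "example.test")
	return missing, found
}

func main() {
	missing, found := Demo()
	fmt.Println("stock path only:", missing)
	fmt.Println("bundle present: ", found)
}
```

Running it prints a "certificate signed by unknown authority" error for the first case and `<nil>` for the second. The nil-means-empty rule in `verifyLeaf` is deliberate: in current crypto/x509 a nil `Roots` means "use the system roots", so a stub that merely leaves the pool nil would not fail noisily but would verify against whatever this machine trusts, which is not the deterministic per-OS behaviour comment 4 describes.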


rsc commented Oct 13, 2011

Comment 5:

This issue was closed by revision 38fb09b.

Status changed to Fixed.

@golang golang locked and limited conversation to collaborators Jun 24, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@rsc rsc removed their assignment Jun 22, 2022