crypto/x509: FreeBSD CA roots order fix #14022
In Go 1.5, the CA root certificate store search order was changed for BSD systems:
Looking at FreeBSD itself, libfetch (used by FreeBSD core) appears to try the SSL_CA_CERT_FILE environment variable first, then
In FreeBSD, the location
My issue with Go 1.5 happens because I deploy my own trust store to
If the ca_root_nss package happens to be installed, Go 1.5 picks up the ca_root_nss package's file
My build boxes have the Mozilla roots ca_root_nss package installed (to incorporate a modified version of it in our own trust store). On these machines, Go 1.5 programs prefer
Due to fate, the search order in Go 1.4 (source) seems to have been more correct, as
However, since most people will just plainly use the Mozilla CA roots as their global roots file, this issue is probably rare.
I would recommend duplicating the search order of FreeBSD's libfetch (source) in /src/crypto/x509/root_bsd.go.
The current list is:
To prefer the system roots and mimic the behavior of libfetch, while keeping compatibility with the other OSes, the entries could become:
That sounds great, good luck with the freeze!
As for environment variables, FreeBSD just brought its libfetch into line with the OpenSSL convention of checking SSL_CA_CERT_FILE and SSL_CA_CERT_PATH. I imagine it would be pretty cool if Go programs would do the same, though the change would be a bit bigger.
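The libfetch-style lookup discussed in the issue body (try SSL_CA_CERT_FILE first, then fall back through an ordered list of bundle paths) and the SSL_CA_CERT_PATH directory convention mentioned in the last comment, written out as an added example. This is illustrative code, not the contents of root_bsd.go or libfetch: the candidate paths and the `selectRoots`/`loadPool` names are assumptions, the file-existence checks are injected so the order can be exercised without a real trust store, and the only security-relevant point it demonstrates is that whichever store is found first is the one that decides what the program trusts.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNoRoots is returned when neither the environment nor any candidate
// location yields a CA root store.
var ErrNoRoots = errors.New("no CA root store found")

// rootSource records where the trust store was found: a single PEM bundle
// (File) or a directory of PEM files (Dir). Exactly one field is set.
type rootSource struct {
	File string
	Dir  string
}

// selectRoots applies the libfetch-style order described in the issue:
// SSL_CA_CERT_FILE first, then SSL_CA_CERT_PATH, then the candidate bundle
// paths in the order given. getenv, isFile and isDir are injected so the
// selection logic can be tested without touching the real filesystem.
// (Hypothetical helper; the real root_bsd.go only walks a fixed list.)
func selectRoots(getenv func(string) string, isFile, isDir func(string) bool, candidates []string) (rootSource, error) {
	if p := getenv("SSL_CA_CERT_FILE"); p != "" && isFile(p) {
		return rootSource{File: p}, nil
	}
	if p := getenv("SSL_CA_CERT_PATH"); p != "" && isDir(p) {
		return rootSource{Dir: p}, nil
	}
	for _, c := range candidates {
		if isFile(c) {
			return rootSource{File: c}, nil
		}
	}
	return rootSource{}, ErrNoRoots
}

// osIsFile and osIsDir are the real-filesystem implementations of the
// injected checks used by selectRoots.
func osIsFile(p string) bool { fi, err := os.Stat(p); return err == nil && fi.Mode().IsRegular() }
func osIsDir(p string) bool  { fi, err := os.Stat(p); return err == nil && fi.IsDir() }

// loadPool reads every PEM file behind src into a CertPool and reports how
// many files contributed at least one certificate. A store that parses to
// zero certificates is treated as an error rather than an empty trust set.
func loadPool(src rootSource) (*x509.CertPool, int, error) {
	var paths []string
	if src.File != "" {
		paths = []string{src.File}
	} else {
		matches, err := filepath.Glob(filepath.Join(src.Dir, "*"))
		if err != nil {
			return nil, 0, err
		}
		paths = matches
	}
	pool := x509.NewCertPool()
	loaded := 0
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			continue // unreadable entries are skipped, as a bundle walk would
		}
		if pool.AppendCertsFromPEM(data) {
			loaded++
		}
	}
	if loaded == 0 {
		return nil, 0, fmt.Errorf("no certificates parsed from %v", paths)
	}
	return pool, loaded, nil
}

func main() {
	// Constructed demo: an environment pointing at a bundle path that does
	// not exist, so the lookup falls through to the candidate list.
	// The candidate paths are placeholders, not the real FreeBSD locations.
	candidates := []string{"/placeholder/system/cert.pem", "/placeholder/pkg/cert.pem"}
	src, err := selectRoots(os.Getenv, osIsFile, osIsDir, candidates)
	fmt.Printf("selected: %+v err: %v\n", src, err)
}
```

The injected `isFile`/`isDir` checks are the point of the design: the order is the security decision, so it is kept in a function with no filesystem dependency that can be checked against a fake layout in which both a system bundle and a package-installed bundle are present.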