Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: FreeBSD CA roots order fix #14022

Closed
lifeforms opened this issue Jan 19, 2016 · 6 comments
Closed

crypto/x509: FreeBSD CA roots order fix #14022

lifeforms opened this issue Jan 19, 2016 · 6 comments
Assignees
Milestone

Comments

@lifeforms
Copy link

@lifeforms lifeforms commented Jan 19, 2016

In Go 1.5, the CA root certificate store search order was changed for BSD systems:

  • Go 1.4 programs would look for /etc/ssl/cert.pem before trying /usr/local/share/certs/ca-root-nss.crt. (source)
  • Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, before looking for /etc/ssl/cert.pem. (source)

Looking at FreeBSD itself, libfetch (used by FreeBSD core) appears to try the SSL_CA_CERT_FILE environment variable first, then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem. (source) This might be considered the canonical way to determine the location for the trust store on FreeBSD.

In FreeBSD, the location /usr/local/share/certs/ca-root-nss.crt is not special or blessed, but it's an implementation detail of the ca_root_nss package (Root certificate bundle from the Mozilla Project). Almost all users will have this package installed, and due to the ca_root_nss package's ETCSYMLINK option, their /etc/ssl/cert.pem will be symlinked, in which case the lookup order does not matter.

My issue with Go 1.5 happens because I deploy my own trust store to /etc/ssl/cert.pem.

If the ca_root_nss package happens to be installed, Go 1.5 picks up the ca_root_nss package's file /usr/local/share/certs/ca-root-nss.crt and no longer looks at the global /etc/ssl/cert.pem.

My build boxes have the Mozilla roots ca_root_nss package installed (to incorporate a modified version of it in our own trust store). On these machines, Go 1.5 programs prefer ca-root-nss.crt and use only the Mozilla roots, failing to verify servers using the global roots.

Due to fate, the search order in Go 1.4 (source) seems to have been more correct, as /etc/ssl/cert.pem was tried first, even if it was marked only as for OpenBSD.

However, since most people will just plainly use the Mozilla CA roots as their global roots file, this issue is probably rare.

I would recommend to duplicate the search order of FreeBSD's libfetch (source) in /src/crypto/x509/root_bsd.go.

The current list is:

var certFiles = []string{
    "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
    "/etc/ssl/cert.pem",                      // OpenBSD
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

To prefer the system roots and mimic the behavior of libfetch, while keeping compatibility with the other OSes, the entries could become:

var certFiles = []string{
    "/usr/local/etc/ssl/cert.pem",            // FreeBSD
    "/etc/ssl/cert.pem",                      // FreeBSD/OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt", // DragonFly
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

Go version: go version go1.5.3 freebsd/amd64

@minux
Copy link
Member

@minux minux commented Jan 19, 2016

@ianlancetaylor ianlancetaylor modified the milestones: Go1.6Maybe, Go1.7 Jan 19, 2016
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Jan 19, 2016

Since this is the first complaint I've seen about 1.5, and we are frozen as we can be for 1.6, I'm pushing this back until 1.7.

@lifeforms
Copy link
Author

@lifeforms lifeforms commented Jan 20, 2016

That sounds great, good luck with the freeze!

As for environment variables, FreeBSD just brought its libfetch in order with OpenSSL convention of checking SSL_CA_CERT_FILE and SSL_CA_CERT_PATH. I imagine it would be pretty cool if Go programs would do the same, though the change would be a bit bigger.

@gopherbot
Copy link

@gopherbot gopherbot commented Mar 5, 2016

CL https://golang.org/cl/20253 mentions this issue.

@agl agl self-assigned this Mar 10, 2016
@rsc
Copy link
Contributor

@rsc rsc commented May 18, 2016

We should make sure to get to this early in Go 1.8.

@gopherbot
Copy link

@gopherbot gopherbot commented Feb 2, 2017

CL https://golang.org/cl/36093 mentions this issue.

@bradfitz bradfitz modified the milestones: Go1.9, Go1.9Early May 3, 2017
@gopherbot gopherbot closed this in e83bcd9 May 3, 2017
@golang golang locked and limited conversation to collaborators May 3, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
9 participants
You can’t perform that action at this time.