Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
crypto/x509: Go 1.8's SystemCertPool() on Windows does not return all Windows root CAs #18609
I believe that Go 1.8's implementation of SystemCertPool on Windows can give some surprising results.
The reason is that Windows doesn't ship with all of its root certificates installed. Instead, it downloads them on-demand.
(See the original implementation of systemVerify on Windows:a324a5a)
This means that there's a difference between what crypto/x509 will verify as OK on Windows with a default VerifyOptions (which uses the systemVerify() function - and will automatically fetch missing root CAs), and attempting to use the SystemCertPool() as the root store in VerifyOptions yourself.
I'm not sure what to do here. Maybe a note in the SystemCertPool docs about the Windows situation is sufficient?
But surely that impacts the usability of
I think it's somewhat dangerous: previously, SystemCertPool() would return an error because the intended functionality couldn't be properly implemented on Windows. Now, it returns a subset of the Windows cert pool that that machine has visited before.
Programs that were aware of SystemCertPool returning an error on Windows might keep working.
It is same that UNIX code use the files /etc/ssl/ca-bundle.pem. If the administrator doesn't update ca-bundle, it may be obsolete certificates.
But that isn't the problem.
The problem is that
So that means the the behavior of something like:
will return a different "truth" than
which to me is very unexpected.
@mkrautz I agree that SystemCertPool on Windows could return misleading results. I do not see technical way to improve the situation - as you have explained above it just the way Windows works.
But (I am not security expert), I think other OSes would have similar problems. What about "certificate revocation lists"? Is SystemCertPool takes "certificate revocation lists" into account? Maybe something similar.
We should, probably, document SystemCertPool on Windows shortcomings.
Updates #18609 Change-Id: I8306135660f52cf625bed4c7f53f632e527617de Reviewed-on: https://go-review.googlesource.com/35265 Run-TryBot: Brad Fitzpatrick <email@example.com> TryBot-Result: Gobot Gobot <firstname.lastname@example.org> Reviewed-by: Russ Cox <email@example.com> Reviewed-by: Quentin Smith <firstname.lastname@example.org>