proposal: crypto/x509: add functions to download certificates from Windows Update, and retrieve certificates from Windows x509stores #26950
The missing certificates can be downloaded from Windows Update using
We could retrieve the certificates from Windows Update and all of the above locations. Then remove the disallowed certificates from that entire collection. That way
I have been working on it - CL 127577. While working on it, I created two new functions. One would retrieve the certificates from any location mentioned in the MSDN docs -
I opened this proposal to welcome a discussion regarding whether or not we should export those two new functions to the standard library. The code would be there regardless. Because there are multiple certificate stores on Windows, these functions could provide the end user a bit more control if needed.
Sorry, but I didn't get that. Disable what? If you mean the way Windows downloads the certificates on demand... then no, there isn't a way to disable that.
I agree, blocking would not be ideal.
I think giving a way to enable/disable fetching certs from Windows Update would increase the complexity a bit. If we rely on an environment variable, the user would have to change it whenever their network status changes, or whenever they want to enable/disable downloading certs from WU.
Instead, we could just return an error mentioning that certs were not downloaded from WU. I described a way to do it in the CL.