crypto/x509: stop looking at first root store #38869

FiloSottile · 2020-05-05T04:47:47Z

For some reason, when looking for a CA root store on UNIX we stop at the first good file, still look at directories, and not stop at the first good directory. On most systems the file, if it exists, is a bundling of the roots in the directory, and the directories are for different systems, not for combining.

We should probably make the function exit sooner.

gopherbot · 2020-05-16T03:04:07Z

Change https://golang.org/cl/234257 mentions this issue: crypto/x509: rework how system roots are loaded on unix systems

FiloSottile · 2020-10-05T17:49:38Z

Like #39540, let's give crypto/x509 a rest in Go 1.16.

dmitshur · 2021-05-21T18:52:35Z

There's only a week until target date for 1.17 beta 1. I'll move this to Backlog since it doesn't seem someone is actively working on getting this in, but please update the issue if needed.

FiloSottile added the NeedsFix label May 5, 2020

FiloSottile added this to the Backlog milestone May 5, 2020

FiloSottile removed this from the Backlog milestone Oct 5, 2020

FiloSottile added this to the Go1.17 milestone Oct 5, 2020

FiloSottile mentioned this issue May 20, 2021

crypto/x509: use platform verifier on Windows, macOS and iOS #46287

Closed

dmitshur removed this from the Go1.17 milestone May 21, 2021

dmitshur added this to the Backlog milestone May 21, 2021

crypto/x509: stop looking at first root store #38869

crypto/x509: stop looking at first root store #38869

FiloSottile commented May 5, 2020

gopherbot commented May 16, 2020

FiloSottile commented Oct 5, 2020

dmitshur commented May 21, 2021

crypto/x509: stop looking at first root store #38869

crypto/x509: stop looking at first root store #38869

Comments

FiloSottile commented May 5, 2020

gopherbot commented May 16, 2020

FiloSottile commented Oct 5, 2020

dmitshur commented May 21, 2021