
crypto/x509: FreeBSD CA roots order fix #14022

Closed

Description

@lifeforms

In Go 1.5, the CA root certificate store search order was changed for BSD systems:

  • Go 1.4 programs would look for /etc/ssl/cert.pem before trying /usr/local/share/certs/ca-root-nss.crt. (source)
  • Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, before looking for /etc/ssl/cert.pem. (source)

Looking at FreeBSD itself, libfetch (used by FreeBSD core) appears to try the SSL_CA_CERT_FILE environment variable first, then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem. (source) This might be considered the canonical way to determine the location for the trust store on FreeBSD.

In FreeBSD, the location /usr/local/share/certs/ca-root-nss.crt is not special or blessed, but it's an implementation detail of the ca_root_nss package (Root certificate bundle from the Mozilla Project). Almost all users will have this package installed, and due to the ca_root_nss package's ETCSYMLINK option, their /etc/ssl/cert.pem will be symlinked, in which case the lookup order does not matter.

My issue with Go 1.5 happens because I deploy my own trust store to /etc/ssl/cert.pem.

If the ca_root_nss package happens to be installed, Go 1.5 picks up the ca_root_nss package's file /usr/local/share/certs/ca-root-nss.crt and no longer looks at the global /etc/ssl/cert.pem.

My build boxes have the Mozilla roots ca_root_nss package installed (to incorporate a modified version of it in our own trust store). On these machines, Go 1.5 programs prefer ca-root-nss.crt and use only the Mozilla roots, failing to verify servers using the global roots.

Due to fate, the search order in Go 1.4 (source) seems to have been more correct, as /etc/ssl/cert.pem was tried first, even if it was marked only as for OpenBSD.

However, since most people will just plainly use the Mozilla CA roots as their global roots file, this issue is probably rare.

I would recommend duplicating the search order of FreeBSD's libfetch (source) in /src/crypto/x509/root_bsd.go.

The current list is:

var certFiles = []string{
    "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
    "/etc/ssl/cert.pem",                      // OpenBSD
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

To prefer the system roots and mimic the behavior of libfetch, while keeping compatibility with the other OSes, the entries could become:

var certFiles = []string{
    "/usr/local/etc/ssl/cert.pem",            // FreeBSD
    "/etc/ssl/cert.pem",                      // FreeBSD/OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt", // DragonFly
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

Go version: go version go1.5.3 freebsd/amd64

Activity

minux (Member) commented on Jan 19, 2016
ianlancetaylor (Contributor) commented on Jan 19, 2016

Since this is the first complaint I've seen about 1.5, and we are frozen as we can be for 1.6, I'm pushing this back until 1.7.

lifeforms (Author) commented on Jan 20, 2016

That sounds great, good luck with the freeze!

As for environment variables, FreeBSD just brought its libfetch in line with the OpenSSL convention of checking SSL_CA_CERT_FILE and SSL_CA_CERT_PATH. I imagine it would be pretty cool if Go programs would do the same, though the change would be a bit bigger.

gopherbot (Contributor) commented on Mar 5, 2016

CL https://golang.org/cl/20253 mentions this issue.

self-assigned this on Mar 10, 2016
rsc (Contributor) commented on May 18, 2016

We should make sure to get to this early in Go 1.8.

modified the milestones: Go1.8, Go1.7 on May 18, 2016
added the NeedsFix label (The path to resolution is known, but the work has not been done.) on Oct 5, 2016
modified the milestones: Go1.9Early, Go1.8 on Nov 3, 2016
gopherbot (Contributor) commented on Feb 2, 2017

CL https://golang.org/cl/36093 mentions this issue.

modified the milestones: Go1.9, Go1.9Early on May 3, 2017
locked and limited conversation to collaborators on May 3, 2018