Zig only reads CA Certificates from SystemRootCertificates.keychain and not from System.keychain #22700
Comments
dreilly1982
added
the
bug
|
I only mentioned zig fetch in the initial issue as this is where I found the issue, and the fetch command doesn't currently have any apparent way to pass the arguments to ignore TLS verification. This is a show stopper for anyone using Zig on machines where their traffic is forced through intercept proxies on MacOS. |
|
Just ran into this issue myself. Found #15681 which seems like the correct way to address this situation. |
|
Thank you for referencing that, it had not come up in my search through issues. The approach I went with in my PR was to also look in System.keychain for valid trusted certs. My thought is if it is in System.keychain then at least an administrator on the system installed it. This could be easily expanded to user keychains, and I feel that would be the appropriate way to add trusted certificates on MacOS. As for an ignore TLS flag, it looks simple enough to implement, but that wasn't my intent in this particular issue. |
Zig Version
0.14.0-dev.2989+bf6ee7cb3
Steps to Reproduce and Observed Behavior
run
zig fetch <url>returnserror: unable to connect to server: TlsInitializationFailedthis is due to a TLS intercept using a coporate signed TLS certificate.Expected Behavior
I am very sure that this was intended as written, however many organizations use TLS intercept on their devices. Allowing to read certificates from both
/System/Library/Keychains/SystemRootCertificates.keychainas well as/Library/Keychains/System.keychainwould allow trusted intercept certificates to be installed in the System keychain, and still be trusted for actions such as "zig build fetch".The text was updated successfully, but these errors were encountered: