From owner-freebsd-questions@freebsd.org Thu Sep 24 16:29:13 2015 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F32EA05491 for ; Thu, 24 Sep 2015 16:29:13 +0000 (UTC) (envelope-from freebsd@spam.lifeforms.nl) Received: from tau.lfms.nl (tau.lfms.nl [IPv6:2a00:f320:0:3::30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D64361A86 for ; Thu, 24 Sep 2015 16:29:12 +0000 (UTC) (envelope-from freebsd@spam.lifeforms.nl) Received: from sim.dt.lfms.nl (dt.lfms.nl [83.84.0.54]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by tau.lfms.nl (Postfix) with ESMTPS id A3BA7892CC for ; Thu, 24 Sep 2015 18:29:00 +0200 (CEST) Received: from borax.dt.lfms.nl (borax.dt.lfms.nl [IPv6:2001:1af8:fe00:8414::112]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sim.dt.lfms.nl (Postfix) with ESMTPS id 6FF7A9C09099 for ; Thu, 24 Sep 2015 18:29:00 +0200 (CEST) From: Walter Hop Subject: Where should a FreeBSD program look for root certificates? Message-Id: <7D343A15-FC7A-4250-A5B8-4A6C35E3D4FC@spam.lifeforms.nl> Date: Thu, 24 Sep 2015 18:29:00 +0200 To: freebsd-questions@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) X-Mailer: Apple Mail (2.2104) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Sep 2015 16:29:13 -0000 Hi, I've been sorting out a problem with my Go program (a HTTPS client) on = FreeBSD since the upgrade to Go 1.5. It turns out that Go changed its search order in which it looks for root = certificates. Go 1.4 programs would look for /etc/ssl/cert.pem, before trying = /usr/local/share/certs/ca-root-nss.crt [1]. Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, = and then /etc/ssl/cert.pem [2]. This created an issue for me, as I always assumed that /etc/ssl/cert.pem = is more or less the 'official' location for root certificates in = FreeBSD, so I deploy my private CA root there. But since Go 1.5, Go programs will ignore /etc/ssl/cert.pem if the = ca_root_nss package is present, due to the change in search order. = Therefore my private certificates don=E2=80=99t validate. Is there an official position where FreeBSD programs should look for = this certificate store? I'm considering to open a Go bug to move /etc/ssl/cert.pem higher in the = search order, on the basis of: - Not only OpenBSD, but also FreeBSD uses /etc/ssl/cert.pem - FreeBSD core components, such as libfetch, use /etc/ssl/cert.pem [3] - The location of the ca_root_nss file is an implementation detail of = the package and should not override the core location After seeing libfetch source, I guess it would be a good thing to try = /usr/local/etc/ssl/cert.pem too. However, maybe I'm wrong, maybe /etc/ssl/cert.pem is not 'special' or = sanctioned, and there are good reasons to prefer = /usr/local/share/certs/ca-root-nss.crt which I am not realizing. What do you think Go (or other programs for that matter) should do? Thanks! WH References: 1. = https://github.com/golang/go/blob/release-branch.go1.4/src/crypto/x509/roo= t_unix.go#L16 2. = https://github.com/golang/go/blob/release-branch.go1.5/src/crypto/x509/roo= t_bsd.go#L11 3. = https://github.com/freebsd/freebsd/blob/master/lib/libfetch/common.c#L694 --=20 Walter Hop | PGP key: https://lifeforms.nl/pgp