
crypto/x509: make SystemCertPool work on Windows? #16736

Closed
bradfitz opened this issue Aug 16, 2016 · 26 comments
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done. OS-Windows
Milestone

Comments

@bradfitz
Contributor

https://golang.org/pkg/crypto/x509/#SystemCertPool doesn't work on Windows:

    func SystemCertPool() (*CertPool, error) {
        if runtime.GOOS == "windows" {
            return nil, errors.New("crypto/x509: system root pool is not available on Windows")
        }
        ....

I checked it in with the commit message "SystemCertPool returns an error on Windows. Maybe it's fixable later." (a62ae9f, golang.org/cl/21293, #13335)

This bug is about fixing it.

/cc @alexbrainman

@bradfitz bradfitz added this to the Go1.8Maybe milestone Aug 16, 2016
@alexbrainman
Member

I really don't know, I am not a security expert. But I think you want to open the LocalMachine\root (or maybe CurrentUser\root) certificate store, and read all certificates there with CertEnumCertificatesInStore or similar. What do you think?

Alex

@bradfitz
Contributor Author

Sounds plausible.

I don't think this requires a security expert as much as somebody who can read MSDN docs.

@gopherbot
Contributor

CL https://golang.org/cl/30578 mentions this issue.

@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 10, 2016
mariash pushed a commit to vmware-archive/fly that referenced this issue Nov 21, 2016
SystemCertPool is not supported on windows in go 1.7.
see golang/go#16736
Once 1.8 is released we can remove special condition and always append
to system cert pool.

[#133304007]

Signed-off-by: Maria Shaldibina <[email protected]>
@jeffallen
Contributor

Note: This change was rolled back in #18609. SystemCertPool on Windows on Go 1.8 still returns nil. @bradfitz Maybe you could re-open this and remove the go1.8maybe tag on it? Thanks.

@alexbrainman alexbrainman modified the milestones: Go1.9, Go1.8Maybe Feb 14, 2017
@alexbrainman alexbrainman reopened this Feb 14, 2017
@alexbrainman
Member

@jeffallen Done.

Alex

@felixbecker

Hi, I came here from issue #18609 and am trying to understand what could help. Maybe, as a look over the fence, this is how dotnetcore addresses this (https://github.com/dotnet/corefx/tree/master/src/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates). Just trying to get a better understanding of what fails and what could help.

@danielorbach

I have encountered the lack of support for this function on Windows, and would like to help resolve it :)

@siennathesane

I have encountered the lack of support for this function on Windows, and would like to help resolve it :)

@danielorbach, try this: #16736 (comment)

praveenkumar added a commit to praveenkumar/proxy that referenced this issue Sep 28, 2021
As per https://golang.org/src/crypto/x509/cert_pool.go it looks like there
is no implementation of `SystemCertPool` for the Windows platform and it
just returns the error.
```
func SystemCertPool() (*CertPool, error) {
	if runtime.GOOS == "windows" {
		// Issue 16736, 18609:
		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
	}
....
```

- golang/go#16736
- golang/go#46287
cfergeau added a commit to cfergeau/crc that referenced this issue Sep 28, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)
cfergeau added a commit to cfergeau/crc that referenced this issue Sep 28, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)

This fixes crc-org#2770
praveenkumar pushed a commit to crc-org/crc that referenced this issue Sep 29, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)

This fixes #2770
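The commit messages above all take the same approach to the Go 1.7 behaviour quoted in this issue: catch the error from x509.SystemCertPool on Windows and carry on with whatever roots the application ships itself. The following is an added example, not code from Go, crc or any project referenced here, of how to structure that fallback so it can be tested on every platform. The function names (mergeRoots, RootPool, verifyLeaf, newTestPKI) and the host name are this example's own; the decision logic is kept separate from the SystemCertPool call, so the nil-pool-plus-error outcome can be fed in directly, and the CA and leaf certificate are generated in memory purely for demonstration. The one security point worth encoding is that "system pool unavailable and no bundle" must be an error, not an empty pool: an empty pool is deny-all, and a client that quietly ends up there fails every handshake with a misleading "unknown authority" message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mergeRoots decides which roots a TLS client trusts. It takes the result of
// x509.SystemCertPool as arguments so the Go 1.7 Windows outcome (nil pool plus
// error) can be exercised on any platform. A bundled CA, if given, is appended in
// both branches; with neither source it returns an error rather than an empty
// pool, which would silently fail every handshake.
func mergeRoots(system *x509.CertPool, sysErr error, bundledPEM []byte) (*x509.CertPool, error) {
	pool := system
	if sysErr != nil || pool == nil {
		if len(bundledPEM) == 0 {
			return nil, fmt.Errorf("no trust roots available (system pool: %v)", sysErr)
		}
		pool = x509.NewCertPool() // the bundle becomes the only trust anchor
	}
	if len(bundledPEM) > 0 && !pool.AppendCertsFromPEM(bundledPEM) {
		return nil, errors.New("bundled PEM contains no parseable certificate")
	}
	return pool, nil
}

// RootPool is what call sites use: system roots plus an optional bundle.
func RootPool(bundledPEM []byte) (*x509.CertPool, error) {
	sys, err := x509.SystemCertPool()
	return mergeRoots(sys, err, bundledPEM)
}

// verifyLeaf checks a DER leaf against pool for host, as crypto/tls does in a handshake.
func verifyLeaf(pool *x509.CertPool, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// newTestPKI builds a throwaway self-signed CA and a server leaf it signed (constructed in memory).
func newTestPKI(host string) (caPEM, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Internal Root (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // sign the leaf with the issued CA cert as parent
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER, nil
}

func main() {
	const host = "proxy.internal.example"
	caPEM, leafDER, err := newTestPKI(host)
	if err != nil {
		panic(err)
	}
	// Simulate the Go 1.7 Windows outcome quoted in this issue: nil pool plus the error.
	pool, err := mergeRoots(nil, errors.New("crypto/x509: system root pool is not available on Windows"), caPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("bundle-only pool verifies the leaf, error:", verifyLeaf(pool, leafDER, host))
}
```

Using RootPool for tls.Config.RootCAs keeps the system roots on platforms where Go can load them and degrades to the application's own bundle where it cannot, which is exactly the trade the crc commits above describe: a non-MITM proxy chained to a public CA stops working on Windows, but connections to endpoints under the bundled CA keep verifying. Note that the bundle is appended even when the system pool loads, so an internal CA shipped with the binary is trusted on every platform rather than only on the one where the fallback fires.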
@gopherbot
Contributor

Change https://golang.org/cl/353589 mentions this issue: crypto/x509: verification with system and custom roots

17 participants