crypto/x509: make SystemCertPool work on Windows? #16736

Closed
bradfitz opened this issue Aug 16, 2016 · 26 comments

Labels: FrozenDueToAge, help wanted, NeedsFix (the path to resolution is known, but the work has not been done), OS-Windows

Comments

@bradfitz
Contributor

https://golang.org/pkg/crypto/x509/#SystemCertPool doesn't work on Windows:

    func SystemCertPool() (*CertPool, error) {
        if runtime.GOOS == "windows" {
            return nil, errors.New("crypto/x509: system root pool is not available on Windows")
        }
        ....

I checked it in with the commit message "SystemCertPool returns an error on Windows. Maybe it's fixable later." (a62ae9f, golang.org/cl/21293, #13335)

This bug is about fixing it.

/cc @alexbrainman

@bradfitz bradfitz added this to the Go1.8Maybe milestone Aug 16, 2016
@alexbrainman
Member

I really don't know, I am not a security expert. But I think you want to open the LocalMachine\root (or maybe CurrentUser\root) certificate store and read all certificates there with CertEnumCertificatesInStore or similar. What do you think?

Alex

@bradfitz
Contributor Author

Sounds plausible.

I don't think this requires a security expert as much as somebody who can read MSDN docs.

@gopherbot
Contributor

CL https://golang.org/cl/30578 mentions this issue.

@quentinmit quentinmit added the NeedsFix label Oct 10, 2016
mariash pushed a commit to vmware-archive/fly that referenced this issue Nov 21, 2016
SystemCertPool is not supported on windows in go 1.7.
see golang/go#16736
Once 1.8 is released we can remove special condition and always append
to system cert pool.

[#133304007]

Signed-off-by: Maria Shaldibina <mshaldibina@pivotal.io>
@jeffallen
Contributor

Note: This change was rolled back in #18609. SystemCertPool on Windows on Go 1.8 still returns nil. @bradfitz Maybe you could re-open this and remove the go1.8maybe tag on it? Thanks.

@alexbrainman alexbrainman modified the milestones: Go1.9, Go1.8Maybe Feb 14, 2017
@alexbrainman alexbrainman reopened this Feb 14, 2017
@alexbrainman
Member

@jeffallen Done.

Alex

@felixbecker

Hi, I came from issue #18609 and am trying to understand what could help. Maybe, as a look over the fence, this is how dotnet core addresses this (https://github.com/dotnet/corefx/tree/master/src/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates). Just trying to get a better understanding of what fails and what could help.

@danielorbach

I have encountered the lack of support for this function on Windows, and would like to help resolve it :)

@siennathesane

> I have encountered the lack of support for this function on Windows, and would like to help resolve it :)

@danielorbach, try this: #16736 (comment)

praveenkumar added a commit to praveenkumar/proxy that referenced this issue Sep 28, 2021
As per https://golang.org/src/crypto/x509/cert_pool.go, it looks like there
is no implementation of `SystemCertPool` for the Windows platform and it
just returns the error.
```
func SystemCertPool() (*CertPool, error) {
	if runtime.GOOS == "windows" {
		// Issue 16736, 18609:
		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
	}
....
```

- golang/go#16736
- golang/go#46287
cfergeau added a commit to cfergeau/crc that referenced this issue Sep 28, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)
cfergeau added a commit to cfergeau/crc that referenced this issue Sep 28, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)

This fixes crc-org#2770
praveenkumar pushed a commit to crc-org/crc that referenced this issue Sep 29, 2021
On Windows, x509.SystemCertPool returns an error:
golang/go#16736

This commit reverts to the behaviour before commit b50dc99 when catching
such an error. This means https_proxy=https://... will be broken for
non-mitm https proxies. Such proxies were not usable before the PR
adding b50dc99, so this should not have much impact for our existing
users.

These CAs are used:
- when accessing telemetry
- when checking for a new crc version
- when downloading binaries (only happens with git builds)

This fixes #2770
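The fallback these downstream commits describe (use the system pool where SystemCertPool works, otherwise fall back to the earlier behaviour instead of failing) written out as an added example; it is not code from Go, crc or proxy, and the names rootCAs, loadSystemPool and the self-signed sample CA are assumptions made here. What it makes explicit is the caveat the crc message hints at: a non-nil pool built only from extra CAs drops trust in every system root, which is why non-MITM proxies stop verifying on affected Go versions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// loadSystemPool is a variable so the Windows failure can be simulated.
var loadSystemPool = x509.SystemCertPool
// rootCAs builds the value for tls.Config.RootCAs. usedSystem reports whether the
// platform roots were loaded; when they were not (Go 1.7 to 1.17 on Windows) and no
// extra CA is given it returns nil, which keeps the platform verifier in use.
func rootCAs(extraPEM []byte) (pool *x509.CertPool, usedSystem bool, err error) {
	pool, err = loadSystemPool()
	switch {
	case err == nil:
		usedSystem = true
	case len(extraPEM) == 0:
		return nil, false, nil
	default:
		// Extra CAs only: anything signed by a system root will now fail to verify.
		pool = x509.NewCertPool()
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, usedSystem, errors.New("extra PEM contained no usable certificate")
	}
	return pool, usedSystem, nil
}

// selfSignedCAPEM makes a throwaway CA certificate (constructed sample input).
func selfSignedCAPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Callers should log or surface usedSystem so that a Windows build silently running with only the extra CAs is visible rather than discovered as unexplained TLS failures.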
@gopherbot
Contributor

Change https://golang.org/cl/353589 mentions this issue: crypto/x509: verification with system and custom roots

17 participants