Use x509.SetFallbackRoots and switch away from gocertifi #628
Use `x509.SetFallbackRoots` to prefer the OS-provided CA certificate store over some static set of certificates we've got through a package dependency that had chosen some arbitrary CA set to use and needs to be updated periodically both on our side and on the side of the package. This change simplifies the code greatly by only requiring a single `x509.SetFallbackRoots()` call in each `main` package, and in our case we only need one such call. The only downside of this approach is that if the operating system's CA certificate store is not empty and some of the certificates are outdated, the connection might fail.

Switch away from `github.com/certifi/gocertifi` because it hasn't been maintained for more than 2 years. Unfortunately, the official `golang.org/x/crypto/x509roots/fallback` is not ready yet, but the package of the person who initially created the issue (crypto/x509: add SetFallbackRoots and golang.org/x/crypto/x509roots/fallback package golang/go#43958) seems to be well maintained and documented.
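Added example, not code from this PR or the project it targets: a Go `main` package that parses a PEM bundle into a pool and hands it to `x509.SetFallbackRoots` once, which is the pattern the description above proposes. Every function name here (`buildFallbackPool`, `installFallbackRoots`, `verifyAgainstPool`, `makeConstructedBundle`) and the `example.invalid` host name are assumptions made for illustration; the CA and leaf are generated at runtime so the example runs offline, whereas a real build would embed a curated PEM file instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildFallbackPool parses every CERTIFICATE block of a PEM bundle; an empty
// result is an error, so a broken bundle fails loudly at startup.
func buildFallbackPool(bundle []byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("fallback root %d: %w", n+1, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, errors.New("fallback bundle contains no certificates")
	}
	return pool, n, nil
}

// installFallbackRoots is the single call per main package the PR describes.
// crypto/x509 consults the pool only when the OS store is empty (or when
// GODEBUG=x509usefallbackroots=1 forces it); a populated but stale OS store
// still wins, which is the downside the description mentions.
func installFallbackRoots(bundle []byte) (*x509.CertPool, int, error) {
	pool, n, err := buildFallbackPool(bundle)
	if err != nil {
		return nil, 0, err
	}
	x509.SetFallbackRoots(pool) // would panic on a nil pool; never nil here
	return pool, n, nil
}

// verifyAgainstPool validates a DER leaf against an explicit root pool, so
// the bundle can be exercised without touching the host's CA store.
func verifyAgainstPool(pool *x509.CertPool, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// makeConstructedBundle generates a throwaway CA plus a leaf it signed (a
// constructed fixture; CreateCertificate accepts the CA template as parent).
func makeConstructedBundle(host string) (caPEM, leafDER []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caDER, err1 := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafDER, err2 = x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, leafDER, nil
}

func main() {
	caPEM, leafDER, err := makeConstructedBundle("example.invalid")
	if err != nil {
		panic(err)
	}
	pool, n, err := installFallbackRoots(caPEM)
	fmt.Println(n, err, verifyAgainstPool(pool, leafDER, "example.invalid"))
}
```

In a real binary the bundle would come from a `//go:embed` file and `installFallbackRoots` would be the first thing `main` does, before any TLS client is built; the empty-bundle check matters because `SetFallbackRoots` happily accepts an empty pool, which would leave a container with no OS store trusting nothing at all.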