crypto/x509: FreeBSD CA roots order fix

[lifeforms]

In Go 1.5, the CA root certificate store search order was changed for BSD systems:

• Go 1.4 programs would look for /etc/ssl/cert.pem before trying /usr/local/share/certs/ca-root-nss.crt. (source)
• Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, before looking for /etc/ssl/cert.pem. (source)

Looking at FreeBSD itself, libfetch (used by FreeBSD core) appears to try the SSL_CA_CERT_FILE environment variable first, then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem. (source) This might be considered the canonical way to determine the location for the trust store on FreeBSD.

In FreeBSD, the location /usr/local/share/certs/ca-root-nss.crt is not special or blessed, but it's an implementation detail of the ca_root_nss package (Root certificate bundle from the Mozilla Project). Almost all users will have this package installed, and due to the ca_root_nss package's ETCSYMLINK option, their /etc/ssl/cert.pem will be symlinked, in which case the lookup order does not matter.

My issue with Go 1.5 happens because I deploy my own trust store to /etc/ssl/cert.pem.

If the ca_root_nss package happens to be installed, Go 1.5 picks up the ca_root_nss package's file /usr/local/share/certs/ca-root-nss.crt and no longer looks at the global /etc/ssl/cert.pem.

My build boxes have the Mozilla roots ca_root_nss package installed (to incorporate a modified version of it in our own trust store). On these machines, Go 1.5 programs prefer ca-root-nss.crt and use only the Mozilla roots, failing to verify servers using the global roots.

Due to fate, the search order in Go 1.4 (source) seems to have been more correct, as /etc/ssl/cert.pem was tried first, even if it was marked only as for OpenBSD.

However, since most people will just plainly use the Mozilla CA roots as their global roots file, this issue is probably rare.

I would recommend to duplicate the search order of FreeBSD's libfetch (source) in /src/crypto/x509/root_bsd.go.

The current list is:

var certFiles = []string{
    "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
    "/etc/ssl/cert.pem",                      // OpenBSD
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

To prefer the system roots and mimic the behavior of libfetch, while keeping compatibility with the other OSes, the entries could become:

var certFiles = []string{
    "/usr/local/etc/ssl/cert.pem",            // FreeBSD
    "/etc/ssl/cert.pem",                      // FreeBSD/OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt", // DragonFly
    "/etc/openssl/certs/ca-certificates.crt", // NetBSD
}

Go version: go version go1.5.3 freebsd/amd64

[minux]

Perhaps we should just add a environment variable for the user to specify system root directory explicitly. It will be much less fragile than relying on the default search order.

[ianlancetaylor]

Since this is the first complaint I've seen about 1.5, and we are frozen as we can be for 1.6, I'm pushing this back until 1.7.

[lifeforms]

That sounds great, good luck with the freeze!

As for environment variables, FreeBSD just brought its libfetch in order with OpenSSL convention of checking SSL_CA_CERT_FILE and SSL_CA_CERT_PATH. I imagine it would be pretty cool if Go programs would do the same, though the change would be a bit bigger.

[gopherbot]

CL https://golang.org/cl/20253 mentions this issue.

[rsc]

We should make sure to get to this early in Go 1.8.

[gopherbot]

CL https://golang.org/cl/36093 mentions this issue.