crypto/x509: load all trusted certs on darwin (cgo)
The current implementation ignores certs wherein the Subject does not match the Issuer. An example of where this causes an issue is an enterprise environment with intermediate CAs. In this case, the issuer is separate (and may be loaded) but the intermediate is ignored. A TLS handshake that does not include the intermediate cert would then fail with an untrusted error in Go.

On other platforms (darwin-nocgo included), all trusted certs are loaded and accepted regardless of Subject/Issuer names.

This change removes the Subject/Issuer name-matching restriction of certificates when trustAsRoot is set, allowing all trusted certs to be loaded on darwin (cgo).

Refs #16532

Change-Id: I451e929588f8911892be6bdc2143d0799363c5f8
Reviewed-on: https://go-review.googlesource.com/36942
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>