libtailscale: bridge user-installed CA certificates from Android to G…#757
Open
LoganRupe wants to merge 1 commit intotailscale:mainfrom
Open
libtailscale: bridge user-installed CA certificates from Android to G…#757LoganRupe wants to merge 1 commit intotailscale:mainfrom
LoganRupe wants to merge 1 commit intotailscale:mainfrom
Conversation
…o TLS
Go's crypto/x509 on Android only reads system CAs from
/system/etc/security/cacerts/ and does not read user-installed CAs from
the Android trust store. This causes TLS connections to fail with
"x509: certificate signed by unknown authority" when connecting to
servers using custom/self-signed CAs (e.g. Headscale with a private CA).
Add GetUserCACertsPEM() to the AppContext gomobile interface, implemented
in App.kt using KeyStore.getInstance("AndroidCAStore"). At startup, user
CA certs are written to the app's data directory and SSL_CERT_DIR is set
to include both the system and user cert directories, allowing Go's TLS
stack to trust user-installed certificates.
Fixes tailscale/tailscale#8085
Signed-off-by: Logan Rupe <logan@coldtap.io>
LoganRupe
force-pushed
the
android-user-ca-certs
branch
from
2d4079e to
9e4c757
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
libtailscale: bridge user-installed CA certificates from Android to Go TLS
Go's crypto/x509 on Android only reads system CAs from /system/etc/security/cacerts/ and does not read user-installed CAs from the Android trust store. This causes TLS connections to fail with "x509: certificate signed by unknown authority" when connecting to servers using custom/self-signed CAs (e.g. Headscale with a private CA).
Add GetUserCACertsPEM() to the AppContext gomobile interface, implemented in App.kt using KeyStore.getInstance("AndroidCAStore"). At startup, user CA certs are written to the app's data directory and SSL_CERT_DIR is set to include both the system and user cert directories, allowing Go's TLS stack to trust user-installed certificates.
Fixes tailscale/tailscale#8085