Where should a FreeBSD program look for root certificates?

[Walter Hop]

Hi,

I've been sorting out a problem with my Go program (a HTTPS client) on FreeBSD since the upgrade to Go 1.5.

It turns out that Go changed its search order in which it looks for root certificates.

Go 1.4 programs would look for /etc/ssl/cert.pem, before trying /usr/local/share/certs/ca-root-nss.crt [1].

Go 1.5 programs will try /usr/local/share/certs/ca-root-nss.crt first, and then /etc/ssl/cert.pem [2].

This created an issue for me, as I always assumed that /etc/ssl/cert.pem is more or less the 'official' location for root certificates in FreeBSD, so I deploy my private CA root there.

But since Go 1.5, Go programs will ignore /etc/ssl/cert.pem if the ca_root_nss package is present, due to the change in search order. Therefore my private certificates don’t validate.

Is there an official position where FreeBSD programs should look for this certificate store?

I'm considering to open a Go bug to move /etc/ssl/cert.pem higher in the search order, on the basis of:
- Not only OpenBSD, but also FreeBSD uses /etc/ssl/cert.pem
- FreeBSD core components, such as libfetch, use /etc/ssl/cert.pem [3]
- The location of the ca_root_nss file is an implementation detail of the package and should not override the core location

After seeing libfetch source, I guess it would be a good thing to try /usr/local/etc/ssl/cert.pem too.

However, maybe I'm wrong, maybe /etc/ssl/cert.pem is not 'special' or sanctioned, and there are good reasons to prefer /usr/local/share/certs/ca-root-nss.crt which I am not realizing.

What do you think Go (or other programs for that matter) should do?

Thanks!
WH

References:
1. https://github.com/golang/go/blob/release-branch.go1.4/src/crypto/x509/root_unix.go#L16
2. https://github.com/golang/go/blob/release-branch.go1.5/src/crypto/x509/root_bsd.go#L11
3. https://github.com/freebsd/freebsd/blob/master/lib/libfetch/common.c#L694

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp