Comments (7)
I am using x509.SystemCertPool(), which uses the local trust store of the OS. But depending on the distribution, I guess it might struggle finding the system certificates.
Line 455 in 96b63cc
The doc of x509.SystemCertPool() says:
> On Unix systems other than macOS the environment variables SSL_CERT_FILE and SSL_CERT_DIR can be used to override the system default locations for the SSL certificate file and SSL certificate files directory, respectively. The latter can be a colon-separated list.
Maybe you want to play with these variables?
from ssh3.
The SSH3 server should be able to use your Let's Encrypt X509 certificate. I have a server using one. :-)
You just need to set the `-cert` and `-key` CLI args to your Let's Encrypt fullchain and key when running `ssh3-server`.
Does it work for you? Let me know if you have problems doing it.
@francoismichel I tried that and the client was not able to verify it, so I am a bit curious what happened here. How do you verify the certificate against the system trust store?
@RaitoBezarius Did you have the time to try it out? Is there something I can do on my side for it to work more smoothly, or should we mark the issue as resolved?
I'm still getting `client # 5:55PM ERR the peer provided an unknown, insecure certificate, that is not self-signed: x509: invalid signature: parent certificate cannot sign this kind of certificate` with a certificate that I trust in my system store :/.
If I curl a TLS server with that, it seems to work.
If you're familiar with the `strace` utility or any system call tracing tool, you could find where curl is looking for them and compare that to where `ssh3` is looking. Also, looking at your shell environment variables might help you find how these paths are passed to the executable :)
On Linux, here is where Go searches for certs by default (source):

```go
// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
	"/etc/ssl/cert.pem",                                 // Alpine Linux
}

// Possible directories with certificate files; all will be read.
var certDirectories = []string{
	"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
	"/etc/pki/tls/certs",           // Fedora/RHEL
	"/system/etc/security/cacerts", // Android
}
```
You can compare these paths with what curl does.
When I run curl, I can see that curl finds the CA bundle for certificates in `/etc/pki/tls/certs/ca-bundle.crt` (cf. `CAfile` and `CApath`):

```
user@host:~$ curl -v https://google.com
* processing: https://google.com
*   Trying [2a00:1450:400e:810::200e]:443...
* Connected to google.com (2a00:1450:400e:810::200e) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
[...]
```

Does curl find a CA in a file/dir that golang does not look at?
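To narrow the problem down outside ssh3, the following Go program (an added example, not code from the ssh3 project or from anyone in this thread) reproduces the three outcomes the thread circles around: a leaf that chains to a trusted root, the same leaf against the empty pool that `x509.SystemCertPool()` returns on Linux when none of the paths above exist, and the exact "parent certificate cannot sign this kind of certificate" error, which `CheckSignatureFrom` raises when the presented issuer certificate is not marked as a CA (no `cA=true`, or a key usage without certSign). All certificates and keys are generated in memory; the names and the `issue`/`verify`/`Demo` helpers are this example's own.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue mints a cert for cn with a fresh P-256 key; parent == nil makes it self-signed. Only a CA gets
// cA=true plus the certSign key usage. All key material is constructed in memory for this example.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign }
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify chains leaf to roots for its own DNS name, as a client does with the pool from x509.SystemCertPool().
func verify(leaf *x509.Certificate, roots *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]}); err != nil {
		return err.Error()
	}
	return ""
}
// Demo: leaf under a trusted root (""), leaf against an empty pool (SystemCertPool() on Linux with no bundle found), and the thread's error for a non-CA issuer.
func Demo() (trusted, untrusted, nonCA string) {
	ca, caKey := issue("Constructed Test Root", true, nil, nil)
	leaf, _ := issue("ssh3.example.test", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	trusted, untrusted = verify(leaf, roots), verify(leaf, x509.NewCertPool())
	// An issuer without cA=true (or certSign) fails the constraint check before any signature is examined.
	notCA, _ := issue("end-entity posing as issuer", false, nil, nil)
	if err := leaf.CheckSignatureFrom(notCA); err != nil {
		nonCA = err.Error()
	}
	return
}
func main() { fmt.Println(Demo()) }
```

To check the real store instead, swap `roots` for the pool from `x509.SystemCertPool()`; note that its result is cached after the first call, so `SSL_CERT_FILE` or `SSL_CERT_DIR` must already be set in the environment when the process starts.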