)
func TestHybridPool(t *testing.T) {
+ t.Parallel()
if !(runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios") {
t.Skipf("platform verifier not available on %s", runtime.GOOS)
}
if !testenv.HasExternalNetwork() {
t.Skip()
}
+ if runtime.GOOS == "windows" {
+ // NOTE(#51599): on the Windows builders we sometimes see that the state
+ // of the root pool is not fully initialized, causing an expected
+ // platform verification to fail. In part this is because Windows
+ // dynamically populates roots into its local trust store at time of
+ // use. We can attempt to prime the pool by attempting TLS connections
+ // to google.com until it works, suggesting the pool has been properly
+ // updated. If after we hit the dealine, the pool has _still_ not been
+ // populated with the expected root, it's unlikely we are ever going to
+ // get into a good state, and so we just fail the test. #52108 suggests
+ // a better possible long term solution.
+
+ deadline := time.Now().Add(time.Second * 10)
+ nextSleep := 10 * time.Millisecond
+ for i := 0; ; i++ {
+ c, err := tls.Dial("tcp", "google.com:443", nil)
+ if err == nil {
+ c.Close()
+ break
+ }
+ nextSleep = nextSleep * time.Duration(i)
+ if time.Until(deadline) < nextSleep {
+ t.Fatal("windows root pool appears to be in an uninitialized state (missing root that chains to google.com)")
+ }
+ time.Sleep(nextSleep)
+ }
+ }
// Get the google.com chain, which should be valid on all platforms we
// are testing
_, err = googChain[0].Verify(opts)
if err != nil {
- t.Fatalf("verification failed for google.com chain (empty pool): %s", err)
+ t.Fatalf("verification failed for google.com chain (system only pool): %s", err)
}
pool.AddCert(root)