From: Russ Cox Date: Tue, 7 Feb 2017 16:59:38 +0000 (-0500) Subject: [release-branch.go1.8] crypto/x509: check for new tls-ca-bundle.pem last X-Git-Tag: go1.8~10 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=0545006bdb052b3d3fdd14cd027993d89eef1eed;p=gostls13.git [release-branch.go1.8] crypto/x509: check for new tls-ca-bundle.pem last We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to the list in response to #17549 - not being able to find any certs otherwise. Now we have #18813, where CentOS 6 apparently has both that file and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while the former is not. Moving the new CentOS 7 file to the bottom of the list should fix both problems: the CentOS 7 system that didn't have any of the other files in the list will still find the new one, and existing systems will still keep using what they were using instead of preferring the new path that may or may not be complete on some systems. Fixes #18813. Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba Reviewed-on: https://go-review.googlesource.com/36429 Run-TryBot: Russ Cox Reviewed-by: Adam Langley Reviewed-on: https://go-review.googlesource.com/36530 TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick --- diff --git a/src/crypto/x509/root_linux.go b/src/crypto/x509/root_linux.go index 38dd72d3ed..aa1785e4c6 100644 --- a/src/crypto/x509/root_linux.go +++ b/src/crypto/x509/root_linux.go @@ -7,8 +7,8 @@ package x509 // Possible certificate files; stop after finding one. var certFiles = []string{ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc. - "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7 "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6 "/etc/ssl/ca-bundle.pem", // OpenSUSE "/etc/pki/tls/cacert.pem", // OpenELEC + "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7 }
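Review bot: the moved `"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7` entry at the bottom of `certFiles` has no comment saying that its position is deliberate, yet the list is documented as "stop after finding one", so the order now decides which bundle a host trusts. The commit message gives the reason (on CentOS 6 this file can exist alongside `/etc/pki/tls/certs/ca-bundle.crt` and be incomplete, #18813), but a later change that appends a new path below it or re-sorts the list would not see that. Suggest extending the trailing comment to say the entry must stay last and to cite #18813, and noting above the slice that order is significant. Because the loader stops at the first file found without checking what it contains, the fix depends on ordering alone. A test that pins the tls-ca-bundle.pem path after ca-bundle.crt would keep the regression from returning unnoticed.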