Mishandled trust preferences for root certificates on Darwin in crypto/x509

GO-2022-0171 · CVE-2017-1000097

Published May 24, 2022 · Modified Jun 3, 2024

Description

On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

References

FIX https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
REPORT https://go.dev/issue/18141
WEB https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes