mirror of
https://github.com/tailscale/tailscale.git
synced 2026-06-06 21:01:11 +08:00
a182b864ac
Add ExtraRootCAs *x509.CertPool to tsd.System and plumb it through the control client, noise transport, DERP, and wgengine layers so that platforms like Android can inject user-installed CA certificates into Go's TLS verification. tlsdial.Config now honors base.RootCAs as additional trusted roots, tried after system roots and before the baked-in LetsEncrypt fallback. SetConfigExpectedCert gets the same treatment for domain-fronted DERP. The Android client will set sys.ExtraRootCAs with a pool built from x509.SystemCertPool + user-installed certs obtained via the Android KeyStore API, replacing the current SSL_CERT_DIR environment variable approach. Updates #8085 Change-Id: Iecce0fd140cd5aa0331b124e55a7045e24d8e0c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> |
||
|---|---|---|
| .. | ||
| controlhttpcommon | ||
| controlhttpserver | ||
| client_common.go | ||
| client_js.go | ||
| client.go | ||
| constants.go | ||
| http_test.go | ||