tailscale/tsnet
Brad Fitzpatrick a182b864ac tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths
Add ExtraRootCAs *x509.CertPool to tsd.System and plumb it through
the control client, noise transport, DERP, and wgengine layers so
that platforms like Android can inject user-installed CA certificates
into Go's TLS verification.

tlsdial.Config now honors base.RootCAs as additional trusted roots,
tried after system roots and before the baked-in LetsEncrypt fallback.
SetConfigExpectedCert gets the same treatment for domain-fronted DERP.

The Android client will set sys.ExtraRootCAs with a pool built from
x509.SystemCertPool + user-installed certs obtained via the Android
KeyStore API, replacing the current SSL_CERT_DIR environment variable
approach.

Updates #8085

Change-Id: Iecce0fd140cd5aa0331b124e55a7045e24d8e0c2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2026-04-07 18:10:54 -07:00
example all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
depaware.txt derp,types,util: use bufio Peek+Discard for allocation-free fast reads (#19067) 2026-03-24 10:52:20 -04:00
example_tshello_test.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
example_tsnet_listen_service_multiple_ports_test.go tsnet: make ListenService examples consistent with other tsnet examples 2026-01-26 14:59:18 -07:00
example_tsnet_test.go tsnet: make ListenService examples consistent with other tsnet examples 2026-01-26 14:59:18 -07:00
packet_filter_test.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
tsnet_test.go cmd/vet: add subtestnames analyzer; fix all existing violations 2026-04-05 15:52:51 -07:00
tsnet.go tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths 2026-04-07 18:10:54 -07:00