tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths - tailscale - The easiest, most secure way to use WireGuard and 2FA

diff options

author	Brad Fitzpatrick <bradfitz@tailscale.com>	2026-04-07 19:09:19 +0000
committer	Brad Fitzpatrick <brad@danga.com>	2026-04-07 18:10:54 -0700
commit	a182b864ace45ee69830973a157fdaa07e9e4d3d (patch)
tree	f5267b3c66f40171adf7cafa874ae159e545f1d8 /control/controlhttp/controlhttpserver/controlhttpserver.go
parent	c4cb5eb80968f48e62170c98db76e192338d8013 (diff)
download	tailscale-a182b864ace45ee69830973a157fdaa07e9e4d3d.tar.xz tailscale-a182b864ace45ee69830973a157fdaa07e9e4d3d.zip

tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths

Add ExtraRootCAs *x509.CertPool to tsd.System and plumb it through the control client, noise transport, DERP, and wgengine layers so that platforms like Android can inject user-installed CA certificates into Go's TLS verification. tlsdial.Config now honors base.RootCAs as additional trusted roots, tried after system roots and before the baked-in LetsEncrypt fallback. SetConfigExpectedCert gets the same treatment for domain-fronted DERP. The Android client will set sys.ExtraRootCAs with a pool built from x509.SystemCertPool + user-installed certs obtained via the Android KeyStore API, replacing the current SSL_CERT_DIR environment variable approach. Updates #8085 Change-Id: Iecce0fd140cd5aa0331b124e55a7045e24d8e0c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: