author: Brad Fitzpatrick <bradfitz@tailscale.com> 2026-04-07 19:09:19 +0000
committer: Brad Fitzpatrick <brad@danga.com> 2026-04-07 18:10:54 -0700
commit: a182b864ace45ee69830973a157fdaa07e9e4d3d
tree: f5267b3c66f40171adf7cafa874ae159e545f1d8 /control/controlhttp/controlhttpserver/controlhttpserver.go
parent: c4cb5eb80968f48e62170c98db76e192338d8013
tsd, all: add Sys.ExtraRootCAs, plumb through TLS dial paths

Add ExtraRootCAs *x509.CertPool to tsd.System and plumb it through the control client, noise transport, DERP, and wgengine layers so that platforms like Android can inject user-installed CA certificates into Go's TLS verification.

tlsdial.Config now honors base.RootCAs as additional trusted roots, tried after system roots and before the baked-in LetsEncrypt fallback. SetConfigExpectedCert gets the same treatment for domain-fronted DERP.

The Android client will set sys.ExtraRootCAs with a pool built from x509.SystemCertPool + user-installed certs obtained via the Android KeyStore API, replacing the current SSL_CERT_DIR environment variable approach.

Updates #8085

Change-Id: Iecce0fd140cd5aa0331b124e55a7045e24d8e0c2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
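
The ordered root-pool check the commit message describes (system roots first, then extra roots, then a fallback) can be illustrated with Go's standard crypto/x509 package. This is an added example, not Tailscale's tlsdial code: mkCert, verifyInOrder and the host name control.example.test are hypothetical, all certificates are constructed in-process, and an empty pool stands in for system roots that do not know the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate; a nil parent yields a self-signed CA.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: the CN doubles as the DNS SAN
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyInOrder returns the index of the first root pool that validates leaf for host.
// Pools must be non-nil: a nil Roots would make Verify use the real system roots.
func verifyInOrder(leaf *x509.Certificate, host string, pools ...*x509.CertPool) (int, error) {
	err := fmt.Errorf("no root pools configured")
	for i, pool := range pools {
		if _, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}); err == nil {
			return i, nil
		}
	}
	return -1, err
}

func main() {
	userCA, userKey := mkCert("user-installed CA (constructed)", nil, nil)
	leaf, _ := mkCert("control.example.test", userCA, userKey)
	extra := x509.NewCertPool()
	extra.AddCert(userCA)
	fmt.Println(verifyInOrder(leaf, "control.example.test", x509.NewCertPool(), extra))
}
```

Adding a pool only widens the set of accepted issuers: the host name check still runs against every pool, and a leaf from a CA in none of the pools is rejected with the last pool's error.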