golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/x509: root_cgo_darwin and root_nocgo_darwin omit some system certs #24652

Closed jdhenke closed 5 years ago

jdhenke commented 6 years ago

Please answer these questions before submitting your issue. Thanks!

What did you do?

$ cat main.go
package main

import (
    "crypto/x509"
    "fmt"
    "log"
)

func main() {
    certs, err := x509.SystemCertPool()
    if err != nil {
        log.Fatal(err)
    }
    fmt.Printf("Num System Certs: %d\n", len(certs.Subjects()))
}
$ CGO_ENABLED=0 go run main.go
Num System Certs: 188
$ CGO_ENABLED=1 go run main.go
Num System Certs: 168

What did you expect to see?

I expected to see the same number of certificates regardless of whether I used cgo.

What did you see instead?

The implementation using CGO resulted in fewer system certificates, which causes problems for our tooling that relies on one of those missing certificates to be in the SystemCertPool.

System details

go version go1.10.1 darwin/amd64
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jhenke/Library/Caches/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/jhenke"
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/_b/gz_w_nfj0_33f5y3s_0pg8xs080pym/T/go-build925272903=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.10.1 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.10.1
uname -v: Darwin Kernel Version 16.7.0: Mon Nov 13 21:56:25 PST 2017; root:xnu-3789.72.11~1/RELEASE_X86_64
ProductName:    Mac OS X
ProductVersion: 10.12.6
BuildVersion:   16G1114
lldb --version: lldb-900.0.64
  Swift-4.0
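Added example (not code from the issue or from Go's own crypto/x509): a defensive pattern for tooling like the reporter's, which should not depend on whether a given build's darwin loader happens to expose one keychain root. It appends the internal root to the system pool explicitly and reports whether the pool already trusted it, using a constructed in-memory CA and leaf; the function names and the host name internal.example.test are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"time"
)

// PoolWithRoot returns the system pool (an empty pool when the platform cannot
// load one) with the PEM-encoded root appended. alreadyPresent reports whether
// the pool trusted that root before the append: the value that differs here.
func PoolWithRoot(rootPEM []byte) (pool *x509.CertPool, alreadyPresent bool, err error) {
	pool, err = x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // e.g. a container with no CA bundle
	}
	block, _ := pem.Decode(rootPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, false, fmt.Errorf("rootPEM holds no PEM CERTIFICATE block")
	}
	root, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, false, err
	}
	// A self-signed root verifies as a one-element chain iff the pool already holds it.
	_, verr := root.Verify(x509.VerifyOptions{Roots: pool})
	pool.AddCert(root)
	return pool, verr == nil, nil
}

// VerifyLeaf checks leaf for host against pool and returns the chain-building error.
func VerifyLeaf(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// MakeTestChain builds a constructed, in-memory root CA and a server leaf for
// host signed by it. Both are throwaway test material, not real keys.
func MakeTestChain(host string) (rootPEM, leafDER []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER) // parsed copy carries the generated SubjectKeyId
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	return rootPEM, leafDER, nil
}

func main() {
	rootPEM, leafDER, err := MakeTestChain("internal.example.test")
	if err != nil {
		log.Fatal(err)
	}
	pool, present, err := PoolWithRoot(rootPEM)
	if err != nil {
		log.Fatal(err)
	}
	leaf, _ := x509.ParseCertificate(leafDER) // just produced by CreateCertificate
	fmt.Printf("root already in system pool: %v, leaf verifies after appending root: %v\n",
		present, VerifyLeaf(leaf, pool, "internal.example.test") == nil)
}
```

Whether the cgo or non-cgo loader is used, the leaf now verifies because the trust decision no longer depends on the keychain's trust-settings resolution.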
adamdecaf commented 6 years ago

@jhump I've had the same issue. The problem (on 1.10 and earlier) boiled down to -p and -r, which sounds like https://github.com/golang/go/issues/24084. There's a CL/patch that should fix this. https://golang.org/cl/128116

Can you share the security command you're running? I recall having success with -r trustAsRoot.

// Pick the trust result type for security(1): CA certs are added as trustAsRoot,
// everything else is left unspecified.
resultType := "unspecified"
if certs.IsCA { // x509.Certificate IsCA
    resultType = "trustAsRoot"
}
// loginKeychain is the path of the keychain to add the cert to.
cmd := exec.Command("security", "add-trusted-cert", "-r", resultType, "-p", "ssl", "-k", loginKeychain, "cert.pem")
jhump commented 6 years ago

@adamdecaf, the details are all in #27958. I can't use trustAsRoot because the tool reports a wonderfully terrible error message if you try to use that with an actual root (e.g. self-signed) cert:

SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.

The full command I use is basically this:

sudo security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain test.ssl.crt

The command has a -i settingsFile flag that appears promising, but it's an XML format that encodes a dictionary of dictionaries, and the doc is quite light. I tried exporting an existing cert that is properly trusted by Go 1.10 and have yet to come up with a simple recipe that will work to create new ones that way. (I probably just need to spend more time on it...)

adamrothman commented 6 years ago
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Secops Internal Root CA returned 1
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=638948197133458968,O=Meraki Inc.,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Secops Internal Root CA
crypto/x509: verify-cert rejected CN=SCEP WiFi Certificate for 638948197133458968,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 15 times
    cgo sys roots: 110.760832ms
non-cgo sys roots: 175.697789ms
certificate only present in non-cgo pool: CN=radius.meraki.com,OU=Domain Control Validated+OU=EssentialSSL (verify error: x509: certificate signed by unknown authority)
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
SecTrustSettingsCopyCertificates: No Trust Settings were found.
Number of trusted certs = 1
Cert 0: Secops Internal Root CA
   Number of trust settings : 0

!!! The test failed!
wdec commented 5 years ago

If it's of some help, I'm also having this issue, using go1.11.1 darwin. Any suggested quick fixes?

Test Results
"$(go env GOPATH)/bin/macos-roots-test"
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: cdca returned 1
crypto/x509: Cisco Root CA M1 returned 1
crypto/x509: MacIT Registration Authority returned 1
crypto/x509: HydrantID SSL ICA G2 returned 4
crypto/x509: QuoVadis Root CA 2 returned 1
crypto/x509: Apple Worldwide Developer Relations Certification Authority returned 2
crypto/x509: ISRG Root X1 returned 1
crypto/x509: DST Root CA X3 returned 1
crypto/x509: DST Root CA X4 returned 1
crypto/x509: Cisco Systems, Inc. returned 4
crypto/x509: services.meeting.ietf.org returned 4
crypto/x509: isj3cmx.webexconnect.com returned 2
crypto/x509: C220-FCH2050V1ZP returned 1
crypto/x509: C220-FCH2033V1VF returned 1
crypto/x509: ntn-vts-vcenter.cisco.com returned 2
crypto/x509: null returned 1
crypto/x509: null returned 1
crypto/x509: null returned 1
crypto/x509: null returned 1
crypto/x509: null returned 1
crypto/x509: C220-FCH2050V28V returned 1
crypto/x509: VTC-BR-MGMT-1 returned 1
crypto/x509: VTC-BR-MGMT-2 returned 1
crypto/x509: C-series CIMC returned 1
crypto/x509: C-series CIMC returned 1
crypto/x509: ntn-vts-vcenter.cisco.com returned 2
crypto/x509: nxos returned 1
crypto/x509: null returned 1
crypto/x509: robot-vcenter2.cisco.com returned 2
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Dashboard Advisory,OU=Dashboard,O=Apple Computer\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Apple Code Signing Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Software Signing,OU=Apple Software,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=cdca,O=Cisco
crypto/x509: verify-cert approved CN=Cisco Root CA M1,O=Cisco
crypto/x509: verify-cert approved CN=HydrantID SSL ICA G2,O=HydrantID (Avalanche Cloud Corporation),C=US
crypto/x509: verify-cert approved CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=491F11C4-73BB-4515-B03B-61B9BF352DBF,O=Cisco Systems Inc.
crypto/x509: verify-cert rejected CN=JSS Built-In Signing Certificate,OU=FILEVAULT2COMM: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=*.corp.broadsoft.com,O=BroadSoft\, Inc.,L=Gaithersburg,ST=Maryland,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=ISRG Root X1,O=Internet Security Research Group,C=US
crypto/x509: verify-cert approved CN=DST Root CA X3,O=Digital Signature Trust Co.
crypto/x509: verify-cert approved CN=DST Root CA X4,O=Digital Signature Trust Co.
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Bich Nguyen,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Ole Troan,C=GB: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Pamela Lee,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Tobias Neumann,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Glenn Gauvin,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Roque Gagliano,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Yiu Lee,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=RGnet Root CA,OU=Engineering,O=RGnet/PSGnet,L=Bainbridge Island,ST=Washingron,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=services.meeting.ietf.org,OU=Network Ops,O=IETF,L=MECC,ST=Disrepair,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Richard Maunder,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Nokia BI CA,O=Nokia,C=FI: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Saaranen Mika,OU=People,O=Nokia: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Saaranen Mika,OU=People,O=Nokia: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=StartCom Class 3 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Peter Saint-Andre,OU=StartCom Trusted Certificate Member,L=Denver,ST=Colorado,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=services.meeting.ietf.org,OU=Terms of use at www.verisign.com/rpa (c)05,O=IETF,L=Fremont,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 3 Secure Server CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=isj3cmx.webexconnect.com,O=WebEx Communications\, Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=MacIT Registration Authority,OU=Client & Cloud Productivity Services,O=Cisco Systems\, Inc.,L=San Jose,ST=CA,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Lars Eggert,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=ExamReal.com,OU=ExamReal.com,O=ExamReal.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=anyconnect.mic-ebc.eu: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
crypto/x509: verify-cert rejected CN=*.boxlocalhost.com,O=Box\, Inc.,L=Los Altos,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=C220-FCH2050V1ZP,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C220-FCH2033V1VF,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=ntn-vts-vcenter.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C220-FCH2050V28V,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=VTC-BR-MGMT-1,O=VTS,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=VTC-BR-MGMT-2,O=VTS,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH2048716F,O=Cisco Self Signed,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH203372N2,O=Cisco Self Signed,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=ntn-vts-vcenter.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=nxos,OU=nsstg,O=Cisco Systems Inc.,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=robot-vcenter2.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Bich Nguyen,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Ole Troan,C=GB: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Pamela Lee,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Tobias Neumann,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Glenn Gauvin,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Roque Gagliano,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Yiu Lee,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=RGnet Root CA,OU=Engineering,O=RGnet/PSGnet,L=Bainbridge Island,ST=Washingron,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=services.meeting.ietf.org,OU=Network Ops,O=IETF,L=MECC,ST=Disrepair,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Richard Maunder,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Nokia BI CA,O=Nokia,C=FI: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Saaranen Mika,OU=People,O=Nokia: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Saaranen Mika,OU=People,O=Nokia: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Lars Eggert,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=StartCom Class 3 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Peter Saint-Andre,OU=StartCom Trusted Certificate Member,L=Denver,ST=Colorado,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=services.meeting.ietf.org,OU=Terms of use at www.verisign.com/rpa (c)05,O=IETF,L=Fremont,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 3 Secure Server CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=isj3cmx.webexconnect.com,O=WebEx Communications\, Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=ExamReal.com,OU=ExamReal.com,O=ExamReal.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=anyconnect.mic-ebc.eu: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=*.boxlocalhost.com,O=Box\, Inc.,L=Los Altos,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=C220-FCH2050V1ZP,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C220-FCH2033V1VF,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=ntn-vts-vcenter.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.68466757444f4272375447444a4f6d465870564d36673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C220-FCH2050V28V,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=VTC-BR-MGMT-1,O=VTS,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=VTC-BR-MGMT-2,O=VTS,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH2048716F,O=Cisco Self Signed,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH203372N2,O=Cisco Self Signed,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=ntn-vts-vcenter.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=nxos,OU=nsstg,O=Cisco Systems Inc.,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=robot-vcenter2.cisco.com,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 133 times
    cgo sys roots: 273.80938ms
non-cgo sys roots: 2.765658324s
signed certificate only present in non-cgo pool (acceptable): CN=cdca,O=Cisco
signed certificate only present in non-cgo pool (acceptable): CN=HydrantID SSL ICA G2,O=HydrantID (Avalanche Cloud Corporation),C=US
signed certificate only present in non-cgo pool (acceptable): CN=491F11C4-73BB-4515-B03B-61B9BF352DBF,O=Cisco Systems Inc.
signed certificate only present in non-cgo pool (acceptable): CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
signed certificate only present in non-cgo pool (acceptable): CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
certificate only present in cgo pool: CN=C220-FCH2050V28V,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH203372N2,O=Cisco Self Signed,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=robot-vcenter2.cisco.com,C=US
certificate only present in cgo pool: CN=C220-FCH2050V1ZP,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=ntn-vts-vcenter.cisco.com,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=ntn-vts-vcenter.cisco.com,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=VTC-BR-MGMT-1,O=VTS,L=San Jose,ST=CA,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=nxos,OU=nsstg,O=Cisco Systems Inc.,L=San Jose,ST=CA,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=C-series CIMC,OU=PID:UCSC-C220-M4S SERIAL:FCH2048716F,O=Cisco Self Signed,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=null,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=isj3cmx.webexconnect.com,O=WebEx Communications\, Inc.,L=San Jose,ST=California,C=US
certificate only present in cgo pool: CN=VTC-BR-MGMT-2,O=VTS,L=San Jose,ST=CA,C=US
certificate only present in cgo pool: CN=C220-FCH2033V1VF,OU=null,O=Cisco Systems Inc.,L=San Jose,ST=California,C=US
Number of trusted certs = 20
Cert 0: Cisco Systems, Inc.
SecTrustSettingsCopyTrustSettings: The Trust Settings Record was corrupted.
Cert 1: services.meeting.ietf.org
   Number of trust settings : 4
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : EAP
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : Apple X509 Basic
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: isj3cmx.webexconnect.com
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : cisco.com
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : cisco.com
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Policy String         : cisco.com
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 3: C220-FCH2050V1ZP
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.68
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.68
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 4: C220-FCH2033V1VF
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.69
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.69
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 5: ntn-vts-vcenter.cisco.com
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : ntn-vts-vcenter.cisco.com
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : ntn-vts-vcenter.cisco.com
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 6: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.10
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.10
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 7: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.23.247.43
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.23.247.43
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 8: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.23.247.44
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.23.247.44
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 9: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.23.247.45
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.23.247.45
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 10: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.23.247.46
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.23.247.46
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 11: C220-FCH2050V28V
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.67
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.67
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 12: VTC-BR-MGMT-1
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.22.227.37
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.22.227.37
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 13: VTC-BR-MGMT-2
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.22.227.38
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.22.227.38
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 14: C-series CIMC
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.22.227.111
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.22.227.111
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 15: C-series CIMC
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.22.227.114
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.22.227.114
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 16: ntn-vts-vcenter.cisco.com
   Number of trust settings : 4
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 10.210.12.140
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 10.210.12.140
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SSL
      Policy String         : ntn-vts-vcenter.cisco.com
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SSL
      Policy String         : ntn-vts-vcenter.cisco.com
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 17: nxos
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.9
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.9
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 18: null
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.25.87.15
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.25.87.15
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 19: robot-vcenter2.cisco.com
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : robot-vcenter2.cisco.com
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : robot-vcenter2.cisco.com
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Number of trusted certs = 9
Cert 0: cdca
   Number of trust settings : 0
Cert 1: Cisco Root CA M1
   Number of trust settings : 0
Cert 2: MacIT Registration Authority
   Number of trust settings : 0
Cert 3: HydrantID SSL ICA G2
   Number of trust settings : 1
   Trust Setting 0:
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 4: QuoVadis Root CA 2
   Number of trust settings : 0
Cert 5: Apple Worldwide Developer Relations Certification Authority
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 6: ISRG Root X1
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 7: DST Root CA X3
   Number of trust settings : 0
Cert 8: DST Root CA X4
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot

!!! The test failed!
adamrothman commented 5 years ago

@wdec You can use https://github.com/hashicorp/go-rootcerts; see https://github.com/golang/go/issues/28025.

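The workaround suggested above amounts to not relying on `SystemCertPool` for the one root your tooling needs. The following is an added example, written for this page and not code from the thread, from go-rootcerts or from the Go project, showing the same idea with the standard library only: the missing CA is supplied as PEM and appended to a pool (optionally on top of the system pool), so verification gives the same answer whether the cgo or non-cgo darwin loader was compiled in. The function names `PoolFromPEM`, `VerifyLeaf` and `NewTestCAAndLeaf`, the hostname `internal.example.test` and the CA name `Example Internal Root CA` are assumptions; the CA and leaf are generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PoolFromPEM builds a root pool from caller-supplied PEM certificates.
// With includeSystem set it starts from x509.SystemCertPool, so the explicit
// roots sit on top of whatever the platform loader returned; if the system
// pool is unavailable it starts from an empty pool instead.
func PoolFromPEM(extraRoots []byte, includeSystem bool) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if includeSystem {
		if sys, err := x509.SystemCertPool(); err == nil && sys != nil {
			pool = sys
		}
	}
	if len(extraRoots) > 0 && !pool.AppendCertsFromPEM(extraRoots) {
		return nil, errors.New("no PEM certificates found in extra roots")
	}
	return pool, nil
}

// VerifyLeaf parses a PEM leaf and checks that it chains to a root in pool
// and is valid for dnsName (server-auth EKU is the crypto/x509 default).
func VerifyLeaf(pool *x509.CertPool, leafPEM []byte, dnsName string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in leaf PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// NewTestCAAndLeaf generates a constructed private root CA and a server leaf
// for dnsName, both as PEM. It exists only so the example runs offline
// without touching a real keychain; it is not a production CA.
func NewTestCAAndLeaf(dnsName string) (caPEM, leafPEM []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	caPEM, leafPEM, err := NewTestCAAndLeaf("internal.example.test")
	if err != nil {
		panic(err)
	}
	// Explicit roots only: the outcome no longer depends on which darwin
	// root loader (cgo or non-cgo) the binary was built with.
	pool, err := PoolFromPEM(caPEM, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("explicit root pool:", VerifyLeaf(pool, leafPEM, "internal.example.test"))
	fmt.Println("empty pool:", VerifyLeaf(x509.NewCertPool(), leafPEM, "internal.example.test"))
}
```

Passing `includeSystem=true` keeps the public roots the platform provides while guaranteeing the private CA is present; passing `false` pins verification to the explicit roots alone, which is the stricter choice for tooling that only ever talks to internally issued endpoints.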
mfriedenhagen commented 5 years ago

Just a comment: I have spent 2 hours today debugging this, and unfortunately there seems to be no way to persuade /usr/bin/security to add the correct result type. If you specify „trustRoot“ (or nothing, as „trustRoot“ is the default), security will just remove „Result Type“.

In Keychain.app the empty and explicitly set result types are not distinguishable, only security dump-trust-settings will show this.

It was completely confusing, as Safari, curl and subversion all worked like a charm.

dichque commented 5 years ago
Test Results
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=*.corp.broadsoft.com,O=BroadSoft\, Inc.,L=Gaithersburg,ST=Maryland,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=JSS Built-In Signing Certificate,OU=FILEVAULT2COMM: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=DST Root CA X4,O=Digital Signature Trust Co.
crypto/x509: verify-cert approved CN=DST Root CA X3,O=Digital Signature Trust Co.
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jagadish Nagarajaiah,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=Cisco Root CA 2048,O=Cisco Systems
crypto/x509: verify-cert rejected CN=WIGHT Alex,O=Cisco Systems Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=DST Root CA X3,O=Digital Signature Trust Co.
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jagadish Nagarajaiah,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Cisco Systems\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=Cisco Root CA 2048,O=Cisco Systems
crypto/x509: verify-cert rejected CN=WIGHT Alex,O=Cisco Systems Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=DST Root CA X3,O=Digital Signature Trust Co.
crypto/x509: ran security verify-cert 27 times
    cgo sys roots: 220.560452ms
non-cgo sys roots: 1.009457569s
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
certificate only present in cgo pool: CN=Cisco Systems\, Inc.
SecTrustSettingsCopyTrustSettings: The Trust Settings Record was corrupted.
Number of trusted certs = 3
Cert 0: Cisco Systems, Inc.
Cert 1: Cisco Systems, Inc.
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : isj3cmx.webexconnect.com�
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : isj3cmx.webexconnect.com�
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Policy String         : isj3cmx.webexconnect.com�
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: DST Root CA X3
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
Number of trusted certs = 4
Cert 0: QuoVadis Root CA 2
   Number of trust settings : 0
Cert 1: Apple Worldwide Developer Relations Certification Authority
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: DST Root CA X4
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 3: DST Root CA X3
   Number of trust settings : 0

!!! The test failed!

Please report *the whole output* at https://github.com/golang/go/issues/24652 wrapping it in ``` a code block ```
Thank you!
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: QuoVadis Root CA 2 returned 1
crypto/x509: Apple Worldwide Developer Relations Certification Authority returned 2
crypto/x509: DST Root CA X4 returned 1
crypto/x509: DST Root CA X3 returned 1
crypto/x509: Cisco Systems, Inc. returned 4
crypto/x509: Cisco Systems, Inc. returned 2
crypto/x509: DST Root CA X3 returned 1
cvigo commented 5 years ago

If the test fails, please copy the whole output in a comment here. Do check that there's nothing you consider sensitive in it (it only lists names of certificates in your keychain, which might however include names of S/MIME senders) and if you'd prefer to report privately email filippo at golang.org.

Another test fail

Surprisingly, I have two similar private Root CAs that return different results (see Global Root CA vs. Global Root CA Work).

Test Results
```
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=AutoFirma ROOT
crypto/x509: verify-cert approved CN=127.0.0.1
crypto/x509: verify-cert approved CN=BBVA Autoridad de Certificacion Digital,O=Banco Bilbao Vizcaya Argentaria
crypto/x509: verify-cert approved CN=BBVA CA Servidores,O=BBVA
crypto/x509: verify-cert approved CN=BBVA CA Raiz,O=BBVA
crypto/x509: verify-cert approved CN=BBVA Servidores Autoridad de Certificacion Digital,OU=Para Uso Interno BBVA,O=Banco Bilbao Vizcaya Argentaria
crypto/x509: verify-cert approved CN=Global Root CA,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=Global Root CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
crypto/x509: verify-cert rejected CN=vpnaas_live.es.nextgen.igrupobbva,OU=Architecture Security,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=vpnaas.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.bbva.com,OU=SECURITY,O=BBVA,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-6,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-4,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-3,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-5,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: verify-cert approved CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
crypto/x509: verify-cert approved CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
crypto/x509: verify-cert rejected CN=vpnaas_live.es.nextgen.igrupobbva,OU=Architecture Security,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=vpnaas.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.bbva.com,OU=SECURITY,O=BBVA,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-6,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-4,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Content Certificate 10-5,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Adobe Intermediate CA 10-3,OU=Cloud Technology,O=Adobe Systems,L=San Jose,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
crypto/x509: ran security verify-cert 51 times
    cgo sys roots: 366.462356ms
non-cgo sys roots: 671.314532ms
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
signed certificate only present in non-cgo pool (acceptable): CN=wifiaccess.grupobbva.com,OU=Comunicaciones,O=BBVA,L=Bilbao,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=vpnaas_live.es.nextgen.igrupobbva,OU=Security Architecture,O=BBVA,L=Madrid,ST=Madrid,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=isepsncorpeditc2.igrupobbva,O=BBVA,L=Madrid,ST=Madrid,C=ES
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Developer Authentication Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Ether R3 ES Issuing CA Work,OU=Security Architecture Cryptography,O=BBVA,C=ES
certificate only present in cgo pool: SERIALNUMBER=IDCES-87654321K,CN=NAME REMOVED FOR PRIVACY - 87654321K,C=ES
certificate only present in cgo pool: CN=Xcode Server Builder (05/11/2018\, 09:57:44)
certificate only present in cgo pool: CN=armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva,OU=Dyd,O=BBVA,L=Madrid,ST=Madrid,C=ES
certificate only present in cgo pool: SERIALNUMBER=IDCES-12345678K,CN=NAME REMOVED FOR PRIVACY - 12345678K,C=ES
Number of trusted certs = 11
Cert 0: wifiaccess.grupobbva.com
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 1: vpnaas.es.nextgen.igrupobbva
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 2: isepsncorpeditc2.igrupobbva
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 3: link.live.es.platform.bbva.com
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 185.24.6.15
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 185.24.6.15
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Policy String         : 185.24.6.15
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 4: armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : atenea.live.global.ether.igrupobbva
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : atenea.live.global.ether.igrupobbva
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 5: Xcode Server Builder (05/11/2018, 09:57:44)
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 6: NAME REMOVED FOR PRIVACY - 87654321K
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 7: NAME REMOVED FOR PRIVACY - 12345678K
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 8: BBVA Autoridad de Certificacion Digital
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 9: BBVA CA Raiz
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 10: Global Root CA Work
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Number of trusted certs = 5
Cert 0: AutoFirma ROOT
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: 127.0.0.1
   Number of trust settings : 9
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: BBVA CA Servidores
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 3: BBVA Servidores Autoridad de Certificacion Digital
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 4: Global Root CA
   Number of trust settings : 0

!!! The test failed!

Please report *the whole output* at https://github.com/golang/go/issues/24652 wrapping it in ``` a code block ```
Thank you!
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: AutoFirma ROOT returned 1
crypto/x509: 127.0.0.1 returned 2
crypto/x509: BBVA CA Servidores returned 2
crypto/x509: BBVA Servidores Autoridad de Certificacion Digital returned 2
crypto/x509: Global Root CA returned 1
crypto/x509: wifiaccess.grupobbva.com returned 4
crypto/x509: vpnaas.es.nextgen.igrupobbva returned 1
crypto/x509: isepsncorpeditc2.igrupobbva returned 4
crypto/x509: link.live.es.platform.bbva.com returned 2
crypto/x509: armadillo.smlb.secaas-live-es.ext.es.iaas.igrupobbva returned 1
crypto/x509: Xcode Server Builder (05/11/2018, 09:57:44) returned 2
crypto/x509: NAME REMOVED FOR PRIVACY - 87654321K returned 2
crypto/x509: NAME REMOVED FOR PRIVACY - 12345678K returned 2
crypto/x509: BBVA Autoridad de Certificacion Digital returned 1
crypto/x509: BBVA CA Raiz returned 1
crypto/x509: Global Root CA Work returned 1
```
cvigo commented 5 years ago

> Unfortunately this change is hard to test and interacts with a very complex API, so I did not feel safe shipping it in 1.11 at the last minute. We will be targeting the next minor release after more testing.
>
> As a temporary workaround, in some cases you can make the trust settings explicit by opening Keychain Access, finding the relevant certificate, and marking it as Always Trust. It might even already show as such in the UI, because empty trust settings are the same as Always Trust, but Go doesn't understand that. Just toggling it in the UI back and forth should make the settings explicit.

It did not work for me unfortunately, although the trust settings are now printed by @FiloSottile's test:

Test results
Cert 4: Global Root CA
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
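
The trust-settings dumps above, together with the kSecTrustSettingsResult numbering the test prints (Invalid = 0 through Unspecified = 4), are the raw material the cgo root loader has to interpret. The following Go program is an added example, not code from crypto/x509 or from anyone in this thread: it parses that dump format and applies the rules the thread spells out, namely that a certificate with no trust settings at all is "Always Trust", that a setting without a Policy OID applies to every policy, and that a Deny wins. The sample dump is constructed, the certificate names in it are invented, and treating an Invalid result like a Deny is this example's own fail-closed choice. My assumption is that the dump format is what `security dump-trust-settings` prints; the thread itself does not name the command.

```go
package main

import (
	"fmt"
	"strings"
)

// kSecTrustSettingsResult values, numbered as the thread's test output prints them.
const (
	ResultInvalid     = 0
	ResultTrustRoot   = 1
	ResultTrustAsRoot = 2
	ResultDeny        = 3
	ResultUnspecified = 4
)
var resultByName = map[string]int{"Invalid": ResultInvalid, "TrustRoot": ResultTrustRoot, "TrustAsRoot": ResultTrustAsRoot, "Deny": ResultDeny, "Unspecified": ResultUnspecified}

// TrustSetting is one "Trust Setting N:" entry; an empty PolicyOID means it applies to every policy, and Result stays Invalid (0) if no "Result Type" line was seen.
type TrustSetting struct {
	PolicyOID string
	Result    int
}

// CertTrust is one "Cert N: <name>" entry of the dump together with its trust settings.
type CertTrust struct {
	Name     string
	Settings []TrustSetting
}

// ParseTrustDump parses dump-trust-settings style text like the output quoted in this thread; lines it does not need ("Number of ...", "Policy String", "Allowed Error") are skipped.
func ParseTrustDump(text string) ([]CertTrust, error) {
	var certs []CertTrust
	for _, raw := range strings.Split(text, "\n") {
		key, val, _ := strings.Cut(raw, ":")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch {
		case strings.HasPrefix(key, "Cert "):
			certs = append(certs, CertTrust{Name: val})
		case strings.HasPrefix(key, "Trust Setting ") && len(certs) > 0:
			certs[len(certs)-1].Settings = append(certs[len(certs)-1].Settings, TrustSetting{})
		case (key == "Policy OID" || key == "Result Type") && len(certs) > 0 && len(certs[len(certs)-1].Settings) > 0:
			c := &certs[len(certs)-1]
			s := &c.Settings[len(c.Settings)-1]
			if key == "Policy OID" {
				s.PolicyOID = val
			} else if r, ok := resultByName[strings.TrimPrefix(val, "kSecTrustSettingsResult")]; ok {
				s.Result = r
			} else {
				return nil, fmt.Errorf("unknown result type %q", val)
			}
		}
	}
	return certs, nil
}

// Verdicts returned by RootDecision.
const Trusted, Denied, Deferred = "trusted", "denied", "deferred"

// RootDecision applies the rules this thread discusses: no trust settings at all means "Always Trust"; a setting counts
// for its Policy OID, or for every policy if it has none; Deny wins; TrustRoot/TrustAsRoot trust. Invalid-as-Deny is my own choice.
func RootDecision(c CertTrust, policy string) string {
	if len(c.Settings) == 0 {
		return Trusted
	}
	verdict := Deferred
	for _, s := range c.Settings {
		switch {
		case s.PolicyOID != "" && s.PolicyOID != policy: // recorded for a different policy
		case s.Result == ResultDeny || s.Result == ResultInvalid:
			return Denied
		case s.Result == ResultTrustRoot || s.Result == ResultTrustAsRoot:
			verdict = Trusted
		}
	}
	return verdict
}

// sampleDump is constructed for this example in the format of the dump quoted above.
const sampleDump = `Cert 0: wifiaccess.example.test
   Trust Setting 0:
      Policy OID            : EAP
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 1: Example Root CA
   Number of trust settings : 0
Cert 2: Distrusted Root CA
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Result Type           : kSecTrustSettingsResultDeny
`

func main() {
	certs, err := ParseTrustDump(sampleDump)
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		fmt.Printf("%-24s SSL=%-8s EAP=%s\n", c.Name, RootDecision(c, "SSL"), RootDecision(c, "EAP"))
	}
}
```

On the constructed dump, Example Root CA (zero trust settings, the situation the Global Root CA above is in) comes out trusted for SSL, the EAP-only entry is deferred for SSL but trusted for EAP, and the policy-less Deny overrides the SSL TrustRoot recorded on the same certificate. To compare against a real machine, replace sampleDump with the dump for the user and admin domains and look for certificates that come out Deferred or Denied for SSL but that you expected in the pool.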
cvigo commented 5 years ago

Same error with go 1.11.3 😠

bcmills commented 5 years ago

@cvigo, the 1.11 backport of this issue is #26039, which is still open.

cvigo commented 5 years ago

> @cvigo, the 1.11 backport of this issue is #26039, which is still open.

true... as it is an old issue I missed the 1.12 milestone link

I will keep surviving with Dockerized go mod

FiloSottile commented 5 years ago

This issue should now be fixed in master, but more testing would be appreciated before we backport it, in particular by anyone who had the self-contained test fail.

You can use our ✨ new golang.org/dl/gotip tool ✨ to easily test the development branch:

```
go get golang.org/dl/gotip
gotip download
GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
```

You can also use gotip build or gotip get in place of go build/go get to test if the patches resolve any issues you were experiencing. Please report back! Thank you.

/cc @cvigo @dichque @wdec @adamrothman @calmh @dadrian @vdemario

cvigo commented 5 years ago

Mmmmm it does not look good...

```
❯ gotip version
go version devel +bc175e5 Mon Dec 17 03:49:37 2018 +0000 darwin/amd64
```

CA is Global Root CA


```
❯ GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
--- SKIP: TestSystemRoots (0.00s)
    root_darwin_test.go:21: skipping on darwin/amd64 until golang.org/issue/24652 has been resolved.
PASS
ok      crypto/x509 0.012s
```
 ❯ GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
crypto/x509: 16 certs have a trust policy
crypto/x509: verify-cert approved CN=mycompanyname CA Raiz,O=mycompanyname
crypto/x509: verify-cert approved CN=mycompanyname Autoridad de Certificacion Digital,O=My Company Name
crypto/x509: verify-cert approved CN=127.0.0.1
crypto/x509: verify-cert approved CN=AutoFirma ROOT
crypto/x509: verify-cert approved CN=mycompanyname CA Servidores,O=mycompanyname
crypto/x509: verify-cert approved CN=mycompanyname Servidores Autoridad de Certificacion Digital,OU=Para Uso Interno mycompanyname,O=My Company Name
crypto/x509: verify-cert approved CN=Global Root CA Work,OU=Security Architecture Cryptography,O=mycompanyname,C=ES
crypto/x509: verify-cert approved CN=Global Root CA,OU=Security Architecture Cryptography,O=mycompanyname,C=ES
crypto/x509: verify-cert approved CN=wifiaccess.mycompanyname.com,OU=Comunicaciones,O=mycompanyname,L=Bilbao,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.imycompanyname,O=mycompanyname,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.mycompanyname.com,OU=SECURITY,O=mycompanyname,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=vpnaas.es.datacenter.imycompanyname,OU=Security Architecture,O=mycompanyname,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.imycompanyname,OU=Dyd,O=mycompanyname,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Global Root CA Work,OU=Security Architecture Cryptography,O=mycompanyname,C=ES
crypto/x509: verify-cert approved CN=wifiaccess.mycompanyname.com,OU=Comunicaciones,O=mycompanyname,L=Bilbao,C=ES
crypto/x509: verify-cert approved CN=vpnaas.es.datacenter.imycompanyname,OU=Security Architecture,O=mycompanyname,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=isepsncorpeditc2.imycompanyname,O=mycompanyname,L=Madrid,ST=Madrid,C=ES
crypto/x509: verify-cert approved CN=link.live.es.platform.mycompanyname.com,OU=SECURITY,O=mycompanyname,L=MADRID,ST=MADRID,C=ES
crypto/x509: verify-cert rejected CN=armadillo.smlb.secaas-live-es.ext.es.iaas.imycompanyname,OU=Dyd,O=mycompanyname,L=Madrid,ST=Madrid,C=ES: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Xcode Server Builder (05/11/2018\, 09:57:44): "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN1 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN2 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN1 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Global Root CA Work,OU=Security Architecture Cryptography,O=mycompanyname,C=ES
crypto/x509: verify-cert rejected SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN2 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: ran security verify-cert 26 times
--- PASS: TestSystemRoots (0.94s)
    root_darwin_test.go:34:     cgo sys roots: 197.258052ms
    root_darwin_test.go:35: non-cgo sys roots: 698.610683ms
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=wifiaccess.mycompanyname.com,OU=Comunicaciones,O=mycompanyname,L=Bilbao,C=ES
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=isepsncorpeditc2.imycompanyname,O=mycompanyname,L=Madrid,ST=Madrid,C=ES
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=link.live.es.platform.mycompanyname.com,OU=SECURITY,O=mycompanyname,L=MADRID,ST=MADRID,C=ES
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
    root_darwin_test.go:96: off-EKU certificate only present in cgo pool (acceptable): SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN1 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES
    root_darwin_test.go:96: off-EKU certificate only present in cgo pool (acceptable): SERIALNUMBER=IDCES-XXXXXXXXX,CN=CN2 REMOVED FOR PRIVACY - XXXXXXXXX,C=ES
    root_darwin_test.go:96: off-EKU certificate only present in cgo pool (acceptable): CN=Xcode Server Builder (05/11/2018\, 09:57:44)
PASS
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: AutoFirma ROOT returned 1
crypto/x509: 127.0.0.1 returned 2
crypto/x509: mycompanyname CA Servidores returned 2
crypto/x509: mycompanyname Servidores Autoridad de Certificacion Digital returned 2
crypto/x509: Global Root CA returned 1
crypto/x509: wifiaccess.mycompanyname.com returned 4
crypto/x509: vpnaas.es.datacenter.imycompanyname returned 1
crypto/x509: isepsncorpeditc2.imycompanyname returned 4
crypto/x509: link.live.es.platform.mycompanyname.com returned 4
crypto/x509: armadillo.smlb.secaas-live-es.ext.es.iaas.imycompanyname returned 4
crypto/x509: Xcode Server Builder (05/11/2018, 09:57:44) returned 2
crypto/x509: CN2 REMOVED FOR PRIVACY - XXXXXXXXX returned 2
crypto/x509: CN1 REMOVED FOR PRIVACY - XXXXXXXXX returned 2
crypto/x509: Global Root CA Work returned 1
crypto/x509: mycompanyname Autoridad de Certificacion Digital returned 1
crypto/x509: mycompanyname CA Raiz returned 1
ok      crypto/x509 (cached)
go get -v -u scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf (FAIL)

```
 ❯ GODEBUG=1 go get -v -u scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf
Fetching https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1
https fetch failed: Get https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1: x509: certificate signed by unknown authority
Fetching https://scm.es.datacenter.imycompanyname/connectors?go-get=1
https fetch failed: Get https://scm.es.datacenter.imycompanyname/connectors?go-get=1: x509: certificate signed by unknown authority
Fetching https://scm.es.datacenter.imycompanyname?go-get=1
https fetch failed: Get https://scm.es.datacenter.imycompanyname?go-get=1: x509: certificate signed by unknown authority
go get scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf: unrecognized import path "scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf" (https fetch: Get https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1: x509: certificate signed by unknown authority)
```
gotip get -v -u scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf (also FAIL)

```
 ❯ GODEBUG=x509roots=1 gotip get -v -u scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf
Fetching https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: AutoFirma ROOT returned 1
crypto/x509: 127.0.0.1 returned 2
crypto/x509: mycompanyname CA Servidores returned 2
crypto/x509: mycompanyname Servidores Autoridad de Certificacion Digital returned 2
crypto/x509: Global Root CA returned 1
crypto/x509: wifiaccess.mycompanyname.com returned 4
crypto/x509: vpnaas.es.datacenter.imycompanyname returned 1
crypto/x509: isepsncorpeditc2.imycompanyname returned 4
crypto/x509: link.live.es.platform.mycompanyname.com returned 4
crypto/x509: armadillo.smlb.secaas-live-es.ext.es.iaas.imycompanyname returned 4
crypto/x509: Xcode Server Builder (05/11/2018, 09:57:44) returned 2
crypto/x509: CN2 REMOVED FOR PRIVACY - XXXXXXXXX returned 2
crypto/x509: CN1 REMOVED FOR PRIVACY - XXXXXXXXX returned 2
crypto/x509: Global Root CA Work returned 1
crypto/x509: mycompanyname Autoridad de Certificacion Digital returned 1
crypto/x509: mycompanyname CA Raiz returned 1
https fetch failed: Get https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1: x509: certificate signed by unknown authority
Fetching https://scm.es.datacenter.imycompanyname/connectors?go-get=1
https fetch failed: Get https://scm.es.datacenter.imycompanyname/connectors?go-get=1: x509: certificate signed by unknown authority
Fetching https://scm.es.datacenter.imycompanyname?go-get=1
https fetch failed: Get https://scm.es.datacenter.imycompanyname?go-get=1: x509: certificate signed by unknown authority
go get scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf: unrecognized import path "scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf" (https fetch: Get https://scm.es.datacenter.imycompanyname/connectors/titan_sql_protobuf?go-get=1: x509: certificate signed by unknown authority)
```

dadrian commented 5 years ago

@FiloSottile tests passed for me.

```
$ GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
crypto/x509: 3 certs have a trust policy
crypto/x509: verify-cert approved CN=X Proto CA,OU=0x21,O=University of Michigan,L=Ann Arbor,ST=Michigan,C=US
crypto/x509: verify-cert approved CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
crypto/x509: verify-cert rejected CN=dlv-cert: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
crypto/x509: ran security verify-cert 4 times
--- PASS: TestSystemRoots (0.63s)
    root_darwin_test.go:34:     cgo sys roots: 315.417942ms
    root_darwin_test.go:35: non-cgo sys roots: 245.18544ms
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
    root_darwin_test.go:96: off-EKU certificate only present in cgo pool (acceptable): CN=dlv-cert
PASS
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: dlv-cert returned 1
crypto/x509: X Proto CA returned 1
crypto/x509: radius.umnet.umich.edu returned 4
ok      crypto/x509 0.648s
```

FiloSottile commented 5 years ago

@cvigo Hmm, that's weird because the tests pass, suggesting cgo and non-cgo agree, and the debug output suggests "Global Root CA" was added to the pool. Is the chain well-formed, with all the necessary intermediates?

cvigo commented 5 years ago

OMG... Just found this:

When I reported the issue, the Cert chain was: [screenshots]

Global Root CA was set by me as "Always Trust"; the intermediate Global Issuing CA Infrastructure and the final Cert were, therefore, implicitly trusted and reported as valid by Google Chrome and curl, but rejected by go get and go mod.

Now I changed the intermediate Global Issuing CA Infrastructure from "Use System Defaults" to explicit "Always Trust" and everything works, including go 1.11.3.

[screenshots]

I thought the trustworthiness would be inherited from the root certificate down the tree and, actually, that is the case for browsers including curl, but Go is behaving differently.

FiloSottile commented 5 years ago

It is indeed supposed to be inherited, so that's not intended behavior, if the server sends a full chain including the intermediate. There might also be something about the root CA that makes it disqualified from forming chains, if you can share it at filippo@golang.org I can look into that.
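
The inheritance Filippo describes depends on the verifier being able to build a path from the leaf up to a trusted root, and on a plain Go client the only place the intermediate can come from is the server's own TLS chain. The program below is an added example, not code from this issue or from the Go project: it constructs a root, an intermediate and a leaf in memory (every name in it is made up), trusts only the root, and runs crypto/x509 verification once with the intermediate supplied and once without it. The second case yields the same `x509: certificate signed by unknown authority` error that appears throughout this thread.

```go
// Added example, not code from this issue or from the Go project: a constructed
// root -> intermediate -> leaf chain verified with crypto/x509, trusting only the root.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three constructed certificates (all names are made up).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with the parent's key; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate builds a CA template; IsCA plus BasicConstraintsValid is what lets it form chains.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildChain constructs root -> intermediate -> leaf with fresh P-256 keys.
func BuildChain() Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := sign(caTemplate(1, "Example Global Root CA"), nil, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate(2, "Example Issuing CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "scm.example.test"},
		DNSNames:     []string{"scm.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf verifies c.Leaf for host with only c.Root trusted; sendIntermediate
// models whether the server included the intermediate in its TLS chain.
func VerifyLeaf(c Chain, host string, sendIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	if sendIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var target x509.UnknownAuthorityError
	return errors.As(err, &target)
}

func main() {
	c := BuildChain()
	fmt.Println("with intermediate:   ", VerifyLeaf(c, "scm.example.test", true))
	fmt.Println("without intermediate:", VerifyLeaf(c, "scm.example.test", false))
}
```

This separates the two questions that get mixed up in this thread. If a leaf verifies in a program like this one with the organization's real root in `Roots` but `go get` still fails, the server is not sending its intermediate and the fix belongs on the server; if it fails even with the intermediate supplied, the root itself is not reaching `SystemCertPool`, which is the root-extraction problem the `TestSystemRoots` output above is designed to expose.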

cvigo commented 5 years ago

> It is indeed supposed to be inherited, so that's not intended behavior, if the server sends a full chain including the intermediate. There might also be something about the root CA that makes it disqualified from forming chains, if you can share it at filippo@golang.org I can look into that.

Done, thanks!!

diligiant commented 5 years ago

@FiloSottile failed

```
gotip version
go version devel +5efe9a8 Wed Jan 9 07:21:16 2019 +0000 darwin/amd64
GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
crypto/x509: 2 certs have a trust policy
crypto/x509: verify-cert rejected CN=com.apple.servermgrd,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
crypto/x509: verify-cert approved CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
crypto/x509: ran security verify-cert 3 times
Number of trusted certs = 1
Cert 0: sks-keyservers.net CA
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Number of trusted certs = 1
Cert 0: com.apple.servermgrd
   Number of trust settings : 0
--- FAIL: TestSystemRoots (0.52s)
    root_darwin_test.go:35:     cgo sys roots: 221.194313ms
    root_darwin_test.go:36: non-cgo sys roots: 153.880594ms
    root_darwin_test.go:77: certificate only present in non-cgo pool: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO (verify error: x509: certificate signed by unknown authority)
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
    root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): CN=com.apple.servermgrd,C=US
FAIL
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: com.apple.servermgrd returned 1
crypto/x509: sks-keyservers.net CA returned 4
FAIL    crypto/x509 0.543s
```

dmitshur commented 5 years ago

Latest tip (commit 99ea99ec4c) passed on my personal Mac with macOS Mojave 10.14.2 (18C54).

```
$ ../bin/go version
go version devel +99ea99ec4c Wed Jan 9 14:49:46 2019 +0000 darwin/amd64
$ GODEBUG=x509roots=1 ../bin/go test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
crypto/x509: exec ["/usr/bin/security" "trust-settings-export" "/var/folders/b8/66r1c5856mqds1mrf2tjtq8w0000gn/T/x509trustpolicy762449975/user"]: exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
crypto/x509: exec ["/usr/bin/security" "trust-settings-export" "-d" "/var/folders/b8/66r1c5856mqds1mrf2tjtq8w0000gn/T/x509trustpolicy762449975/admin"]: exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
crypto/x509: 0 certs have a trust policy
crypto/x509: ran security verify-cert 0 times
--- PASS: TestSystemRoots (0.30s)
    root_darwin_test.go:35:     cgo sys roots: 178.537621ms
    root_darwin_test.go:36: non-cgo sys roots: 96.198864ms
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
PASS
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
ok      crypto/x509 0.315s
```

zdjones commented 5 years ago

Failed on macOS High Sierra 10.13.6 (17G4015)

```
go $ devgo version
go version devel +5538a9a34f Fri Jan 18 22:41:47 2019 +0000 darwin/amd64
go $ GODEBUG=x509roots=1 devgo test -v -run TestSystemRoots crypto/x509
```

```
=== RUN   TestSystemRoots
crypto/x509: exec ["/usr/bin/security" "trust-settings-export" "-d" "/var/folders/7j/jp_42qg96kq95d514353znfc0000gn/T/x509trustpolicy901297289/admin"]: exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
crypto/x509: 1 certs have a trust policy
crypto/x509: verify-cert approved CN=GD-ISE-1.msad.igl
crypto/x509: verify-cert approved CN=GD-ISE-1.msad.igl
crypto/x509: ran security verify-cert 2 times
Number of trusted certs = 1
Cert 0: GD-ISE-1.msad.igl
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
SecTrustSettingsCopyCertificates: No Trust Settings were found.
--- FAIL: TestSystemRoots (0.50s)
    root_darwin_test.go:35:     cgo sys roots: 222.450266ms
    root_darwin_test.go:36: non-cgo sys roots: 153.410374ms
    root_darwin_test.go:77: certificate only present in non-cgo pool: CN=GD-ISE-1.msad.igl (verify error: x509: certificate signed by unknown authority)
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
FAIL
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: GD-ISE-1.msad.igl returned 4
FAIL    crypto/x509 0.525s
```

vdemario commented 5 years ago

Tests are passing for me now! Yay 🎉 Sorry for the delay.

gopherbot commented 5 years ago

Change https://golang.org/cl/162860 mentions this issue: [release-branch.go1.11] crypto/x509: fix root CA extraction on macOS (cgo path)

gopherbot commented 5 years ago

Change https://golang.org/cl/162861 mentions this issue: [release-branch.go1.11] crypto/x509: fix root CA extraction on macOS (no-cgo path)

Lax77 commented 5 years ago

I am running go 1.11.5 on Mac 10.13.6 and I keep getting `x509: certificate signed by unknown authority` when I try to get dependencies, e.g. k8s.io/api. My gotip test result is a pass for me though. All I was doing is trying to fetch dependencies with operator-sdk. Any suggestions on how I can go about resolving it?

`$ go get k8s.io/api`

```
package k8s.io/api: unrecognized import path "k8s.io/api" (https fetch: Get https://k8s.io/api?go-get=1: x509: certificate signed by unknown authority)
```

`$ dep ensure`

```
The following issues were found in Gopkg.toml:
  ✗ unable to deduce repository and source type for "k8s.io/cli-runtime": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/cli-runtime?go-get=1": Get https://k8s.io/cli-runtime?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/helm": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/helm?go-get=1": Get https://k8s.io/helm?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/kube-aggregator": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/kube-aggregator?go-get=1": Get https://k8s.io/kube-aggregator?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/apimachinery": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apimachinery?go-get=1": Get https://k8s.io/apimachinery?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/kubernetes": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/kubernetes?go-get=1": Get https://k8s.io/kubernetes?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/apiextensions-apiserver": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apiextensions-apiserver?go-get=1": Get https://k8s.io/apiextensions-apiserver?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/client-go": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/client-go?go-get=1": Get https://k8s.io/client-go?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/kube-openapi": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/kube-openapi?go-get=1": Get https://k8s.io/kube-openapi?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/api": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/api?go-get=1": Get https://k8s.io/api?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "k8s.io/apiserver": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apiserver?go-get=1": Get https://k8s.io/apiserver?go-get=1: x509: certificate signed by unknown authority
  ✗ unable to deduce repository and source type for "sigs.k8s.io/controller-runtime": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://sigs.k8s.io/controller-runtime?go-get=1": Get https://sigs.k8s.io/controller-runtime?go-get=1: x509: certificate signed by unknown authority
ProjectRoot name validation failed
```

FiloSottile commented 5 years ago

@Lax77 Please run the test from https://github.com/golang/go/issues/24652#issuecomment-447705308. If it passes, just wait for 1.11.6 or 1.12. If not, please open a new issue with the output and tag me.

(Locking this issue because we shipped a fix, it's getting hard to follow and we shouldn't keep pinging everyone. If you have a similar issue or if you run the tests and they fail, please open a new issue referencing this one and tagging me.)

gopherbot commented 4 years ago

Change https://golang.org/cl/227037 mentions this issue: crypto/x509: use Security.framework without cgo for roots on macOS