zmap / zcrypto

Liberal Go TLS + X.509 Library for Research

The cert is trusted by the browser, but zcrypto displays the certificate as invalid? #341

Closed chushuai closed 9 months ago

chushuai commented 2 years ago

https://new-proxy.shunwang.com/

The cert is trusted by the browser, but zcrypto displays the certificate as invalid.

chushuai commented 2 years ago

It does not load the system default certificates.
The zcrypto code:
https://github.com/zmap/zcrypto/blob/master/x509/verify.go#L283

    if opts.Roots == nil {
        err = SystemRootsError{}
        return
    }

the golang crypto/tls


    if opts.Roots == nil {
        opts.Roots = systemRootsPool()
        if opts.Roots == nil {
            return nil, SystemRootsError{systemRootsErr}
        }
    }

mzpqnxow commented 1 year ago

I believe this is by design, to provide flexibility

If you desire the same behavior as the upstream golang tls, you should set opt.roots = systemRootsPool() when calling that function

dadrian commented 9 months ago

Yes, this is intentional. You must provide your own roots when using ZCrypto.
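
An added example, not part of the thread and not zcrypto's own code: it shows what the "no implicit system roots" behaviour discussed above means for a caller. It uses Go's standard crypto/x509 rather than zcrypto so that it runs without external modules; `verifyStrict`, `issue` and `demo` are hypothetical names, and all certificates are constructed test fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyStrict (hypothetical) mirrors the nil-roots check quoted in the issue: no pool, no fallback.
func verifyStrict(leaf *x509.Certificate, roots *x509.CertPool) error {
	if roots == nil {
		return x509.SystemRootsError{} // the system trust store is never consulted
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// issue creates a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk)
	if err != nil {
		panic(err) // fixture generation failed
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo verifies one leaf with no pool, with its issuing CA, and with an unrelated CA.
func demo() (noRoots, rightRoot, wrongRoot error) {
	ca, caKey := issue("constructed CA", nil, nil)
	other, _ := issue("unrelated constructed CA", nil, nil)
	leaf, _ := issue("leaf.example", ca, caKey)
	good, bad := x509.NewCertPool(), x509.NewCertPool()
	good.AddCert(ca)
	bad.AddCert(other)
	return verifyStrict(leaf, nil), verifyStrict(leaf, good), verifyStrict(leaf, bad)
}
func main() { fmt.Println(demo()) }
```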