On Thu, Dec 15, 2016 at 04:35:09PM +0000, Alex Flint wrote:
> Does anyone know of a golang package that embeds (go-bindata or similar) a
> reasonable standard set of CA roots?

No, but the common approach is to rely on the root CA set maintained by
Mozilla. This should correspond to the latest Firefox release:

https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

You might want to check with your trusted distribution packager for some
scripts to convert this into a format that's nicer to work with. See e.g.
certdata2pem.py from Fedora or MAca-bundle.pl.in from FreeBSD ports.

https://src.fedoraproject.org/cgit/rpms/ca-certificates.git/tree/
https://svnweb.freebsd.org/ports/head/security/ca_root_nss/files/

Or just use the ones from the binary packages and put them in the
appropriate places within the file system so that the standard library
will pick them up.

Of course, the usual things apply, like that if you ship it you're
responsible for maintaining it, too. Regularly syncing with Mozilla
upstream should be enough in this case.
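
An added example, not part of the original message: one way to load a shipped PEM bundle (such as one converted from certdata.txt) into an x509.CertPool while counting entries that are expired or otherwise unusable, which is the signal that the bundle needs a resync with upstream. PoolFromBundle and constructedRoot are hypothetical names, and the two certificates are throwaway roots constructed at run time as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PoolFromBundle (hypothetical name) loads usable roots; skipped counts non-cert, unparsable, non-CA or out-of-date entries.
func PoolFromBundle(bundle []byte, now time.Time) (pool *x509.CertPool, added, skipped int, err error) {
	pool = x509.NewCertPool()
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, perr := x509.ParseCertificate(block.Bytes)
		if block.Type != "CERTIFICATE" || perr != nil || !cert.IsCA || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			skipped++
			continue
		}
		pool.AddCert(cert)
		added++
	}
	if added == 0 { // refuse to hand back a pool that trusts nothing
		return nil, 0, skipped, fmt.Errorf("no usable roots in bundle (%d skipped)", skipped)
	}
	return pool, added, skipped, nil
}

// constructedRoot makes a throwaway self-signed CA as sample input (constructed, not a real root).
func constructedRoot(cn string, from, to time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	live := constructedRoot("Constructed Live Root", now.Add(-time.Hour), now.Add(time.Hour))
	old := constructedRoot("Constructed Expired Root", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	_, added, skipped, err := PoolFromBundle(append(live, old...), now)
	fmt.Println(added, skipped, err) // in real use the returned pool goes in tls.Config.RootCAs
}
```

A rising skipped count between builds means roots in the shipped bundle have expired and it is time to regenerate it from upstream.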