Windows dynamically loads the root store. A fresh install ships with a minimal root pool that is necessary for fetching further roots. We use Windows APIs for verifying received certificates, and it's possible that while trying to verify a certificate, Windows is trying to fetch the relevant root from the Microsoft servers. If it cannot reach the internet, this call may block and cause the timeout.
On Friday, October 17, 2025 at 6:49:41 PM UTC-7 Jason E. Aten wrote:
>
> why did Openbao loading of system CAs take so long to load on
> problematic Windows machine?
>
> I would write a Go test that sets up a TLS client that connects to the server
> repeatedly to see if it is consistent or variable. Then add prints with
> timestamps that show where and when you are executing stuff
> (technique demonstrated here https://github.com/glycerine/vprint )
> inside the BaoServer to see what is happening.
>
> https://go.dev/blog/execution-traces-2024 tracing might also be helpful.
>
>
> Could access to internet be a factor?
>
> Wireshark is what I think of here. https://www.wireshark.org/ lets you
> record and inspect
> all network traffic. If you have to, to read encrypted traffic in
> Wireshark, you can dump the
> session secret using
> https://pkg.go.dev/crypto/tls#example-Config-KeyLogWriter
> by hacking/setting KeyLogWriter and then tell Wireshark about it and it
> will give you
> plaintext back when you are searching through packets.
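The diagnostic suggested in the quoted message (repeated, timestamped TLS handshakes plus a `KeyLogWriter` for Wireshark), as an added example that is not code from this thread or from OpenBao. The names `timeHandshakes` and `probeLocal` are hypothetical, and a throwaway local `httptest` server stands in for the real one so the block runs offline; passing `nil` roots and the real server address is what exercises the system root store.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http/httptest"
	"time"
)

// timeHandshakes dials addr n times and returns the wall-clock time of each
// TCP connect plus TLS handshake. Session secrets go to keyLog in NSS format.
func timeHandshakes(addr string, roots *x509.CertPool, keyLog io.Writer, n int) ([]time.Duration, error) {
	cfg := &tls.Config{
		RootCAs:      roots,  // nil means "verify against the system root store"
		KeyLogWriter: keyLog, // debugging only: lets Wireshark decrypt the capture
	}
	out := make([]time.Duration, 0, n)
	for i := 0; i < n; i++ {
		start := time.Now()
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return out, fmt.Errorf("handshake %d after %v: %w", i, time.Since(start), err)
		}
		out = append(out, time.Since(start))
		conn.Close()
	}
	return out, nil
}

// probeLocal runs the measurement against a local TLS server constructed for
// this example, trusting only that server's certificate.
func probeLocal(n int) ([]time.Duration, string, error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	var keys bytes.Buffer
	d, err := timeHandshakes(srv.Listener.Addr().String(), roots, &keys, n)
	return d, keys.String(), err
}

func main() {
	d, keys, err := probeLocal(5)
	fmt.Println("handshake times:", d, "err:", err)
	fmt.Printf("key log bytes: %d\n", len(keys))
}
```

A first handshake that is much slower than the rest, seen only on the affected machine, points at one-time work during certificate verification rather than at the server.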
