moby--moby/vendor/github.com/google/certificate-transparency/README-MacOS.md

OS X Specific Instructions
==========================

Builds
------

We recommend that you use GClient to build on OSX. Please follow the
instructions in the [main readme](README.md) file.

Trusted root certificates
-------------------------

The CT code requires a set of trusted root certificates in order to:
   1. Validate outbound HTTPS connections
   2. (In the case of the log-server) decide whether to accept a certificate
      chain for inclusion.

On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
Apple-provided patches which intercept failed chain validations and re-attempts
them using roots obtained from the system keychain. Since we use a much more
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
a PEM file containing the trusted root certs must be used.

To use a certificate PEM bundle file with the CT C++ code, the following
methods may be used.

### Incoming inclusion requests (ct-server only)

Set the `--trusted_cert_file` flag to point to the location of the PEM file
containing the set of root certificates whose chains should be accepted for
inclusion into the log.

### For verifying outbound HTTPS connections (ct-mirror)

Either set the `--trusted_roots_certs` flag, or the `SSL_CERT_FILE`
environment variable, to point to the location of the PEM file containing the
root certificates to be used to verify the outbound HTTPS connection.

Sources of trusted roots
------------------------

Obviously the choice of root certificates to trust for outbound HTTPS
connections and incoming inclusion requests are a matter of operating policy,
but it is often useful to have a set of common roots for testing and
development at the very least.

While OSX ships with a set of common trusted roots, they are not directly
available to OpenSSL and must be exported from the keychain first.  This can be
achieved with the following command:

```bash
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
```
rerun vndr * run latest vndr so as to collect more LICENSE files * remove unused packages * vendor github.com/philhofer/fwd with LICENSE.md (MIT) * vendor github.com/bsphere/le_go with LICENSE (MIT) Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2017-03-06 09:17:55 +00:00			`OS X Specific Instructions`
			`==========================`

			`Builds`
			`------`

			`We recommend that you use GClient to build on OSX. Please follow the`
			`instructions in the [main readme](README.md) file.`

			`Trusted root certificates`
			`-------------------------`

			`The CT code requires a set of trusted root certificates in order to:`
			`1. Validate outbound HTTPS connections`
			`2. (In the case of the log-server) decide whether to accept a certificate`
			`chain for inclusion.`

			`On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains`
			`Apple-provided patches which intercept failed chain validations and re-attempts`
			`them using roots obtained from the system keychain. Since we use a much more`
			`recent (and unpatched) version of OpenSSL this behaviour is unsupported and so`
			`a PEM file containing the trusted root certs must be used.`

			`To use a certificate PEM bundle file with the CT C++ code, the following`
			`methods may be used.`

			`### Incoming inclusion requests (ct-server only)`

			Set the `--trusted_cert_file` flag to point to the location of the PEM file
			`containing the set of root certificates whose chains should be accepted for`
			`inclusion into the log.`

			`### For verifying outbound HTTPS connections (ct-mirror)`

			Either set the `--trusted_roots_certs` flag, or the `SSL_CERT_FILE`
			`environment variable, to point to the location of the PEM file containing the`
			`root certificates to be used to verify the outbound HTTPS connection.`

			`Sources of trusted roots`
			`------------------------`

			`Obviously the choice of root certificates to trust for outbound HTTPS`
			`connections and incoming inclusion requests are a matter of operating policy,`
			`but it is often useful to have a set of common roots for testing and`
			`development at the very least.`

			`While OSX ships with a set of common trusted roots, they are not directly`
			`available to OpenSSL and must be exported from the keychain first. This can be`
			`achieved with the following command:`

			```bash
			`security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem`
			`security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem`
			```