1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/vendor/github.com/google/certificate-transparency/README-MacOS.md
Akihiro Suda 5a1b06d7fd rerun vndr
* run latest vndr so as to collect more LICENSE files
 * remove unused packages
 * vendor github.com/philhofer/fwd with LICENSE.md (MIT)
 * vendor github.com/bsphere/le_go with LICENSE (MIT)

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-03-08 02:29:34 +00:00

2.1 KiB

OS X Specific Instructions

Builds

We recommend that you use GClient to build on OSX. Please follow the instructions in the main readme file.

Trusted root certificates

The CT code requires a set of trusted root certificates in order to:

  1. Validate outbound HTTPS connections
  2. (In the case of the log-server) decide whether to accept a certificate chain for inclusion.

On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains Apple-provided patches which intercept failed chain validations and re-attempts them using roots obtained from the system keychain. Since we use a much more recent (and unpatched) version of OpenSSL this behaviour is unsupported and so a PEM file containing the trusted root certs must be used.

To use a certificate PEM bundle file with the CT C++ code, the following methods may be used.

Incoming inclusion requests (ct-server only)

Set the --trusted_cert_file flag to point to the location of the PEM file containing the set of root certificates whose chains should be accepted for inclusion into the log.

For verifying outbound HTTPS connections (ct-mirror)

Either set the --trusted_roots_certs flag, or the SSL_CERT_FILE environment variable, to point to the location of the PEM file containing the root certificates to be used to verify the outbound HTTPS connection.

Sources of trusted roots

Obviously the choice of root certificates to trust for outbound HTTPS connections and incoming inclusion requests are a matter of operating policy, but it is often useful to have a set of common roots for testing and development at the very least.

While OSX ships with a set of common trusted roots, they are not directly available to OpenSSL and must be exported from the keychain first. This can be achieved with the following command:

security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem