Add a feature flag to disable resolving of TLS chain
In the past, the runner needed to resolve a full TLS certificate chain, including the self-signed root, in order for Git clones to work over HTTPS. Go 1.9 changed the behavior to present a partial certificate chain if a trusted intermediate certificate was placed in the system certificate directory (https://github.com/golang/go/issues/24685). !1581 (merged) worked around that change by restoring the Go 1.8 behavior of presenting the full chain in CI_SERVER_TLS_CA_FILE.
libcurl v7.68 has since fixed the behavior to trust a certificate authority that is not self-signed (https://github.com/curl/curl/commit/94f1f771586913addf5c68f9219e176036c50115). As a result, resolving the full chain is no longer necessary. As long as there is a trusted certificate authority in the chain, the TLS connection can proceed.
Go 1.18 modified Certificate.Verify to use the macOS and Windows-specific platform APIs. As a result, a root certificate signed with a SHA-1 certificate will be rejected, which prevents the runner from generating CI_SERVER_TLS_CA_FILE. This may cause Git clones to fail.
This commit adds a feature flag, FF_RESOLVE_FULL_TLS_CHAIN, that is enabled by default. This flag makes it possible to disable this resolving of the full certificate chain. On most platforms, this can be disabled safely, assuming Git and other clients are compiled with an updated libcurl version.
Relates to #29373 (closed)
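The trust configurations discussed above (full chain ending in the self-signed root versus a trusted intermediate on its own), as an added example in Go that is not part of this merge request or of the runner's code. It builds a constructed private PKI in memory (a root, an issuing CA and a server leaf for the hypothetical host gitlab.example.test) and checks which configurations Go's own chain builder accepts when handed an explicit trust pool. It exercises Go's verifier only, not libcurl, and because the root pool is set explicitly it never reaches the macOS/Windows platform verifier that Go 1.18 uses when no roots are given.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a counter for serial numbers in this constructed, in-memory PKI.
var serial int64

// mkCert issues a certificate for cn. With parent == nil the certificate is
// self-signed (a root); otherwise it is signed by parent using parentKey.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs must be allowed to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // hostname is matched against SANs, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain is the constructed hierarchy: private root -> issuing CA -> server leaf.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
}

// BuildChain creates the constructed hierarchy for the hypothetical host gitlab.example.test.
func BuildChain() Chain {
	root, rootKey := mkCert("Example Private Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Issuing CA", true, root, rootKey)
	leaf, _ := mkCert("gitlab.example.test", false, inter, interKey)
	return Chain{Root: root, Inter: inter, Leaf: leaf}
}

// verifies reports whether leaf chains to one of anchors, using intermediates
// for chain building (the role a CA bundle such as CI_SERVER_TLS_CA_FILE plays).
func verifies(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate) bool {
	roots := x509.NewCertPool() // explicit, non-nil pool: no fallback to system roots
	for _, c := range anchors {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "gitlab.example.test",
		Roots:         roots,
		Intermediates: inters,
	})
	return err == nil
}

// Scenarios evaluates the leaf under three trust configurations.
func Scenarios(c Chain) map[string]bool {
	return map[string]bool{
		// Self-signed root trusted and the intermediate supplied: the full-chain CA file case.
		"root_trusted_full_chain": verifies(c.Leaf, []*x509.Certificate{c.Root}, []*x509.Certificate{c.Inter}),
		// Only the (non-self-signed) intermediate trusted: a partial chain suffices
		// for a verifier that accepts an intermediate as a trust anchor.
		"intermediate_trusted_only": verifies(c.Leaf, []*x509.Certificate{c.Inter}, nil),
		// Root trusted but the intermediate missing everywhere: no chain can be built.
		"root_trusted_intermediate_missing": verifies(c.Leaf, []*x509.Certificate{c.Root}, nil),
	}
}

func main() {
	for name, ok := range Scenarios(BuildChain()) {
		fmt.Printf("%-36s verified=%v\n", name, ok)
	}
}
```

Run it with `go run`; the first two scenarios verify and the third fails, which is the behaviour the flag relies on: a bundle containing a trusted intermediate is enough, while a bundle whose chain stops short of any trusted CA is not.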