[client] use embedded root CA if system certpool is empty (#3272)

* Implement custom TLS certificate handling with fallback to embedded roots
2026-04-18 08:16:39 +00:00 · 2025-02-04 18:17:59 +03:00
parent 7d385b8dc3
commit 0125cd97d8
8 changed files with 160 additions and 6 deletions
--- a/relay/tls/client_dev.go
+++ b/relay/tls/client_dev.go
@@ -2,11 +2,25 @@

 package tls

-import "crypto/tls"
+import (
+	"crypto/tls"
+	"crypto/x509"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/util/embeddedroots"
+)

 func ClientQUICTLSConfig() *tls.Config {
+	certPool, err := x509.SystemCertPool()
+	if err != nil || certPool == nil {
+		log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
+		certPool = embeddedroots.Get()
+	}
+
 	return &tls.Config{
 		InsecureSkipVerify: true,             // Debug mode allows insecure connections
 		NextProtos:         []string{nbalpn}, // Ensure this matches the server's ALPN
+		RootCAs:            certPool,
 	}
 }
--- a/relay/tls/client_prod.go
+++ b/relay/tls/client_prod.go
@@ -2,10 +2,24 @@

 package tls

-import "crypto/tls"
+import (
+	"crypto/tls"
+	"crypto/x509"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/util/embeddedroots"
+)

 func ClientQUICTLSConfig() *tls.Config {
+	certPool, err := x509.SystemCertPool()
+	if err != nil || certPool == nil {
+		log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
+		certPool = embeddedroots.Get()
+	}
+
 	return &tls.Config{
 		NextProtos: []string{nbalpn},
+		RootCAs:    certPool,
 	}
 }