Deprecate tlsconfig.SystemCertPool

thaJeztah · thaJeztah · commit 593f13d26704 · 2026-03-23T23:35:38.000+01:00
The wrapper originally existed for historical compatibility reasons that no longer apply: - 55aadc3 removed the pre-Go-1.7 fallback implementation, leaving the wrapper mainly as a shim around x509.SystemCertPool. - 3723764 kept a Windows-specific exception because x509.SystemCertPool on Windows was not yet reliable at the time. - f652133 and 21876c5 preserved that behavior while the package continued to support older Go versions and older Windows handling. With current Go versions, x509.SystemCertPool is the correct API on all supported platforms, including Windows, and the old special-case is no longer needed. Keeping a package-local wrapper only adds indirection and retains stale historical behavior and comments. This change keeps the existing behavior of using the system trust store as the base when building non-exclusive root pools; it only deprecates the local wrapper in favor of the standard library entrypoint. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/tlsconfig/certpool.go b/tlsconfig/certpool.go
@@ -1,16 +1,12 @@
 package tlsconfig
 
-import (
-	"crypto/x509"
-	"runtime"
-)
+import "crypto/x509"
 
-// SystemCertPool returns a copy of the system cert pool,
-// returns an error if failed to load or empty pool on windows.
+// SystemCertPool returns a copy of the system cert pool.
+//
+// Deprecated: use [x509.SystemCertPool] instead.
+//
+//go:fix inline
 func SystemCertPool() (*x509.CertPool, error) {
-	certpool, err := x509.SystemCertPool()
-	if err != nil && runtime.GOOS == "windows" {
-		return x509.NewCertPool(), nil
-	}
-	return certpool, err
+	return x509.SystemCertPool()
 }
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
@@ -84,7 +84,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	if exclusivePool {
 		pool = x509.NewCertPool()
 	} else {
-		pool, err = SystemCertPool()
+		pool, err = x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
@@ -183,9 +183,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 	if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {
 		t.Fatal("ClientAuth was not set to what was in the options")
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
@@ -441,9 +441,9 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {`
`84`	`84`	`if exclusivePool {`
`85`	`85`	`pool = x509.NewCertPool()`
`86`	`86`	`} else {`
`87`		`- pool, err = SystemCertPool()`
	`87`	`+ pool, err = x509.SystemCertPool()`
`88`	`88`	`if err != nil {`
`89`	`89`	`return nil, fmt.Errorf("failed to read system certificates: %v", err)`
`90`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -183,9 +183,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) {`
`183`	`183`	`if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {`
`184`	`184`	`t.Fatal("ClientAuth was not set to what was in the options")`
`185`	`185`	`}`
`186`		`- basePool, err := SystemCertPool()`
	`186`	`+ basePool, err := x509.SystemCertPool()`
`187`	`187`	`if err != nil {`
`188`		`- basePool = x509.NewCertPool()`
	`188`	`+ t.Fatal("Failed to get SystemCertPool", err)`
`189`	`189`	`}`
`190`	`190`	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
`191`	`191`	`if tlsConfig.ClientCAs == nil \|\| len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.`
`@@ -441,9 +441,9 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {`
`441`	`441`	`if err != nil \|\| tlsConfig == nil {`
`442`	`442`	`t.Fatal("Unable to configure client TLS", err)`
`443`	`443`	`}`
`444`		`- basePool, err := SystemCertPool()`
	`444`	`+ basePool, err := x509.SystemCertPool()`
`445`	`445`	`if err != nil {`
`446`		`- basePool = x509.NewCertPool()`
	`446`	`+ t.Fatal("Failed to get SystemCertPool", err)`
`447`	`447`	`}`
`448`	`448`	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
`449`	`449`	`if tlsConfig.RootCAs == nil \|\| len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.`