tailscale/net/tlsdial
Andrew Dunham 2755f3843c health, net/tlsdial: add healthcheck for self-signed cert
When we make a connection to a server, we previously would verify with
the system roots, and then fall back to verifying with our baked-in
Let's Encrypt root if the system root cert verification failed.

We now explicitly check for, and log a health error on, self-signed
certificates. Additionally, we now always verify against our baked-in
Let's Encrypt root certificate and log an error if that isn't
successful. We don't consider this a health failure, since if we ever
change our server certificate issuer in the future older non-updated
versions of Tailscale will no longer be healthy despite being able to
connect.

Updates #3198

Change-Id: I00be5ceb8afee544ee795e3c7a2815476abc4abf
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2023-02-01 23:17:41 -05:00
..
deps_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
tlsdial_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
tlsdial.go health, net/tlsdial: add healthcheck for self-signed cert 2023-02-01 23:17:41 -05:00