Append Let's Encrypt ISRG Root X1 to cert pool

This is a workaround for older versions of android that do not trust the Let's Encrypt root certificate. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40087
2025-10-13 20:11:19 -04:00 · 2023-06-12 20:34:41 -04:00 · 2023-06-12 20:34:41 -04:00 · f8eb86f24d
commit f8eb86f24d
parent 9edaee6547
2 changed files with 63 additions and 2 deletions
--- a/client/lib/rendezvous.go
+++ b/client/lib/rendezvous.go
@ -4,6 +4,7 @@
 package snowflake_client

 import (
+	"crypto/tls"
 	"errors"
 	"fmt"

@ -14,6 +15,7 @@ import (

 	"github.com/pion/webrtc/v3"
 	utls "github.com/refraction-networking/utls"
+	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/certs"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/messages"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/nat"
@ -50,7 +52,10 @@ type BrokerChannel struct {
 // and TLSHandshakeTimeout settings. But we want to disable the default
 // ProxyFromEnvironment setting.
 func createBrokerTransport() http.RoundTripper {
-	transport := http.DefaultTransport.(*http.Transport)
+	tlsConfig := &tls.Config{
+		RootCAs: certs.GetRootCAs(),
+	}
+	transport := &http.Transport{TLSClientConfig: tlsConfig}
 	transport.Proxy = nil
 	transport.ResponseHeaderTimeout = 15 * time.Second
 	return transport
@ -70,7 +75,9 @@ func newBrokerChannelFromConfig(config ClientConfig) (*BrokerChannel, error) {
 		if err != nil {
 			return nil, fmt.Errorf("unable to create broker channel: %v", err)
 		}
-		utlsConfig := &utls.Config{}
+		utlsConfig := &utls.Config{
+			RootCAs: certs.GetRootCAs(),
+		}
 		brokerTransport = utlsutil.NewUTLSHTTPRoundTripper(utlsClientHelloID, utlsConfig, brokerTransport, config.UTLSRemoveSNI)
 	}