FreeBSD certs not found #28
Comments
As an update to this issue, it looks like the file /usr/local/share/certs/ca-root-nss.crt isn't searched because /usr/local/openssl/cert.pem also exists and is higher in the priority search order.
Should all possible locations be searched and aggregated?
I would think all possible locations should be searched and aggregated, but not sure if that would be a breaking change?
On Tue, Sep 14, 2021 at 5:53 PM Benjamin Saunders wrote:
Should all possible locations be searched and aggregated?
Would you mind submitting a PR for aggregating? It seems reasonable to me.
I'm interested in this (as I believe it's ultimately something that is affecting one of the users of my project), and willing to submit a PR, however it looks like the precedence searching is actually internal to I'm a bit out of my depth with the internals here, but it looks like
I just ran into the
But this crate only checks for ProbeResult::cert_file:
I suspect other tools that use probe() use both and that's why this works elsewhere. Still it seems odd to stop on the first file and directory.
Okay, reading certs from I'm not sure this solves the issue originally described here but it appears to fix the issue I had where no cert would be found at all on the system because there is only a /etc/ssl/certs/ here.
Yeah we probably should. That would involve reading in files named in the Working through both
@pgerber want to submit a PR for this?
Can I assume the goal here is that rustls-native-certs is designed to be an OpenSSL drop-in replacement? In that case, we should probably try to be closer to what OpenSSL does, or at least what the openssl crate does. Reading through (SSL_CTX_load_verify_locations), there are some differences: (Env. vars. are documented in openssl-env.) Certs are looked up based on hash and only when needed:
See also c_rehash. CAfile is searched first:
I also looked at openssl-probe a bit closer: SSL_CERT_FILE/SSL_CERT_DIR are already consulted when calling probe():
This implementation differs from the implementation (in my draft) in two ways: If we want to be compatible with OpenSSL, we should probably use this implementation. According to Compilation and Installation: One is supposed to select the default directory / file at build time:
So there is but one directory and one file searched and their paths are platform/OS/distribution-dependent. So,
No, merely enough to obtain certificates for a variety of operating systems. That is why the current implementation is good enough for Linux (because Your attached commit looks like an excellent start to me.
Okay, having given this some thought, I'll open a pull request with the following changes (as compared to my draft commit):
For the openssl-probe Crate:
Let me know if you disagree with this plan.
I'm afraid it took me a bit longer than hoped but I just opened a pull request. I kind of gave up on trying to stick as close to OpenSSL as possible. OpenSSL, Curl, OpenSSL-rust, etc. all do things a bit different. I tried to add documentation/comments/tests to indicate behavior which some may feel is unexpected.
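One way to do the "search all locations and aggregate" behaviour discussed in this thread, as an added illustration that is neither rustls-native-certs', openssl-probe's nor the linked PR's code: every candidate file or directory that exists contributes its PEM certificates, duplicates are dropped, and a missing path no longer ends the search. The candidate order and the `.pem`/`.crt` filename filter (rather than OpenSSL's hashed directory names) are assumptions of this example.

```rust
use std::collections::HashSet;
use std::fs;
use std::path::{Path, PathBuf};

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Extract every complete "CERTIFICATE" block from PEM text; a BEGIN with no
/// matching END (a truncated bundle) is dropped rather than returned half-read.
pub fn pem_cert_blocks(text: &str) -> Vec<String> {
    text.split(BEGIN)
        .skip(1) // whatever precedes the first BEGIN is not a certificate
        .filter_map(|rest| rest.split_once(END))
        .map(|(body, _)| format!("{}{}{}", BEGIN, body, END))
        .collect()
}

/// Read one bundle file, keeping each certificate the first time its exact
/// text is seen, so the same CA in two locations is not loaded twice.
fn add_file(path: &Path, seen: &mut HashSet<String>, certs: &mut Vec<String>) {
    if let Ok(text) = fs::read_to_string(path) {
        for cert in pem_cert_blocks(&text) {
            if seen.insert(cert.clone()) {
                certs.push(cert);
            }
        }
    }
}

/// Aggregate certificates from every candidate that exists, in the given order
/// (assumed: SSL_CERT_FILE / SSL_CERT_DIR first, then platform defaults such as
/// /usr/local/share/certs/ca-root-nss.crt). Files are read directly; a directory
/// like /etc/ssl/certs is scanned for *.pem / *.crt. Unlike a first-match probe,
/// every readable location contributes and a missing one is simply skipped.
pub fn aggregate_certs(candidates: &[PathBuf]) -> Vec<String> {
    let (mut seen, mut certs) = (HashSet::new(), Vec::new());
    for path in candidates {
        if path.is_file() {
            add_file(path, &mut seen, &mut certs);
        } else if let Ok(entries) = fs::read_dir(path) {
            for p in entries.flatten().map(|e| e.path()) {
                let ext = p.extension().and_then(|e| e.to_str()).unwrap_or("");
                if p.is_file() && (ext == "pem" || ext == "crt") {
                    add_file(&p, &mut seen, &mut certs);
                }
            }
        }
    }
    certs
}
```

The returned blocks are raw PEM text, ready to hand to whatever parser the caller already uses; the candidate list itself is built from the environment variables and platform paths the thread names.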
The switch to Update: looks like |
I have a FreeBSD 13 system and I have uploaded my custom certs into /usr/local/share/certs/ca-root-nss.crt which allows OOTB curl to work. However, Rust programs (ex: rustup-init) built using rustls-native-certs do not check that location. I can work around the issue by setting the env variable SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt but I would like for that location to be searched by this crate.