Conversation

@michael-o

FreeBSD contains a canonical certstore managed by certctl(8) since 12.2 located in the base system (/etc/ssl), search there first. Alternatively, a user can populate a custom store in distbase (/usr/local/etc/ssl) with certctl(8) which shall be queried if the former does not exist. At last, there is a store for OpenSSL from the ports (/usr/local/openssl) outside of certctl(8)'s reach. Within these there can also be a bundle in parallel to a hashed directory.

This fixes #20 and fixes #37

FreeBSD port maintainer here.

Improvement on top of @djc's work: certctl(8)'s introduction on FreeBSD 12.2 makes life much easier. CERTIFICATE_DIRS uses those two from it. Additionally from security/openssl*. /usr/local/share/certs is a source for certctl(8) which ends up in either of them, thus would lead to duplicates. Extended CERTIFICATE_FILE_NAMES by those files created by certctl(8) from FreeBSD 15+ or ultimately for those who still install security/ca_root_nss which is included in /usr/share/certs/trusted anyway.

Sample code:

```rust
use openssl_probe::probe;
use curl::easy::Easy;

fn main() {
    // Ask openssl-probe which CA bundle file and hashed cert directories it found.
    let result = probe();

    match result.cert_file {
        Some(ref path) => println!("result.cert_file: {}", path.display()),
        None => println!("result.cert_file: None"),
    }

    if result.cert_dir.is_empty() {
        println!("result.cert_dir: None");
    } else {
        for path in &result.cert_dir {
            println!("result.cert_dir: {}", path.display());
        }
    }

    // Perform a TLS fetch with curl; peer verification fails if no usable store was found.
    let mut data = Vec::new();
    let mut handle = Easy::new();
    handle.url("https://dw-eng-rsc.innomotics.net/").unwrap();
    {
        let mut transfer = handle.transfer();
        transfer.write_function(|new_data| {
            data.extend_from_slice(new_data);
            Ok(new_data.len())
        }).unwrap();
        transfer.perform().unwrap();
    }
}
```

Verification in a standalone application while removing and adding potential candidates:

cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: /etc/ssl/cert.pem
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: /usr/local/etc/ssl/cert.pem
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: /usr/local/share/certs/ca-root-nss.crt
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ vim ./target/debug/openssl-probe-tester
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ vim src/main.rs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: None
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: None
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: None
result.cert_dir: None

thread 'main' (189247) panicked at src/main.rs:29:25:
called `Result::unwrap()` on an `Err` value: Error { description: "SSL peer certificate or SSH remote key was not OK", code: 60, extra: Some("SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)") }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ ./target/debug/openssl-probe-tester
result.cert_file: None
result.cert_dir: /etc/ssl/certs

Running against publicly available servers as well as in-house with enterprise CA structure.
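The search order described in the PR description (base certctl(8) store first, then the distbase store, then the ports OpenSSL store, with a bundle file and a hashed directory probed independently) as an added example; this is not the openssl-probe crate's own code. The `root` prefix is an assumption so the probe can be exercised against a constructed directory tree instead of the live system.

```rust
// Added example modelling the FreeBSD precedence from the PR description.
// Candidates are checked in order and the first that exists wins, so the
// base certctl(8) store shadows the distbase and ports stores.
use std::path::{Path, PathBuf};

/// Candidate CA bundle files, highest precedence first (paths from the PR diff).
pub const CERT_FILE_CANDIDATES: &[&str] = &[
    "/etc/ssl/cert.pem",                      // base system, certctl(8) BUNDLE
    "/usr/local/etc/ssl/cert.pem",            // distbase store, also certctl(8)
    "/usr/local/openssl/cert.pem",            // security/openssl* from ports
    "/usr/local/share/certs/ca-root-nss.crt", // legacy security/ca_root_nss bundle
];

/// Candidate hashed certificate directories, highest precedence first.
pub const CERT_DIR_CANDIDATES: &[&str] = &[
    "/etc/ssl/certs",
    "/usr/local/etc/ssl/certs",
    "/usr/local/openssl/certs",
];

#[derive(Debug, PartialEq, Default)]
pub struct ProbeOutcome {
    pub cert_file: Option<PathBuf>,
    pub cert_dir: Option<PathBuf>,
}

/// Return the first candidate under `root` that exists with the expected kind.
fn first_existing(root: &Path, candidates: &[&str], want_dir: bool) -> Option<PathBuf> {
    candidates
        .iter()
        .map(|c| root.join(c.trim_start_matches('/'))) // `root` is an assumed test prefix
        .find(|p| if want_dir { p.is_dir() } else { p.is_file() })
}

/// Probe bundle file and hashed directory independently, as the PR describes.
pub fn probe_under(root: &Path) -> ProbeOutcome {
    ProbeOutcome {
        cert_file: first_existing(root, CERT_FILE_CANDIDATES, false),
        cert_dir: first_existing(root, CERT_DIR_CANDIDATES, true),
    }
}

fn main() {
    // Against "/" this inspects the real system stores.
    println!("{:?}", probe_under(Path::new("/")));
}
```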

@michael-o (Author)

Also built a custom version of uv, works flawlessly against in-house servers and public ones.

"/etc/pki/tls/certs", // Fedora, RHEL
];

// see manpage of certctl(8): https://man.freebsd.org/cgi/man.cgi?query=certctl&sektion=8
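Review bot: the comment closing this hunk only links the certctl(8) manpage, which does not by itself explain the directories added above it; state at the definition which store each FreeBSD entry comes from (the base system certctl(8) store under /etc/ssl, the distbase certctl(8) store under /usr/local/etc/ssl, and the ports OpenSSL store under /usr/local/openssl that certctl(8) does not manage, as the PR description puts it) so a reader can check each path against the manpage instead of reconstructing the mapping.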
Member

I don't find this all that helpful. The manpage mentions:

rehash	  Rebuild the list of trusted certificates by scanning all di-
		  rectories  in	 TRUSTPATH  and	 all untrusted certificates in
		  UNTRUSTPATH.	A copy of each trusted certificate  is	placed
		  in   CERTDESTDIR   and   each	  untrusted   certificate   in
		  UNTRUSTDESTDIR.   In	addition,  a  bundle  containing   the
		  trusted certificates is placed in BUNDLE.

and TRUSTPATH is defined as

TRUSTPATH       List  of	paths to search	for trusted certificates.  De-
		       fault:	 ${DESTDIR}${DISTBASE}/usr/share/certs/trusted
		       ${DESTDIR}${LOCALBASE}/share/certs/trusted
		       ${DESTDIR}${LOCALBASE}/share/certs

How do you get from this to /usr/local/etc/ssl/certs and /usr/local/openssl/certs?

Comment on lines +183 to +188
const CERTIFICATE_FILE_NAMES: &[&str] = &[
"/etc/ssl/cert.pem",
"/usr/local/etc/ssl/cert.pem",
"/usr/local/openssl/cert.pem",
"/usr/local/share/certs/ca-root-nss.crt",
];
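Review bot: order is significant in CERTIFICATE_FILE_NAMES (the PR description says a later store is consulted only when the earlier one does not exist), but nothing at the definition says so; add a comment stating that the first existing file wins and labelling each entry (base certctl(8) bundle, distbase certctl(8) bundle, ports OpenSSL bundle, legacy security/ca_root_nss bundle), and note that /usr/local/share/certs is a certctl(8) TRUSTPATH source rather than a destination store, so on a system where certctl(8) has run its contents are already in the bundles listed above it.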
Member

I don't think it makes sense to duplicate all of this here. Do all of these exist on your system? It seems to me that CERTIFICATE_FILE_NAMES is for the file that contains system-installed certificates whereas CERTIFICATE_DIRS is for user-installed certificates.

Successfully merging this pull request may close these issues:

- try_init_openssl_env_vars() breaks certificate validation (on FreeBSD)
- Freebsd certs not found