Fix the case of SSL_CERT_DIR containing number of paths #187
Have you verified that OpenSSL on Windows uses (I also checked the 3.5 documentation says the same thing as the older 1.0.2 docs you linked)
cpu
left a comment
Some initial comments from a quick review pass. Seems worth some unit test coverage as well.
You can see here how LIST_SEPARATOR_CHAR is defined for the split, in Windows it's semi-colon
Fun, looks like there's both a C implementation of @arilou Are you open to filing an upstream OpenSSL bug to fix their documentation of
Alright I'll try to get to changing it to a Vec from Option<Vec..
djc
left a comment
Looking good modulo a few remaining nits. Thanks!
cpu
left a comment
Thanks for sticking with our feedback. I think the diff looks good :-)
> Seems worth some unit test coverage as well.
Bumping this earlier comment I made. I won't block an approval on it, but it would be nice to have a small test or two to prevent accidental regression in the future. WDYT?
What type of test did you have in mind?
According to OpenSSL docs SSL_CERT_DIR is an env separated list of directories (for Unix it's colon on Windows it's semi-colon).

Reference: https://docs.openssl.org/3.5/man1/openssl-rehash/#options

Signed-off-by: Jon Doron <jond@wiz.io>
Ideally something that shows that specifying multiple

Adds a test to ensure that SSL_CERT_DIR correctly handles multiple paths separated by the platform-specific separator (: on Unix, ; on Windows).

The test sets up two temporary directories:
* The first is left empty.
* The second contains a copy of the test certificate.

It then sets SSL_CERT_DIR to include both directories and calls check_site() to verify that the certificate is successfully loaded from the second path.

Signed-off-by: Jon Doron <jond@wiz.io>
cpu
left a comment
Thanks, the new test looks good. I ran it locally since the smoketests are in a CI job that doesn't run for PRs:
$ git rev-parse HEAD
1438c63107b79309c958241ed08fa42f3cb790bc
$ cargo test ssl_cert_dir_multiple_paths_are_respected -- --ignored --exact
<snipped>
running 1 test
test ssl_cert_dir_multiple_paths_are_respected ... ok
test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 11 filtered out; finished in 0.15s
## Summary

Closes #16414

Adds support for the standard [SSL_CERT_DIR](https://docs.openssl.org/3.6/man3/SSL_CTX_load_verify_locations) which has gained recent proper support from [rustls-native-certs](rustls/rustls-native-certs#187) in v0.8.2.

In addition, this PR clarifies documentation around `SSL_CERT_FILE` and `SSL_CERT_DIR` when used in combination with `UV_NATIVE_TLS` as mentioned in #16412 (comment)

## Test Plan

Manually tested with custom cert chains in multiple directories and loading them via SSL_CERT_DIR. We didn't have tests for `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables so I added a basic one using our own test-only certificate generation and dummy https server. I also moved some things around for better reuse.
According to OpenSSL docs SSL_CERT_DIR is an env separated list of directories (for Unix it's colon on Windows it's semi-colon).
Reference:
https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html
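The separator handling discussed in this thread, as an added example that is not code from this PR or from rustls-native-certs: it splits an SSL_CERT_DIR-style value with the standard library's platform-aware `std::env::split_paths` and gathers files from every listed directory, mirroring the empty-then-populated layout the new test describes. The function names, the fixture file name and the choice to drop empty entries are assumptions of this example.

```rust
use std::env;
use std::ffi::OsStr;
use std::fs;
use std::path::PathBuf;

/// Split an SSL_CERT_DIR-style value on the platform separator (':' on Unix,
/// ';' on Windows). Dropping empty entries is a choice made by this example.
fn split_cert_dirs(value: &OsStr) -> Vec<PathBuf> {
    env::split_paths(value)
        .filter(|p| !p.as_os_str().is_empty())
        .collect()
}

/// Collect regular files from every listed directory. Directories that are
/// missing or unreadable are skipped so one bad entry does not hide the rest.
fn candidate_cert_files(dirs: &[PathBuf]) -> Vec<PathBuf> {
    let mut files = Vec::new();
    for dir in dirs {
        let Ok(entries) = fs::read_dir(dir) else { continue };
        for entry in entries.flatten() {
            let path = entry.path();
            if path.is_file() {
                files.push(path);
            }
        }
    }
    files.sort();
    files
}

/// Constructed fixture: an empty directory followed by one holding a
/// placeholder file, joined the way SSL_CERT_DIR would be set.
fn demo() -> (usize, Vec<PathBuf>) {
    let base = env::temp_dir().join(format!("cert-dir-demo-{}", std::process::id()));
    let (empty, full) = (base.join("empty"), base.join("full"));
    fs::create_dir_all(&empty).unwrap();
    fs::create_dir_all(&full).unwrap();
    fs::write(full.join("root.pem"), b"constructed placeholder, not a certificate").unwrap();
    let value = env::join_paths([&empty, &full]).unwrap();
    let dirs = split_cert_dirs(&value);
    let files = candidate_cert_files(&dirs);
    fs::remove_dir_all(&base).ok();
    (dirs.len(), files)
}

fn main() {
    let (n, files) = demo();
    println!("{n} directories, files: {files:?}");
}
```

Treating the whole variable as a single path would look for one directory whose name contains the separator, which is why the file in the second directory would not be found.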