core icon indicating copy to clipboard operation
core copied to clipboard
Published 6 days ago • verified publisher icon chatmail

Check platform/system TLS certificates

Open fitzsim opened this issue 1 month ago • 3 comments

Are there plans to support platform TLS certificates for verifying the IMAP server? I would like to use Delta Chat with an IMAP server verified by custom certificates installed under /etc on Fedora; however currently in Automatic and Strict modes, I get an UnknownIssuer error. I would rather not have to select AcceptInvalidCertificates.

I tested cargo add rustls-platform-verifier and the following patch:

diff --git a/src/net/tls.rs b/src/net/tls.rs
index fce4abcb9..58193bdf7 100644
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -9,6 +9,8 @@
 
 use tokio_rustls::rustls::client::ClientSessionStore;
 
+use rustls_platform_verifier::BuilderVerifierExt;
+
 pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
@@ -94,11 +96,8 @@ pub async fn wrap_rustls<'a>(
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
 ) -> Result<impl SessionStream + 'a> {
-    let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();
-    root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-
     let mut config = tokio_rustls::rustls::ClientConfig::builder()
-        .with_root_certificates(root_cert_store)
+        .with_platform_verifier()?
         .with_no_client_auth();
     config.alpn_protocols = if alpn.is_empty() {
         vec![]

on my setup and it seemed to work (I patched v2.22.0 then built and swapped deltachat-rpc-client under the v2.22.0 deltachat-desktop RPM). That said, I know there may be too many portability implications of using system certificates, and mine is sort of a niche use case, so feel free to close this as "won't fix".

fitzsim avatar Nov 17 '25 00:11 fitzsim

We cannot use system certificate store by default because on Android this certificate store is often outdated and may not have Let's Encrypt root.

We can probably make another third option in addition to "strict" and "accept invalid certificates".

There is a similar discussion at https://github.com/stalwartlabs/stalwart/issues/247

link2xt avatar Nov 17 '25 12:11 link2xt

OK, thanks for the explanation. Rather than introduce another UI option, perhaps Strict mode could fall back to trying against platform certificates.

fitzsim avatar Nov 17 '25 22:11 fitzsim

I am still not sure we want to use platform certificates by default even as a fallback. Using system certificate store will not interact nicely with "add second device" feature: you may transfer your profile to another system which does not have the certificate, and then it cannot connect. Currently we have the same set of accepted certificates across all platforms given that you use the same version of webpki_roots.

link2xt avatar Nov 18 '25 16:11 link2xt