rustls-native-certs icon indicating copy to clipboard operation
rustls-native-certs copied to clipboard
verified publisher icon rustls

Account for "additional constraints" in the macOS (and Windows) certificate stores

Open briansmith opened this issue 3 years ago • 2 comments

From https://twitter.com/BasileBailey/status/1494801237694300161:

Just because a root certificate is in the built-in iOS/macOS trust store doesn't mean that it is trusted. Apple applies additional constraints via configuration updates to maintain a high-level of security. See https://support.apple.com/HT212865 for more detail.

It seems like this might be hinting that the approach taken by rustls-native-certs (and other libraries) is not valid/safe. This is something we already know from previous discussions.

I'm not sure what could reasonably be done other than deprecating this crate on macOS (and Windows) and replacing it with custom verification logic that uses the OS-provided APIs. I have done this at $work and we are open to open sourcing it.

briansmith avatar Feb 18 '22 23:02 briansmith

It sounds pretty clear that invoking OS verification APIs is the correct path forwards; I'd love to have a crate that does that to recommend for use with quinn.

Ralith avatar Feb 18 '22 23:02 Ralith

Hopefully should have something to share this summer, stay tuned 😄.

complexspaces avatar Jun 07 '22 20:06 complexspaces

PTAL at https://github.com/rustls/rustls-platform-verifier :-)

cpu avatar Mar 31 '23 17:03 cpu