rustls-native-certs

openssl 'Hashed Directory Method' not supported

Open harmic opened this issue 4 years ago • 5 comments

In addition to loading CA bundles, openssl also supports a Hashed Directory Method - with this method, openssl looks in the CA Directory for a file named after the hash of the desired certificate, with a '.{digit}' on the end.

In corp environments this can be used to install locally trusted certificates, without disturbing the vendor supplied bundle.

Maybe it's not possible to support this scheme via rustls, as you would need to be able to look up certificates in the root store dynamically - the rustls API does not look like it supports that - but if that is the case it should be documented in the README (especially since the rationale given for using this package is to support locally installed trusted CAs).

harmic avatar Jun 01 '20 02:06 harmic
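Since rustls cannot consult a root store on demand, the practical way to honour this layout is to load every `<subject-hash>.<n>` entry from the directory up front. The following is an added illustration of that scan, not code from this issue or from the rustls-native-certs crate; the directory contents, the eight-hex-digit file names and the PEM bodies are constructed fixtures rather than real certificates.

```python
import base64
import os
import re
import tempfile

# OpenSSL's by_dir lookup names each cert <8 hex digits of the subject hash>.<n>
# (the .<n> suffix disambiguates hash collisions). c_rehash also writes .r<n>
# entries for CRLs, which a CA loader must skip.
HASHED_CERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(text: str) -> list[bytes]:
    """Extract every CERTIFICATE block from PEM text as raw DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_CERT.findall(text)]


def load_hashed_dir(cert_dir: str) -> list[bytes]:
    """Load all certs stored in OpenSSL hashed-directory layout, deduplicated.

    Symlinks (what c_rehash creates) are followed; entries whose name is not
    <hash>.<n>, dangling links, and unreadable files are skipped.
    """
    seen: set[bytes] = set()
    certs: list[bytes] = []
    for name in sorted(os.listdir(cert_dir)):
        if not HASHED_CERT_NAME.match(name):
            continue
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):  # isfile() follows symlinks
            continue
        try:
            with open(path, encoding="ascii", errors="replace") as f:
                text = f.read()
        except OSError:
            continue
        for der in pem_to_der(text):
            if der not in seen:  # the same CA is often linked under two names
                seen.add(der)
                certs.append(der)
    return certs


def build_sample_dir() -> str:
    """Constructed fixture: a hashed directory whose PEM body is a placeholder, not a real cert."""
    d = tempfile.mkdtemp()
    fake = base64.b64encode(b"constructed DER placeholder, not a real certificate").decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n"
    with open(os.path.join(d, "6ba5c0a6.0"), "w") as f:
        f.write(pem)
    os.symlink("6ba5c0a6.0", os.path.join(d, "6ba5c0a6.1"))  # duplicate link, as c_rehash makes
    with open(os.path.join(d, "ca-bundle.crt"), "w") as f:
        f.write(pem)  # not a hashed name: ignored
    with open(os.path.join(d, "6ba5c0a6.r0"), "w") as f:
        f.write("")  # CRL slot: ignored
    return d
```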

This is likely a feature request on the openssl-probe crate

ctz avatar Jun 21 '20 15:06 ctz

That crate seems purely about locating the correct directory(s) in which to look; it does not actually locate certificates inside those directories. Also, openssl-probe is used by other crates that use openssl (e.g. native-tls, curl, git2-rs, etc.) that would not need this functionality.

This seems rustls specific, in that this crate is trying to help rustls have the same behavior as the native alternative when it comes to locating trusted certificates.

harmic avatar Jul 02 '20 03:07 harmic

Ah, yes, you're right. openssl-probe does actually support this already, since it returns both the bundle file and also the directory to look in. So I'll plan to get this done.

ctz avatar Jul 05 '20 18:07 ctz

Has this been addressed by https://github.com/rustls/rustls-native-certs/pull/32 or is there additional work required?

cpu avatar Mar 31 '23 17:03 cpu