openssl 'Hashed Directory Method' not supported #9
Comments
This is likely a feature request on the openssl-probe crate
That crate seems purely about locating the correct directory(s) in which to look, it does not actually locate certificates inside those directories. Also openssl-probe is used by other crates that use openssl (e.g. native-tls, curl, git2-rs, etc.) that would not need this functionality. This seems rustls specific, in that this crate is trying to help rustls have the same behavior as the native alternative when it comes to locating trusted certificates.
Ah, yes, you're right. openssl-probe does actually support this already; since it returns both the bundle file and also the directory to look in. So I'll plan to get this done.
Has this been addressed by #32 or is there additional work required?
In addition to loading CA bundles, openssl also supports a Hashed Directory Method - with this method, openssl looks in the CA Directory for a file named after the hash of the desired certificate, with a '.{digit}' on the end.
In corp environments this can be used to install locally trusted certificates, without disturbing the vendor supplied bundle.
Maybe it's not possible to support this scheme via rustls, as you would need to be able to look up certificates in the root store dynamically - the rustls API does not look like it supports that - but if that is the case it should be documented in the README (especially since the rationale given for using this package is to support locally installed trusted CAs).
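To make the lookup described above concrete, here is an added example (not code from this project or from OpenSSL) that reproduces the two halves of the hashed directory method: the 8-hex-digit subject hash that `openssl x509 -subject_hash` prints, and the `<hash>.0`, `<hash>.1`, ... probing that stops at the first missing suffix. It assumes the caller already has the subject name in OpenSSL's canonical DER form; the sample bytes and directory contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def subject_hash(canonical_subject_der: bytes) -> str:
    """Reproduce OpenSSL's X509_NAME_hash(): SHA-1 over the *canonical* DER
    encoding of the subject name, first four bytes read as a little-endian
    u32, printed as 8 hex digits (the value `openssl x509 -subject_hash` shows).
    Assumption: the caller has already canonicalised the name; raw subject DER
    straight out of a certificate hashes to a different value."""
    digest = hashlib.sha1(canonical_subject_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def hashed_dir_lookup(ca_dir: str, name_hash: str) -> list:
    """Mirror OpenSSL's by_dir store: try <hash>.0, <hash>.1, ... and stop at
    the first suffix that does not exist. The numeric suffix is there because
    several distinct CA certs (for example an old and a renewed root) can share
    one 32-bit subject hash, so every colliding cert must be loadable."""
    found = []
    i = 0
    while (candidate := Path(ca_dir) / f"{name_hash}.{i}").is_file():
        found.append(candidate)
        i += 1
    return found


def demo() -> int:
    """Constructed sample: a corp CA directory holding two certs under one
    subject hash plus an orphaned '.3' file that is never reached because
    '.2' is missing. Returns how many files the lookup would load."""
    subject = b"constructed-subject-name"  # placeholder, not a real DER name
    h = subject_hash(subject)
    with tempfile.TemporaryDirectory() as tmp:
        for suffix in (0, 1, 3):
            (Path(tmp) / f"{h}.{suffix}").write_text(
                "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
            )
        return len(hashed_dir_lookup(tmp, h))  # returns 2


if __name__ == "__main__":
    print("certs reachable via hashed lookup:", demo())
```

The gap in the demo is the operational trap: `c_rehash`/`openssl rehash` numbers files contiguously, so a hand-copied `<hash>.3` next to `.0` and `.1` silently never gets trusted.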