
feat: native OS root CAs, custom cert impersonation fix, unknown extension tolerance#133

Merged
deedy5 merged 2 commits intomainfrom
dev
Mar 30, 2026

Conversation

@deedy5 (Owner) commented Mar 30, 2026

Summary

1. Fix: ignore unknown TLS 1.3 certificate extensions

CertificateExtensions::read now ignores unrecognized extensions instead of
returning UnknownCertificateExtension error. This fixes connections to servers
that send signed_certificate_timestamp (18) or other valid CT extensions not
currently parsed by rustls. Consistent with ClientExtensions,
ServerExtensions, and NewSessionTicketExtensions which all ignore unknown
extensions. (RFC 8446 §4.4.2)

2. Add native OS root CAs and fix custom certs in impersonation path

  • Load native OS root CAs via rustls-native-certs alongside webpki roots,
    so connections trust system-installed certificates
  • Add merged_root_store() to combine cached default store with user-provided
    custom certs
  • Fix add_root_certificate() to pass certs through the impersonation TLS
    config (previously ignored when using TLS impersonation)
  • Simplify build() match logic from 6 arms to 2
  • Remove direct webpki-roots dependency from primp crate (now handled
    centrally in primp-reqwest)
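
Added example (not code from this PR, from primp, or from rustls): a minimal reader for the `extensions<0..2^16-1>` vector of a TLS 1.3 CertificateEntry, covering the first summary item and its commit message. It shows the strict behaviour described there (an unrecognised extension type aborts the parse) beside the tolerant behaviour the PR switches to (unrecognised types are skipped and recorded), while still rejecting truncated or trailing bytes. It also keeps the RFC 8446 §4.4.2 requirement that extensions in the server's Certificate message correspond to ones the client offered, as an optional policy: skipping types you cannot parse is fine, accepting types you never asked for is a separate decision. The names `Policy`, `read_extensions`, `sample_entry_extensions`, the type value 0xfafa and the SCT payload bytes are constructed for this example.

```rust
use std::collections::HashSet;

// ExtensionType values from the TLS ExtensionType registry.
pub const EXT_STATUS_REQUEST: u16 = 5;
pub const EXT_SIGNED_CERTIFICATE_TIMESTAMP: u16 = 18;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CertExtension {
    /// status_request: OCSP response for this certificate (kept opaque here).
    StatusRequest(Vec<u8>),
    /// signed_certificate_timestamp: SignedCertificateTimestampList (kept opaque here).
    SignedCertificateTimestamp(Vec<u8>),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ParseError {
    Truncated,
    TrailingBytes,
    UnknownExtension(u16),
    NotOffered(u16),
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Extensions {
    pub known: Vec<CertExtension>,
    /// Types skipped because this reader does not parse them (logged, not fatal).
    pub skipped: Vec<u16>,
}

/// Example-only policy knobs; not a rustls type.
#[derive(Clone, Copy)]
pub struct Policy<'a> {
    /// Skip unrecognised types (the behaviour this PR adopts) instead of failing.
    pub tolerate_unknown: bool,
    /// Types sent in ClientHello; RFC 8446 §4.4.2 says server Certificate
    /// extensions MUST correspond to them. None disables the check.
    pub offered: Option<&'a HashSet<u16>>,
}

fn read_u16(buf: &[u8], pos: &mut usize) -> Result<u16, ParseError> {
    let end = pos.checked_add(2).ok_or(ParseError::Truncated)?;
    let b = buf.get(*pos..end).ok_or(ParseError::Truncated)?;
    *pos = end;
    Ok(u16::from_be_bytes([b[0], b[1]]))
}

/// Read `opaque data<0..2^16-1>`: a u16 length followed by that many bytes.
fn read_opaque16<'b>(buf: &'b [u8], pos: &mut usize) -> Result<&'b [u8], ParseError> {
    let len = read_u16(buf, pos)? as usize;
    let end = pos.checked_add(len).ok_or(ParseError::Truncated)?;
    let data = buf.get(*pos..end).ok_or(ParseError::Truncated)?;
    *pos = end;
    Ok(data)
}

/// Parse `Extension extensions<0..2^16-1>` from a CertificateEntry (RFC 8446 §4.4.2).
pub fn read_extensions(buf: &[u8], policy: Policy) -> Result<Extensions, ParseError> {
    let mut pos = 0;
    let body = read_opaque16(buf, &mut pos)?;
    if pos != buf.len() {
        return Err(ParseError::TrailingBytes);
    }
    let mut out = Extensions::default();
    let mut p = 0;
    while p < body.len() {
        let ty = read_u16(body, &mut p)?;
        let data = read_opaque16(body, &mut p)?;
        if let Some(offered) = policy.offered {
            if !offered.contains(&ty) {
                return Err(ParseError::NotOffered(ty));
            }
        }
        match ty {
            EXT_STATUS_REQUEST => out.known.push(CertExtension::StatusRequest(data.to_vec())),
            EXT_SIGNED_CERTIFICATE_TIMESTAMP => {
                out.known.push(CertExtension::SignedCertificateTimestamp(data.to_vec()))
            }
            other if policy.tolerate_unknown => out.skipped.push(other),
            other => return Err(ParseError::UnknownExtension(other)),
        }
    }
    Ok(out)
}

/// Encode one Extension: type || u16 length || data.
pub fn encode_extension(ty: u16, data: &[u8]) -> Vec<u8> {
    let mut v = ty.to_be_bytes().to_vec();
    v.extend_from_slice(&(data.len() as u16).to_be_bytes());
    v.extend_from_slice(data);
    v
}

/// Wrap concatenated Extensions in the outer u16 length prefix.
pub fn encode_extensions(exts: &[Vec<u8>]) -> Vec<u8> {
    let body: Vec<u8> = exts.concat();
    let mut v = (body.len() as u16).to_be_bytes().to_vec();
    v.extend_from_slice(&body);
    v
}

/// Constructed sample: an SCT extension (type 18) followed by a type this reader does not know.
pub fn sample_entry_extensions() -> Vec<u8> {
    // Constructed placeholder payload; a real one is a SignedCertificateTimestampList (RFC 6962).
    let sct = encode_extension(EXT_SIGNED_CERTIFICATE_TIMESTAMP, &[0x00, 0x04, 0xde, 0xad, 0xbe, 0xef]);
    // Hypothetical extension type the reader has no parser for.
    let unknown = encode_extension(0xfafa, &[0x01, 0x02]);
    encode_extensions(&[sct, unknown])
}

fn main() {
    let buf = sample_entry_extensions();
    let strict = Policy { tolerate_unknown: false, offered: None };
    let tolerant = Policy { tolerate_unknown: true, offered: None };
    println!("strict:   {:?}", read_extensions(&buf, strict));
    println!("tolerant: {:?}", read_extensions(&buf, tolerant));
}
```

With the strict policy the sample fails on the unknown type, which is the pre-fix failure mode for any server that sends an extension the reader lacks a parser for; with the tolerant policy the SCT is returned and 0xfafa lands in `skipped`. Passing the set of types actually sent in ClientHello as `offered` keeps a misbehaving server from slipping in extension types that were never negotiated, independently of whether the reader can parse them.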

deedy5 added 2 commits March 30, 2026 14:28
CertificateExtensions::read now ignores unrecognized extensions
instead of returning UnknownCertificateExtension error.

This fixes connections to servers that send
signed_certificate_timestamp (18) or other valid CT extensions
not currently parsed by rustls.

Consistent with ClientExtensions, ServerExtensions, and
NewSessionTicketExtensions which all ignore unknown extensions.

- Load native OS root CAs via rustls-native-certs alongside webpki roots
- Add merged_root_store() to combine cached defaults with user-provided certs
- Fix add_root_certificate() to pass certs through impersonation TLS config
- Simplify build() match logic
- Remove direct webpki-roots dependency from primp crate
@deedy5 deedy5 merged commit f5bf0cf into main Mar 30, 2026
78 of 81 checks passed
@deedy5 deedy5 deleted the dev branch March 30, 2026 11:58