60 changes: 39 additions & 21 deletions src/lib.rs
Expand Up @@ -7,6 +7,38 @@ pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE";
/// The OpenSSL environment variable to configure what certificates directory to use.
pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR";

// see http://gagravarr.org/writing/openssl-certs/others.shtml
#[cfg(not(target_os = "freebsd"))]
const CANDIDATE_CERT_DIRS: &'static [&'static str] = &[
"/var/ssl",
"/usr/share/ssl",
"/usr/local/ssl",
"/usr/local/openssl",
"/usr/local/etc/openssl",
"/usr/local/share",
"/usr/lib/ssl",
"/usr/ssl",
"/etc/openssl",
"/etc/pki/ca-trust/extracted/pem",
"/etc/pki/tls",
"/etc/ssl",
"/etc/certs",
"/opt/etc/ssl", // Entware
#[cfg(target_os = "android")]
"/data/data/com.termux/files/usr/etc/tls",
#[cfg(target_os = "haiku")]
"/boot/system/data/ssl",
];

// see manpage of certctl(8): https://man.freebsd.org/cgi/man.cgi?query=certctl&sektion=8
// see security/openssl* ports
#[cfg(target_os = "freebsd")]
const CANDIDATE_CERT_DIRS: &'static [&'static str] = &[
"/etc/ssl",
"/usr/local/etc/ssl",
"/usr/local/openssl",
];

pub struct ProbeResult {
pub cert_file: Option<PathBuf>,
pub cert_dir: Option<PathBuf>,
Expand All @@ -27,27 +59,7 @@ pub fn find_certs_dirs() -> Vec<PathBuf> {
///
/// This will only search known system locations.
pub fn candidate_cert_dirs() -> impl Iterator<Item = &'static Path> {
// see http://gagravarr.org/writing/openssl-certs/others.shtml
[
"/var/ssl",
"/usr/share/ssl",
"/usr/local/ssl",
"/usr/local/openssl",
"/usr/local/etc/openssl",
"/usr/local/share",
"/usr/lib/ssl",
"/usr/ssl",
"/etc/openssl",
"/etc/pki/ca-trust/extracted/pem",
"/etc/pki/tls",
"/etc/ssl",
"/etc/certs",
"/opt/etc/ssl", // Entware
#[cfg(target_os = "android")]
"/data/data/com.termux/files/usr/etc/tls",
#[cfg(target_os = "haiku")]
"/boot/system/data/ssl",
]
CANDIDATE_CERT_DIRS
.iter()
.map(Path::new)
.filter(|p| p.exists())
Expand Down Expand Up @@ -169,6 +181,7 @@ pub fn probe() -> ProbeResult {
for certs_dir in candidate_cert_dirs() {
// cert.pem looks to be an openssl 1.0.1 thing, while
// certs/ca-certificates.crt appears to be a 0.9.8 thing
#[cfg(not(target_os = "freebsd"))]
let cert_filenames = [
"cert.pem",
"certs.pem",
Expand All @@ -181,6 +194,11 @@ pub fn probe() -> ProbeResult {
"CARootCertificates.pem",
"tls-ca-bundle.pem",
];
#[cfg(target_os = "freebsd")]
Do you actually need these? Why?

@michael-o michael-o Nov 4, 2025

Not necessarily, it just reduces the list because the other files will never exist by default with the other dirs I have supplied. "ca-root-nss.crt" is missing. I can add it and collapse the list.

Sake of completeness.

How do you know they will never exist? Aren't users allowed to put stuff there?

@michael-o michael-o Nov 4, 2025

In theory you are right, but

  • vast majority will use certctl(8)
  • outside of depicted default paths you can always resort to the env vars (home grown)

@djc Is your concern resolved?

@djc djc Nov 7, 2025

@ctz @cpu thoughts? I'm a bit wary of increasing future support requirements from future FreeBSD users if we limit this. On the other hand, maybe it's fine to try and get away with the shorter list.

let cert_filenames = [
"cert.pem",
"ca-root-nss.crt",
];
if result.cert_file.is_none() {
result.cert_file = cert_filenames
.iter()
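Review bot: The FreeBSD `cert_filenames` binding at the end of this hunk carries no comment explaining where `cert.pem` and `ca-root-nss.crt` are expected to come from, while the non-FreeBSD binding keeps the older `// cert.pem looks to be an openssl 1.0.1 thing` note and the FreeBSD `CANDIDATE_CERT_DIRS` block earlier in the section cites certctl(8) and the ports. Without it, a maintainer on FreeBSD has to recover from this PR thread why the list is shorter than the generic one and what a missing bundle name would mean for the probe. I would mirror the directory list's rationale directly above the FreeBSD `let`, e.g. `// see certctl(8) and the security/ca_root_nss port for where these bundles come from; per the PR discussion the other generic filenames are not produced on FreeBSD by default`. As a style aside for the first hunk, `'static` on a `const` slice type is implied and clippy's `redundant_static_lifetimes` lint flags it (`const CANDIDATE_CERT_DIRS: &[&str] = &[`), though the existing `ENV_CERT_DIR` constant uses the same spelling so this is optional. The enclosing `probe()` body and the iterator chain after `.iter()` continue outside the hunk.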