From 6be2ea18da13b332c5ab0c39653b556a1ab0351d Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:49:24 +0100 Subject: [PATCH 1/6] Remove deprecated functions --- src/lib.rs | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 8669bf0..4fc795b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -12,16 +12,6 @@ pub struct ProbeResult { pub cert_dir: Option, } -/// Probe the system for the directory in which CA certificates should likely be -/// found. -/// -/// This will only search known system locations. -#[doc(hidden)] -#[deprecated(note = "use `candidate_cert_dirs` instead")] -pub fn find_certs_dirs() -> Vec { - candidate_cert_dirs().map(Path::to_path_buf).collect() -} - /// Probe the system for the directory in which CA certificates should likely be /// found. /// @@ -53,15 +43,6 @@ pub fn candidate_cert_dirs() -> impl Iterator { .filter(|p| p.exists()) } -/// Deprecated as this isn't sound, use [`init_openssl_env_vars`] instead. -#[doc(hidden)] -#[deprecated(note = "this function is not safe, use `init_openssl_env_vars` instead")] -pub fn init_ssl_cert_env_vars() { - unsafe { - init_openssl_env_vars(); - } -} - /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// @@ -82,13 +63,6 @@ pub unsafe fn init_openssl_env_vars() { try_init_openssl_env_vars(); } -/// Deprecated as this isn't sound, use [`try_init_openssl_env_vars`] instead. -#[doc(hidden)] -#[deprecated(note = "use try_init_openssl_env_vars instead, this function is not safe")] -pub fn try_init_ssl_cert_env_vars() -> bool { - unsafe { try_init_openssl_env_vars() } -} - /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// From 16687cd823bd80ff17586dd4b0e658b9bffa1926 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:49:37 +0100 Subject: [PATCH 2/6] Bump version to 0.2.0 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index a4e81c5..3bfe257 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-probe" -version = "0.1.6" +version = "0.2.0" authors = ["Alex Crichton "] license = "MIT/Apache-2.0" repository = "https://github.com/alexcrichton/openssl-probe" From ceff82e64557a12f5b654a466ba01c3558a8e384 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:52:30 +0100 Subject: [PATCH 3/6] Remove trivial wrapper function --- src/lib.rs | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 4fc795b..84f549f 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -43,26 +43,6 @@ pub fn candidate_cert_dirs() -> impl Iterator { .filter(|p| p.exists()) } -/// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` -/// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. -/// -/// Preconfigured values in the environment variables will not be overwritten if the paths they -/// point to exist and are accessible. -/// -/// # Safety -/// -/// This function is not safe because it mutates the process's environment -/// variables which is generally not safe. See the [documentation in libstd][doc] -/// for information about why setting environment variables is not safe. -/// -/// If possible use the [`probe`] function and directly configure OpenSSL -/// methods instead of relying on environment variables. -/// -/// [doc]: https://doc.rust-lang.org/stable/std/env/fn.set_var.html#safety -pub unsafe fn init_openssl_env_vars() { - try_init_openssl_env_vars(); -} - /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// From 660dd3990bd31ac07130c39ff94ca666cfbac25a Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:53:20 +0100 Subject: [PATCH 4/6] Use top-down item ordering --- src/lib.rs | 122 ++++++++++++++++++++++++++--------------------------- 1 file changed, 61 insertions(+), 61 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 84f549f..bb67446 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,48 +1,6 @@ use std::env; use std::path::{Path, PathBuf}; -/// The OpenSSL environment variable to configure what certificate file to use. -pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE"; - -/// The OpenSSL environment variable to configure what certificates directory to use. -pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR"; - -pub struct ProbeResult { - pub cert_file: Option, - pub cert_dir: Option, -} - -/// Probe the system for the directory in which CA certificates should likely be -/// found. -/// -/// This will only search known system locations. -pub fn candidate_cert_dirs() -> impl Iterator { - // see http://gagravarr.org/writing/openssl-certs/others.shtml - [ - "/var/ssl", - "/usr/share/ssl", - "/usr/local/ssl", - "/usr/local/openssl", - "/usr/local/etc/openssl", - "/usr/local/share", - "/usr/lib/ssl", - "/usr/ssl", - "/etc/openssl", - "/etc/pki/ca-trust/extracted/pem", - "/etc/pki/tls", - "/etc/ssl", - "/etc/certs", - "/opt/etc/ssl", // Entware - #[cfg(target_os = "android")] - "/data/data/com.termux/files/usr/etc/tls", - #[cfg(target_os = "haiku")] - "/boot/system/data/ssl", - ] - .iter() - .map(Path::new) - .filter(|p| p.exists()) -} - /// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE` /// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use. /// @@ -95,25 +53,6 @@ pub unsafe fn try_init_openssl_env_vars() -> bool { cert_file.is_some() || cert_dir.is_some() } -/// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is -/// configured in this process with an existing file or directory. -/// -/// That being the case would indicate that certificates will be found successfully by OpenSSL. -/// -/// Returns `true` if either variable is set to an existing file or directory. -pub fn has_ssl_cert_env_vars() -> bool { - let probe = probe_from_env(); - probe.cert_file.is_some() || probe.cert_dir.is_some() -} - -fn probe_from_env() -> ProbeResult { - let var = |name| env::var_os(name).map(PathBuf::from).filter(|p| p.exists()); - ProbeResult { - cert_file: var(ENV_CERT_FILE), - cert_dir: var(ENV_CERT_DIR), - } -} - /// Probe the current system for the "cert file" and "cert dir" variables that /// OpenSSL typically requires. /// @@ -153,3 +92,64 @@ pub fn probe() -> ProbeResult { } result } + +/// Probe the system for the directory in which CA certificates should likely be +/// found. +/// +/// This will only search known system locations. +pub fn candidate_cert_dirs() -> impl Iterator { + // see http://gagravarr.org/writing/openssl-certs/others.shtml + [ + "/var/ssl", + "/usr/share/ssl", + "/usr/local/ssl", + "/usr/local/openssl", + "/usr/local/etc/openssl", + "/usr/local/share", + "/usr/lib/ssl", + "/usr/ssl", + "/etc/openssl", + "/etc/pki/ca-trust/extracted/pem", + "/etc/pki/tls", + "/etc/ssl", + "/etc/certs", + "/opt/etc/ssl", // Entware + #[cfg(target_os = "android")] + "/data/data/com.termux/files/usr/etc/tls", + #[cfg(target_os = "haiku")] + "/boot/system/data/ssl", + ] + .iter() + .map(Path::new) + .filter(|p| p.exists()) +} + +/// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is +/// configured in this process with an existing file or directory. +/// +/// That being the case would indicate that certificates will be found successfully by OpenSSL. +/// +/// Returns `true` if either variable is set to an existing file or directory. +pub fn has_ssl_cert_env_vars() -> bool { + let probe = probe_from_env(); + probe.cert_file.is_some() || probe.cert_dir.is_some() +} + +fn probe_from_env() -> ProbeResult { + let var = |name| env::var_os(name).map(PathBuf::from).filter(|p| p.exists()); + ProbeResult { + cert_file: var(ENV_CERT_FILE), + cert_dir: var(ENV_CERT_DIR), + } +} + +pub struct ProbeResult { + pub cert_file: Option, + pub cert_dir: Option, +} + +/// The OpenSSL environment variable to configure what certificate file to use. +pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE"; + +/// The OpenSSL environment variable to configure what certificates directory to use. +pub const ENV_CERT_DIR: &'static str = "SSL_CERT_DIR"; From 1ebec0b70fc8e7c9379417ee3c8f5d6ab6f412c2 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:56:20 +0100 Subject: [PATCH 5/6] Move probe_from_env() to ProbeResult::from_env() --- src/lib.rs | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index bb67446..d87c8d1 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -58,7 +58,7 @@ pub unsafe fn try_init_openssl_env_vars() -> bool { /// /// The probe result is returned as a [`ProbeResult`] structure here. pub fn probe() -> ProbeResult { - let mut result = probe_from_env(); + let mut result = ProbeResult::from_env(); for certs_dir in candidate_cert_dirs() { // cert.pem looks to be an openssl 1.0.1 thing, while // certs/ca-certificates.crt appears to be a 0.9.8 thing @@ -131,23 +131,25 @@ pub fn candidate_cert_dirs() -> impl Iterator { /// /// Returns `true` if either variable is set to an existing file or directory. pub fn has_ssl_cert_env_vars() -> bool { - let probe = probe_from_env(); + let probe = ProbeResult::from_env(); probe.cert_file.is_some() || probe.cert_dir.is_some() } -fn probe_from_env() -> ProbeResult { - let var = |name| env::var_os(name).map(PathBuf::from).filter(|p| p.exists()); - ProbeResult { - cert_file: var(ENV_CERT_FILE), - cert_dir: var(ENV_CERT_DIR), - } -} - pub struct ProbeResult { pub cert_file: Option, pub cert_dir: Option, } +impl ProbeResult { + fn from_env() -> ProbeResult { + let var = |name| env::var_os(name).map(PathBuf::from).filter(|p| p.exists()); + ProbeResult { + cert_file: var(ENV_CERT_FILE), + cert_dir: var(ENV_CERT_DIR), + } + } +} + /// The OpenSSL environment variable to configure what certificate file to use. pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE"; From 0b62edc8ceb45a8afe1dbfd97d7165c4d34cf307 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 19 Nov 2025 16:58:34 +0100 Subject: [PATCH 6/6] Extract consts for file and directory lists --- src/lib.rs | 81 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 42 insertions(+), 39 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index d87c8d1..27c6895 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -60,22 +60,8 @@ pub unsafe fn try_init_openssl_env_vars() -> bool { pub fn probe() -> ProbeResult { let mut result = ProbeResult::from_env(); for certs_dir in candidate_cert_dirs() { - // cert.pem looks to be an openssl 1.0.1 thing, while - // certs/ca-certificates.crt appears to be a 0.9.8 thing - let cert_filenames = [ - "cert.pem", - "certs.pem", - "ca-bundle.pem", - "cacert.pem", - "ca-certificates.crt", - "certs/ca-certificates.crt", - "certs/ca-root-nss.crt", - "certs/ca-bundle.crt", - "CARootCertificates.pem", - "tls-ca-bundle.pem", - ]; if result.cert_file.is_none() { - result.cert_file = cert_filenames + result.cert_file = CERTIFICATE_FILE_NAMES .iter() .map(|fname| certs_dir.join(fname)) .find(|p| p.exists()); @@ -98,30 +84,10 @@ pub fn probe() -> ProbeResult { /// /// This will only search known system locations. pub fn candidate_cert_dirs() -> impl Iterator { - // see http://gagravarr.org/writing/openssl-certs/others.shtml - [ - "/var/ssl", - "/usr/share/ssl", - "/usr/local/ssl", - "/usr/local/openssl", - "/usr/local/etc/openssl", - "/usr/local/share", - "/usr/lib/ssl", - "/usr/ssl", - "/etc/openssl", - "/etc/pki/ca-trust/extracted/pem", - "/etc/pki/tls", - "/etc/ssl", - "/etc/certs", - "/opt/etc/ssl", // Entware - #[cfg(target_os = "android")] - "/data/data/com.termux/files/usr/etc/tls", - #[cfg(target_os = "haiku")] - "/boot/system/data/ssl", - ] - .iter() - .map(Path::new) - .filter(|p| p.exists()) + CERTIFICATE_DIRS + .iter() + .map(Path::new) + .filter(|p| p.exists()) } /// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is @@ -150,6 +116,43 @@ impl ProbeResult { } } +// see http://gagravarr.org/writing/openssl-certs/others.shtml +const CERTIFICATE_DIRS: &[&str] = &[ + "/var/ssl", + "/usr/share/ssl", + "/usr/local/ssl", + "/usr/local/openssl", + "/usr/local/etc/openssl", + "/usr/local/share", + "/usr/lib/ssl", + "/usr/ssl", + "/etc/openssl", + "/etc/pki/ca-trust/extracted/pem", + "/etc/pki/tls", + "/etc/ssl", + "/etc/certs", + "/opt/etc/ssl", // Entware + #[cfg(target_os = "android")] + "/data/data/com.termux/files/usr/etc/tls", + #[cfg(target_os = "haiku")] + "/boot/system/data/ssl", +]; + +// cert.pem looks to be an openssl 1.0.1 thing, while +// certs/ca-certificates.crt appears to be a 0.9.8 thing +const CERTIFICATE_FILE_NAMES: &[&str] = &[ + "cert.pem", + "certs.pem", + "ca-bundle.pem", + "cacert.pem", + "ca-certificates.crt", + "certs/ca-certificates.crt", + "certs/ca-root-nss.crt", + "certs/ca-bundle.crt", + "CARootCertificates.pem", + "tls-ca-bundle.pem", +]; + /// The OpenSSL environment variable to configure what certificate file to use. pub const ENV_CERT_FILE: &'static str = "SSL_CERT_FILE";