Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement SSL_CONF_cmd VerifyCAPath and VerifyCADir commands #33

Merged
merged 2 commits into from
Jun 26, 2024
Merged

Implement SSL_CONF_cmd VerifyCAPath and VerifyCADir commands #33

merged 2 commits into from
Jun 26, 2024

Conversation

cpu
Copy link
Member

@cpu cpu commented Jun 25, 2024
edited
Loading

This branch follows #29, #31 and #32 extending the existing SSL_CONF_xxx API to support the "VerifyCAPath" and "VerifyCADir" sub-commands. See man 3 SSL_CONF_cmd for more information. We have no support for the equivalent of CAPath and CADir (a root store for just path building, but not verification?) and so these related commands are not implemented.

We diverge slightly from the upstream here by re-using the existing SSL_CTX_set_default_verify_file and SSL_CTX_set_default_verify_dir logic. Taking this approach requires the minimum amount of fuss to support these configuration commands, but means we error later in the case of the file/directory being bogus - at the time we build a connection and a root trust store. Relatedly, we don't have all the pieces needed to support setting these paths for a SSL, just a SSL_CTX, so we skip implementing the commands after SSL_CONF_CTX_set_ssl - in practice Nginx only uses SSL_CONF_CTX_set_ssl_ctx so we can punt here for the time being.

This is the last of the SSL_CONF_cmd commands we can support without more unrelated compat work, so I've tacked on a commit calling out some of the cmds that might be worth implementing in the future after that work is completed.

Closes #22

@cpu cpu self-assigned this Jun 25, 2024
ctz
ctz reviewed Jun 26, 2024
View reviewed changes
rustls-libssl/tests/config.c Show resolved Hide resolved
rustls-libssl/tests/config.c Outdated Show resolved Hide resolved
cpu added 2 commits June 26, 2024 09:33
@cpu
conf: implement VerifyCAPath/VerifyCAFile commands
1d936b8
@cpu
conf: add a TODO for some future commands
34217a2 
Most of these will require implementing more logic elsewhere before we
can add a supported command.
@cpu cpu force-pushed the cpu-ssl-conf-verify-bundles branch from 01c520a to 34217a2 Compare June 26, 2024 13:33
@cpu cpu merged commit 1241d51 into rustls:main Jun 26, 2024
14 checks passed
@cpu cpu deleted the cpu-ssl-conf-verify-bundles branch June 26, 2024 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctz ctz ctz approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement SSL_CONF_*
2 participants
@cpu @ctz