docs: Add note on unsupported self-signed certificates

[exdx]

This clarifies the rustls position on self-signed certificates.
Users writing tests using rustls should be aware that a
self-signed cert won't work as expected.

Signed-off-by: Dan Sover dan.sover@avalabs.org

[djc]

@ctz now that we control webpki, do you want to maintain that self-signed certificates are a non-feature (that is, are intentionally not supported)? Or should we add an opt-in dangerous_config() feature to support them somehow?

[codecov]

Codecov Report

Merging #1382 (34f9ad1) into main (cc201f5) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1382   +/-   ##
=======================================
  Coverage   96.34%   96.34%           
=======================================
  Files          64       64           
  Lines       14808    14808           
=======================================
  Hits        14267    14267           
  Misses        541      541           

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[exdx]

Yes, I noticed there was a test

rustls/connect-tests/tests/badssl.rs

Line 126 in 1776e0b

#[cfg(feature = "dangerous_configuration")]

that supports self-signed certs but only in a dangerous configuration. I can update the PR to reflect that.

[exdx]

My personal opinion is that this is helpful -- developers looking to use rustls might see this and know which configuration to use for self-signed certs, in tests especially.

[cpu]

Thanks for the PR! I have a request for a change w.r.t the wording being added.

[exdx]

Thanks for the PR! I have a request for a change w.r.t the wording being added.

Sure, that makes sense to me. I'll change it. I'm on vacation for a week or so but will update afterwards. Thanks.

[exdx]

@djc @cpu I have went ahead and updated the README. The PR is ready to go now 👍

[cpu]

@exdx Thanks, the update looks good. Could you squash the branch history down into just one commit updating README.md?

[ctz]

now that we control webpki, do you want to maintain that self-signed certificates are a non-feature

I think such a thing would have to be a separate, explicit API at the webpki-level. Which would call for a separate, explicit API at the rustls level to call it.

When people say "self-signed certificates", they are generally saying "turn off the security, I don't care" rather than asking caring much about the exact shape of the certificate chain -- we have an extension point and example code for doing that already.

I'm not sure just changing webpki to deal with self signed certs would suffice either -- the certificates tend to come from openssl one-liners -- far away from what is acceptable under the BRs. It seems like it wouldn't be useful to say "we support self-signed certs, but you have a to have basicConstraints, and subjectAlternativeNames extensions" etc.

I think that it's generally harder to generate a reasonable self-signed certificate and pin it than just using something like mkcert?

[cpu]

@exdx Thanks, the update looks good.

I spoke too soon, as pointed out by CI failure I think the updated text needs to be in lib.rs and then updated in README.md with admin/pull-readme.

[exdx]

@exdx Thanks, the update looks good.

I spoke too soon, as pointed out by CI failure I think the updated text needs to be in lib.rs and then updated in README.md with admin/pull-readme.

Sounds good, I'll take a look

[exdx]

@cpu Updated!

[cpu]

Looks good. Thanks for landing the revisions :-)