-
Notifications
You must be signed in to change notification settings - Fork 612
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Add note on unsupported self-signed certificates #1382
Conversation
@ctz now that we control webpki, do you want to maintain that self-signed certificates are a non-feature (that is, are intentionally not supported)? Or should we add an opt-in |
Codecov Report
@@ Coverage Diff @@
## main #1382 +/- ##
=======================================
Coverage 96.34% 96.34%
=======================================
Files 64 64
Lines 14808 14808
=======================================
Hits 14267 14267
Misses 541 541 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Yes, I noticed there was a test rustls/connect-tests/tests/badssl.rs Line 126 in 1776e0b
|
4cc98b8
to
59b2c9c
Compare
My personal opinion is that this is helpful -- developers looking to use rustls might see this and know which configuration to use for self-signed certs, in tests especially. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR! I have a request for a change w.r.t the wording being added.
Sure, that makes sense to me. I'll change it. I'm on vacation for a week or so but will update afterwards. Thanks. |
@exdx Thanks, the update looks good. Could you squash the branch history down into just one commit updating |
I think such a thing would have to be a separate, explicit API at the webpki-level. Which would call for a separate, explicit API at the rustls level to call it. When people say "self-signed certificates", they are generally saying "turn off the security, I don't care" rather than asking caring much about the exact shape of the certificate chain -- we have an extension point and example code for doing that already. I'm not sure just changing webpki to deal with self signed certs would suffice either -- the certificates tend to come from openssl one-liners -- far away from what is acceptable under the BRs. It seems like it wouldn't be useful to say "we support self-signed certs, but you have a to have I think that it's generally harder to generate a reasonable self-signed certificate and pin it than just using something like |
I spoke too soon, as pointed out by CI failure I think the updated text needs to be in |
Sounds good, I'll take a look |
This clarifies the rustls position on self-signed certificates. Users writing tests using rustls should be aware that a self-signed cert won't work as expected. Signed-off-by: Dan Sover <dan.sover@avalabs.org>
34f9ad1
to
1e24e39
Compare
@cpu Updated! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Thanks for landing the revisions :-)
This clarifies the rustls position on self-signed certificates.
Users writing tests using rustls should be aware that a
self-signed cert won't work as expected.
Signed-off-by: Dan Sover dan.sover@avalabs.org