-
Notifications
You must be signed in to change notification settings - Fork 605
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: clarify self-signed certificate limitation. #1480
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I don't think this is a good change. For most users, webpki is an implementation detail of the rustls default verifier. Even if/when we make the webpki verifier more explicit in the API (for example, by making callers pass a Instead, I think we should be upfront about this limitation and its nuances. For example, that it can be made to work by implementing a custom verifier, or how easy we can make it to support private CA setups. |
How about this?
Note I'm carefully avoiding saying "self-signed", which I think can be used to mean three different things:
|
That's better, although I would say we actually need to have the word "self-signed" in there to make unsophisticated users understand? Could just be a parenthetical "(these are often said to be self-signed certificates)". |
@bdaehlie Do you want to iterate on this with the suggested text from the feedback above, or would it be helpful if I adopted this and got it across the line? |
If you're able to take this over that would be great, thanks. |
f8ef8dd
to
e27461d
Compare
Codecov Report
@@ Coverage Diff @@
## main #1480 +/- ##
=======================================
Coverage 96.46% 96.46%
=======================================
Files 72 72
Lines 15105 15105
=======================================
Hits 14571 14571
Misses 534 534 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(fwiw)
e27461d
to
9a23112
Compare
The self-signed certificate limitation imposed by the default webpki certificate verifier is somewhat nuanced. This commit updates the README to reflect some of this nuance.
9a23112
to
71488bf
Compare
That is a limitation of webpki and should be noted there.
See this PR for webpki.