`ClientConfig` and `RootCertStore` improvements #2038
Comments
Note that rustls-platform-verifier devolves to rustls-native-certs (optionally with webpki-roots as fallback) on Linux, so it probably doesn't solve many problems if you consider Linux an important deployment target. I think cloning

Ah, will remove it from OP then!

In that regard it would solve nothing, unfortunately, I would say both these problems are unrelated.

So it seems your currently favored solution is to store client configs in the

In the case of We have discussed this previously here: #1943 (comment).

These But initializing a new
Goals

- `quinn::Endpoint` (Pass `quinn::Endpoint` for DoQ and DoH3 #2002).

Problems

Storage

Storing `rustls::ClientConfig` in `ResolverOpts` is currently not possible for several reasons:

- `ResolverOpts` requires `Copy` (Remove `Copy` from `ResolverOpts` #2029).
- `ResolverOpts` requires `Default` ([DON'T MERGE] Remove `Default` from `ResolverOpts` #2035).
- `ResolverOpts` requires `De/Serialize`.

`Copy` and `Default` can be removed, but `De/Serialize` would require one of the following solutions:

- Remove `De/Serialize` from `ResolverOpts`. Though it's required in other crates: Separate default `rustls::ClientConfig` for each protocol #2001 (comment).
- `Deserialize`r for `RustlsConfig`, passing the native certificates error through ... somehow.
- Store `Option<ClientConfig>`s and `Option<Arc<RootCertStore>>` to create `ClientConfig`s when needed and store `RootCertStore` for reuse. Will require a custom `PartialEq` implementation with `Arc::ptr_eq()` for `RootCertStore`.

`GenericConnector`

I have originally done this in #2001. Not sure what exactly the downside would be here, so this is my preferred solution right now.

If we decide on this course we could also potentially revert #2029.

A new type

This could be stored in a field inside `AsyncResolver`, which would be quite similar to `GenericConnector`.

Runtime root certificate store selection

I believe this would require storing `ClientConfig` somewhere else than `ResolverOpts`. If we add fields to `ResolverOpts` that specify which store to use, already initialized `ClientConfig`s inside `ResolverOpts` would need to be re-initialized when changing those fields.

We could mitigate this issue by making sure that `ResolverOpts` can never be accessed through the API again after `ClientConfig`s are initialized, which I believe is currently the case anyway. In this case I'm not sure why we would decide to store them in `ResolverOpts` anyway.

Related issues and PRs

- `webpki-roots` and `native-certs` crate features #1943
- `lazy_static` with `once_cell` #1944
- Separate default `rustls::ClientConfig` for each protocol #2001
- `QuicClientStreamBuilder::endpoint()` #2003
- Pass `quinn::Endpoint` for DoQ and DoH3 #2002
- `webpki-roots` and `native-certs` crate features, take 2 #2005
- Remove `Copy` from `ResolverOpts` #2029
- Separate default `rustls::ClientConfig` for each protocol (take 2) #2031
- [DON'T MERGE] Remove `Default` from `ResolverOpts` #2035