Gracefully handle invalid native root certificates #283
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CBenoit
force-pushed
the
fix-error-on-bad-root-cert
branch
3 times, most recently
from
2d61819
to
885104c
Compare
Before this patch, the `rustls::RootCertStore::add` method was used to add all the root certificates found by `rustls_native_certs` crate. This is a problem when an ancient or invalid certificate is present in the native root store. `rustls` documentation says the following: > This is suitable for a small set of root certificates that > are expected to parse successfully. For large collections of > roots (for example from a system store) it is expected that > some of them might not be valid according to the rules `rustls` > implements. As long as a relatively limited number of certificates > are affected, this should not be a cause for concern. Use > `RootCertStore::add_parsable_certificates` in order to add as many > valid roots as possible and to understand how many certificates have > been diagnosed as malformed. With this patch, `RootCertStore::add_parsable_certificates` is used instead for maximal compability with system store. > Parse the given DER-encoded certificates and add all that can be > parsed in a best-effort fashion. > > This is because large collections of root certificates often include > ancient or syntactically invalid certificates.
CBenoit
force-pushed
the
fix-error-on-bad-root-cert
branch
from
885104c
to
c3e09c4
Compare
|
Demonstration in my project: |
daniel-abramov
approved these changes
May 18, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this patch, the
rustls::RootCertStore::addmethod was used to add all the root certificates found byrustls_native_certscrate. This is a problem when an ancient or invalid certificate is present in the native root store.rustlsdocumentation says the following:With this patch,
RootCertStore::add_parsable_certificatesis used instead for maximal compability with system store.