Support loading PEM files without rehash names #188
Comments
Why? What's your use case?
We've encountered environments, often customer setups where the base image is optimized for Go applications. These images typically work out-of-the-box with Go's certificate loading logic. However, when running Rust applications in the same images, no certificates are loaded at all, leading to TLS failures.
Sounds reasonable (who's we?). Would you be able to submit a PR in this direction?
Wiz (https://www.wiz.io/) and sure, I'll build some PR. Just to make sure we are clear on the direction: I'm removing the re_hash requirements on the loading of the PEMs.
Makes sense. We might want to consider if this should be optional behavior and if so, whether it should be opt-in or opt-out.
Before I go on and send a PR about this, I wanted to make sure you guys agree with this change.
Basically, today rustls-native-certs follows the same logic as OpenSSL with regard to loading certificates only if they have a valid rehash name.
As far as I understand from OpenSSL, this is used mainly for performance reasons for the case where there are many certificates in a given directory, and it helps "identify" the correct one.
Looking at other implementations for loading certificates from the SSL_CERT_DIR, you can see here in Go
https://go.dev/src/crypto/x509/root_unix.go
that they don't enforce the rehash names, and simply load all the certificates in the directory.
I was wondering if you would be willing to have the same type of logic as the Go variant, which is more permissive.
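As an added example (not rustls-native-certs' own code, nor Go's), here is a small Rust scanner that models the two policies described in this issue: the strict OpenSSL rehash-name filter and the permissive load-every-PEM behaviour of Go's root_unix.go. The file names and directory contents it is exercised with are constructed.

```rust
// Strict mode keeps only files named like OpenSSL's c_rehash layout
// (8 lowercase hex digits, a dot, an index, e.g. "2e5ac55d.0"); permissive
// mode keeps every regular file that carries a PEM certificate block.
use std::fs;
use std::path::{Path, PathBuf};

/// True if `name` looks like an OpenSSL hashed-directory entry: `<8 hex>.<N>`.
pub fn is_rehash_name(name: &str) -> bool {
    let (hash, idx) = match name.split_once('.') {
        Some(parts) => parts,
        None => return false,
    };
    hash.len() == 8
        && hash.chars().all(|c| matches!(c, '0'..='9' | 'a'..='f'))
        && !idx.is_empty()
        && idx.chars().all(|c| c.is_ascii_digit())
}

/// True if the file content carries at least one PEM certificate block.
pub fn has_pem_certificate(path: &Path) -> bool {
    match fs::read_to_string(path) {
        Ok(text) => text.contains("-----BEGIN CERTIFICATE-----"),
        Err(_) => false, // unreadable or binary (e.g. DER) files are skipped
    }
}

/// Collect certificate files from `dir`. `permissive == false` reproduces the
/// rehash-name requirement; `permissive == true` loads every PEM file found.
pub fn collect_cert_files(dir: &Path, permissive: bool) -> Vec<PathBuf> {
    let mut found = Vec::new();
    let entries = match fs::read_dir(dir) {
        Ok(e) => e,
        Err(_) => return found, // a missing SSL_CERT_DIR simply yields nothing
    };
    for entry in entries.flatten() {
        let path = entry.path();
        if !path.is_file() {
            continue; // subdirectories and dangling symlinks are ignored
        }
        let name = entry.file_name().to_string_lossy().into_owned();
        if (permissive || is_rehash_name(&name)) && has_pem_certificate(&path) {
            found.push(path);
        }
    }
    found.sort(); // deterministic order for callers and tests
    found
}
```

Running both modes over the same directory makes the difference concrete: a file such as `customer-root.pem` is picked up only in permissive mode.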