Do not call openssl_probe::init_ssl_cert_env_vars() on FreeBSD (#1129) #1130
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…lang#1129) The heuristics in openssl-probe leave the process environment with an invalid value breaking the certificate validation on FreeBSD. FreeBSD has a system truststore managed by certctl(8). Leave it to OpenSSL to do the right thing. Upstream issue: alexcrichton/openssl-probe#37 This fixes rust-lang#1129
michael-o
added a commit
to michael-o/freebsd-ports
that referenced
this pull request
Feb 24, 2025
Cargo uses curl-rust and git2-rs (which uses curl-rest as well). Unfortunately, git2-rs calls openssl_probe::init_ssl_cert_env_vars() unconditionally which breaks the process environment by setting an invalid value for SSL_CERT_DIR and then the system default truststore is circumvented, resulting in certificate validation errors even if certlctl(8) manages everything nicely. Upstream issues: * alexcrichton/openssl-probe#37 * rust-lang/git2-rs#1130 Reviewed by: jrm (mentor), otis (mentor), ... MFH: 2025Q1
|
@emaste FYI |
freebsd-git
pushed a commit
to freebsd/freebsd-ports
that referenced
this pull request
Mar 7, 2025
Cargo uses curl-rust and git2-rs (which uses curl-rest as well). Unfortunately, git2-rs calls openssl_probe::init_ssl_cert_env_vars() unconditionally which breaks the process environment by setting an invalid value for SSL_CERT_DIR and then the system default truststore is circumvented, resulting in certificate validation errors even if certctl(8) manages everything nicely. Upstream issues: * alexcrichton/openssl-probe#37 * rust-lang/git2-rs#1130 Reviewed by: jrm (mentor), mikael (rust) MFH: 2025Q1 Differential Revision: https://reviews.freebsd.org/D49120
freebsd-git
pushed a commit
to freebsd/freebsd-ports
that referenced
this pull request
Mar 7, 2025
Cargo uses curl-rust and git2-rs (which uses curl-rest as well). Unfortunately, git2-rs calls openssl_probe::init_ssl_cert_env_vars() unconditionally which breaks the process environment by setting an invalid value for SSL_CERT_DIR and then the system default truststore is circumvented, resulting in certificate validation errors even if certctl(8) manages everything nicely. Upstream issues: * alexcrichton/openssl-probe#37 * rust-lang/git2-rs#1130 Reviewed by: jrm (mentor), mikael (rust) MFH: 2025Q1 Differential Revision: https://reviews.freebsd.org/D49120 (cherry picked from commit 0780826)
|
Sorry, I don't know much about FreeBSD in this regard. @asomers do you perhaps have any knowledge here? Can you say why this wouldn't be a fix in |
Fro two reasons:
Don't set anything explicit if it works works flawless implicit: SSL_CTX_set_default_verify_paths I have already committed the patch downstream in FreeBSD's Rust port to fix Cargo, but this doesn't fix standalone use of this library: freebsd/freebsd-ports@0780826 |
|
Sorry @ehuss ; I'm not knowledgeable about this issue. |
|
@ehuss Do you have any objections/pain to merge this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The heuristics in openssl-probe leave the process environment with an invalid value breaking the certificate validation on FreeBSD. FreeBSD has a system truststore managed by certctl(8). Leave it to OpenSSL to do the right thing.
Upstream issue: alexcrichton/openssl-probe#37
This fixes #1129