|
3 | 3 | **rustls-native-certs** allows [rustls](https://github.com/rustls/rustls) to use the |
4 | 4 | platform's native certificate store when operating as a TLS client. |
5 | 5 |
|
6 | | -This is supported on Windows, macOS and Linux: |
7 | | - |
8 | | -- On all platforms, the `SSL_CERT_FILE` environment variable is checked first. |
9 | | - If that's set, certificates are loaded from the path specified by that variable, |
10 | | - or an error is returned if certificates cannot be loaded from the given path. |
11 | | - If it's not set, then the platform-specific certificate source is used. |
12 | | -- On Windows, certificates are loaded from the system certificate store. |
13 | | - The [`schannel`](https://github.com/steffengy/schannel-rs) crate is used to access |
14 | | - the Windows certificate store APIs. |
15 | | -- On macOS, certificates are loaded from the keychain. |
16 | | - The user, admin and system trust settings are merged together as documented |
17 | | - by Apple. The [`security-framework`](https://github.com/kornelski/rust-security-framework) |
18 | | - crate is used to access the keystore APIs. |
19 | | -- On Linux and other UNIX-like operating systems, the |
20 | | - [`openssl-probe`](https://github.com/alexcrichton/openssl-probe) crate is used to discover |
21 | | - the filename of the system CA bundle. |
| 6 | +> [!IMPORTANT] |
| 7 | +> Instead of this crate, we suggest using [rustls-platform-verifier](https://github.com/rustls/rustls-platform-verifier) |
| 8 | +> instead, which provides a more robust solution with a simpler API. This crate is still |
| 9 | +> maintained, but mostly for use inside the platform verifier on platforms where no other |
| 10 | +> solution is available. For more context, see |
| 11 | +> [deployment considerations](https://github.com/rustls/rustls-platform-verifier?tab=readme-ov-file#deployment-considerations). |
22 | 12 |
|
23 | 13 | # Status |
24 | 14 | rustls-native-certs is currently in development. |
@@ -79,40 +69,22 @@ this sparingly. |
79 | 69 |
|
80 | 70 | See [`examples/google.rs`](examples/google.rs). |
81 | 71 |
|
82 | | -# Should I use this or `webpki-roots`? |
83 | | - |
84 | | -(Background: [webpki-roots](https://crates.io/crates/webpki-roots) is a crate that compiles-in Mozilla's set of root certificates.) |
85 | | - |
86 | | -This crate is preferable in many ways to *webpki-roots*. |
87 | | -To sum up the pros and cons: |
88 | | - |
89 | | -Pros: |
90 | | - |
91 | | -- **This crate respects local configuration of root certificates**: both |
92 | | - removal of roots that the user finds untrustworthy, and addition of locally-trusted roots. |
93 | | - _The latter case is exceedingly important if your application is required to work in |
94 | | - enterprise environments with "transparent" TLS-terminating middleboxes._ |
95 | | -- **This crate instantaneously reflects underlying system configuration**. _Since webpki-roots |
96 | | - compiles in root certificates, getting an update to these requires taking regular updates |
97 | | - to this crate, plus recompilation and redeployment of the application. This is a long-winded |
98 | | - process that may become a liability in the event of a severe misissuance._ |
99 | | -- **This crate is compatible with developer aids** such as [mkcert](https://github.com/FiloSottile/mkcert). |
100 | | - |
101 | | -Cons: |
102 | | - |
103 | | -- **Use of the OS certificate store is not the same as relying on OS trust verification** |
104 | | - because platform verifiers might impose additional criteria before deciding whether to trust |
105 | | - a root ostensibly included in the OS certificate store (for example, an expiration date). |
106 | | -- **The OS certificate store is occasionally "attacked" by [malware](https://en.wikipedia.org/wiki/Superfish)** |
107 | | - or just [bad software](https://sennheiser.zendesk.com/hc/en-us/articles/360011888254). |
108 | | -- **The OS update system may, in fact, be quite poor at keeping the root certificates up-to-date** |
109 | | - if it is disabled or out-of-support. |
110 | | -- **The quality of the `ca-certificates` package on debian-based Linux distributions is poor**. |
111 | | - At the time of writing, this ships many certificates not included in the Mozilla |
112 | | - set, either because they [failed an audit and were withdrawn](https://bugzilla.mozilla.org/show_bug.cgi?id=1448506) or |
113 | | - [were removed for mississuance](https://bugzilla.mozilla.org/show_bug.cgi?id=1552374). |
114 | | -- **You may prefer to insulate yourself against local configuration** for support or |
115 | | - (perhaps inadvisable) security reasons. |
| 72 | +# Platform support |
| 73 | + |
| 74 | +- On all platforms, the `SSL_CERT_FILE` environment variable is checked first. |
| 75 | + If that's set, certificates are loaded from the path specified by that variable, |
| 76 | + or an error is returned if certificates cannot be loaded from the given path. |
| 77 | + If it's not set, then the platform-specific certificate source is used. |
| 78 | +- On Windows, certificates are loaded from the system certificate store. |
| 79 | + The [`schannel`](https://github.com/steffengy/schannel-rs) crate is used to access |
| 80 | + the Windows certificate store APIs. |
| 81 | +- On macOS, certificates are loaded from the keychain. |
| 82 | + The user, admin and system trust settings are merged together as documented |
| 83 | + by Apple. The [`security-framework`](https://github.com/kornelski/rust-security-framework) |
| 84 | + crate is used to access the keystore APIs. |
| 85 | +- On Linux and other UNIX-like operating systems, the |
| 86 | + [`openssl-probe`](https://github.com/alexcrichton/openssl-probe) crate is used to discover |
| 87 | + the filename of the system CA bundle. |
116 | 88 |
|
117 | 89 | # License |
118 | 90 |
|
|
0 commit comments