Though I have reported this upstream, git2-rs is a downstream consumer and effectively renders the process environment useless, so I am reporting it here again.
init() calls openssl_env_init() in good spirit, but completely breaks certificate validation because openssl_probe::init_ssl_cert_env_vars() sets invalid environment variables. This directly affects cargo since it uses curl-rust, which in turn uses the system's OpenSSL.
FreeBSD has a system default truststore managed by certctl(8) which is wired with the system's OpenSSL. There is no need to override that in any way unless the user wishes to. I have a working simple patch which solves the issue for FreeBSD. I cannot tell for other systems, but this call could be problematic somewhere else as well, therefore curl-rust adds an explicit off-by-default config for it: https://github.com/alexcrichton/curl-rust/blob/da8ebac10b60458e73d32a9c5834b08c980d5b59/src/easy/handler.rs#L677
PS: I am a FreeBSD committer.
michael-o added a commit to michael-o/git2-rs that referenced this issue Feb 24, 2025
…lang#1129)
The heuristics in openssl-probe leave the process environment with an invalid
value breaking the certificate validation on FreeBSD. FreeBSD has a system
truststore managed by certctl(8). Leave it to OpenSSL to do the right thing.
Upstream issue: alexcrichton/openssl-probe#37
This fixes rust-lang#1129
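A diagnostic for the failure mode reported in this issue, as an added example that is not code from the issue, git2-rs or openssl-probe: it checks whether the SSL_CERT_FILE and SSL_CERT_DIR overrides (the two variables openssl-probe sets) point at something OpenSSL can actually load certificates from. The type and function names are hypothetical, and the "usable" criteria are a conservative approximation of OpenSSL's lookup rules.

```rust
use std::{env, fs};

#[derive(Debug, PartialEq)]
enum Override {
    Unset,          // variable absent: OpenSSL falls back to its built-in default store
    Usable,         // variable points at something certificates can be loaded from
    Broken(String), // variable is set, but nothing usable is behind it
}

// SSL_CERT_FILE must name a readable file holding at least one PEM certificate.
fn check_cert_file(value: Option<&str>) -> Override {
    let Some(path) = value else { return Override::Unset };
    const MARK: &[u8] = b"-----BEGIN CERTIFICATE-----";
    match fs::read(path) {
        Ok(data) if data.windows(MARK.len()).any(|w| w == MARK) => Override::Usable,
        Ok(_) => Override::Broken(format!("{path}: no PEM certificate in file")),
        Err(e) => Override::Broken(format!("{path}: {e}")),
    }
}

// OpenSSL looks certificates up in a directory by subject-hash file names
// of the form "0a1b2c3d.0" (8 lowercase hex digits, dot, sequence number).
fn is_hash_name(name: &str) -> bool {
    name.split_once('.').map_or(false, |(hash, seq)| {
        hash.len() == 8
            && hash.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
            && !seq.is_empty() && seq.bytes().all(|b| b.is_ascii_digit())
    })
}

// SSL_CERT_DIR is a colon-separated list; one usable directory is enough.
fn check_cert_dir(value: Option<&str>) -> Override {
    let Some(list) = value else { return Override::Unset };
    let usable = list.split(':').filter(|d| !d.is_empty()).any(|dir| {
        fs::read_dir(dir).map_or(false, |entries| {
            entries.flatten().any(|e| is_hash_name(&e.file_name().to_string_lossy()))
        })
    });
    if usable {
        return Override::Usable;
    }
    Override::Broken(format!("{list}: no hashed certificate files found"))
}

fn main() {
    let (file, dir) = (env::var("SSL_CERT_FILE").ok(), env::var("SSL_CERT_DIR").ok());
    println!("SSL_CERT_FILE: {:?}", check_cert_file(file.as_deref()));
    println!("SSL_CERT_DIR:  {:?}", check_cert_dir(dir.as_deref()));
}
```

A `Broken` result for a variable the user never set is the signature of a library-side override; `Unset` means the system's OpenSSL is left to use its own truststore.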