webpki VS rust-openssl

Beyond that, various things like the ScyllaDB driver are using OpenSSL because WebPKI doesn't support validating connections to IP addresses (as opposed to DNS names) and RusTLS currently delegates to WebPKI.

There's a JIT framework in Rust: https://github.com/bytecodealliance/wasmtime

There's a library for doing full X.509 certificate parsing and verification: https://briansmith.org/rustdoc/webpki/

There's definitely some attempts at doing pure-Rust SSL, but I suspect a lot of them are also doing some sketchy things with crypto that shouldn't be trusted (getting constant-time stuff implemented properly is really challenging, and probably requires large amounts of assembly to guarantee correctness).

An issue was raised with webpki to support the IP addressees 5 years ago, and yet it's still not there. What do people use to overcome the fact that rustls can't do IP-based client connections because of it? My guess would be, they are switching to native-tls or openssl-tls.

Yes, rustls currently doesn't support certificates without hostnames (only an IP); this is actually an issue with the webpki crate, and work to solve it is ongoing (will hopefully land in a release in a few months or so).

> Bundling this set with Firefox

I love that they did that; it was actually my idea (https://bugzilla.mozilla.org/show_bug.cgi?id=657228). I believe the list is pretty large and changes frequently and so they download it dynamically.

> short cut to a "Yes"

Do they really do that? That's awesome if so. Then they don't even need to ship the roots.

> I specifically don't like [...] saying "unknown issuer"

https://github.com/briansmith/webpki/issues/221

> If std::fs::File::open() gives me Result with an io:Error that claims "File not found" but the underlying OS file open actually failed due to a permission error, you can see why that's a problem right? Even if this hypothetical OS doesn't expose any specific errors, "File not found" is misleading.

A more accurate analogy: You ask to open "example.txt" without supplying the path, and there is no "example.txt" in the current working directory. You will get "file not found."

Regardless, I agree we could have a better name than UnknownIssuer for this error.

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

error: failed to run custom build command for `openssl-sys v0.9.76` Caused by: process didn't exit successfully: `/target/debug/build/openssl-sys-eaac1108fdec7ae2/build-script-main` (exit status: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rustc-cfg=openssl cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=SYSROOT cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rustc-link-search=native=/usr/lib/aarch64-linux-gnu cargo:rustc-link-lib=ssl cargo:rustc-link-lib=crypto cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-changed=build/expando.c OPT_LEVEL = Some("0") TARGET = Some("x86_64-unknown-linux-gnu") HOST = Some("x86_64-unknown-linux-gnu") CC_x86_64-unknown-linux-gnu = None CC_x86_64_unknown_linux_gnu = None HOST_CC = None CC = None CFLAGS_x86_64-unknown-linux-gnu = None CFLAGS_x86_64_unknown_linux_gnu = None HOST_CFLAGS = None CFLAGS = None CRATE_CC_NO_DEFAULTS = None DEBUG = Some("true") CARGO_CFG_TARGET_FEATURE = Some("fxsr,sse,sse2") running: "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-g" "-fno-omit-frame-pointer" "-m64" "-I" "/usr/include" "-Wall" "-Wextra" "-E" "build/expando.c" cargo:warning=build/expando.c:2:33: fatal error: openssl/opensslconf.h: No such file or directory cargo:warning=compilation terminated. exit status: 1 --- stderr thread 'main' panicked at ' Header expansion error: Error { kind: ToolExecError, message: "Command \"cc\" \"-O0\" \"-ffunction-sections\" \"-fdata-sections\" \"-fPIC\" \"-g\" \"-fno-omit-frame-pointer\" \"-m64\" \"-I\" \"/usr/include\" \"-Wall\" \"-Wextra\" \"-E\" \"build/expando.c\" with args \"cc\" did not execute successfully (status code exit status: 1)." } Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel # On Alpine Linux apk add openssl-dev See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux ', /cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.76/build/main.rs:185:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish...

There is also https://github.com/sfackler/rust-openssl but not sure should I use it or not.

If you're in a situation where you think the directory should be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message.

Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux

$ cargo install rates Updating crates.io index Downloaded rates v0.2.0 Downloaded 1 crate (11.8 KB) in 0.70s Installing rates v0.2.0 Downloaded chrono v0.4.19 Downloaded futures-io v0.3.13 Downloaded futures-sink v0.3.13 Downloaded directories v3.0.1 Downloaded futures-channel v0.3.13 Downloaded futures-task v0.3.13 Downloaded futures-util v0.3.13 Downloaded hashbrown v0.9.1 Downloaded http-body v0.4.0 Downloaded httpdate v0.3.2 Downloaded httparse v1.3.5 Downloaded http v0.2.3 Downloaded hyper v0.14.4 Downloaded indexmap v1.6.1 Downloaded form_urlencoded v1.0.1 Downloaded h2 v0.3.1 Downloaded log v0.4.14 Downloaded num-traits v0.2.14 Downloaded openssl v0.10.32 Downloaded pin-utils v0.1.0 Downloaded openssl-sys v0.9.60 Downloaded pin-project-internal v1.0.5 Downloaded reqwest v0.11.1 Downloaded serde v1.0.123 Downloaded serde_urlencoded v0.7.0 Downloaded tinyvec_macros v0.1.0 Downloaded tinyvec v1.1.1 Downloaded tokio-native-tls v0.3.0 Downloaded syn v1.0.60 Downloaded url v2.2.1 Downloaded bytes v1.0.1 Downloaded tower-service v0.3.1 Downloaded tokio-util v0.6.3 Downloaded ipnet v2.3.0 Downloaded socket2 v0.3.19 Downloaded base64 v0.13.0 Downloaded want v0.3.0 Downloaded cc v1.0.67 Downloaded unicode-normalization v0.1.17 Downloaded mio v0.7.9 Downloaded tracing-core v0.1.17 Downloaded quote v1.0.9 Downloaded pin-project v1.0.5 Downloaded pin-project-lite v0.2.4 Downloaded try-lock v0.2.3 Downloaded serde_json v1.0.64 Downloaded native-tls v0.2.7 Downloaded num-integer v0.1.44 Downloaded hyper-tls v0.5.0 Downloaded futures-core v0.3.13 Downloaded tracing v0.1.25 Downloaded tokio v1.2.0 Downloaded idna v0.2.2 Downloaded libc v0.2.86 Downloaded encoding_rs v0.8.28 Downloaded 55 crates (5.4 MB) in 1.77s (largest was `encoding_rs` at 1.4 MB) Compiling autocfg v1.0.1 Compiling libc v0.2.86 Compiling cfg-if v1.0.0 Compiling log v0.4.14 Compiling pkg-config v0.3.19 Compiling cc v1.0.67 Compiling memchr v2.3.4 Compiling pin-project-lite v0.2.4 Compiling proc-macro2 v1.0.24 Compiling lazy_static v1.4.0 Compiling bytes v1.0.1 Compiling itoa v0.4.7 Compiling bitflags v1.2.1 Compiling unicode-xid v0.2.1 Compiling syn v1.0.60 Compiling futures-core v0.3.13 Compiling foreign-types-shared v0.1.1 Compiling fnv v1.0.7 Compiling openssl v0.10.32 Compiling matches v0.1.8 Compiling tinyvec_macros v0.1.0 Compiling hashbrown v0.9.1 Compiling futures-task v0.3.13 Compiling native-tls v0.2.7 Compiling slab v0.4.2 Compiling pin-utils v0.1.0 Compiling serde v1.0.123 Compiling ryu v1.0.5 Compiling futures-sink v0.3.13 Compiling futures-io v0.3.13 Compiling httparse v1.3.5 Compiling percent-encoding v2.1.0 Compiling try-lock v0.2.3 Compiling openssl-probe v0.1.2 Compiling httpdate v0.3.2 Compiling serde_json v1.0.64 Compiling encoding_rs v0.8.28 Compiling tower-service v0.3.1 Compiling unicode-width v0.1.8 Compiling strsim v0.8.0 Compiling base64 v0.13.0 Compiling vec_map v0.8.2 Compiling ipnet v2.3.0 Compiling mime v0.3.16 Compiling ansi_term v0.11.0 Compiling tokio v1.2.0 Compiling indexmap v1.6.1 Compiling num-traits v0.2.14 Compiling num-integer v0.1.44 Compiling tracing-core v0.1.17 Compiling futures-channel v0.3.13 Compiling foreign-types v0.3.2 Compiling http v0.2.3 Compiling unicode-bidi v0.3.4 Compiling tinyvec v1.1.1 Compiling openssl-sys v0.9.60 Compiling form_urlencoded v1.0.1 Compiling textwrap v0.11.0 Compiling tracing v0.1.25 Compiling http-body v0.4.0 Compiling unicode-normalization v0.1.17 Compiling num_cpus v1.13.0 Compiling socket2 v0.3.19 Compiling atty v0.2.14 Compiling dirs-sys v0.3.5 Compiling time v0.1.43 Compiling mio v0.7.9 Compiling want v0.3.0 error: failed to run custom build command for `openssl-sys v0.9.60` Caused by: process didn't exit successfully: `/tmp/cargo-installbxN90K/release/build/openssl-sys-704dca09387a20ed/build-script-main` (exit code: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR run pkg_config fail: "`\"pkg-config\" \"--libs\" \"--cflags\" \"openssl\"` did not exit successfully: exit code: 1\n--- stderr\nPackage openssl was not found in the pkg-config search path.\nPerhaps you should add the directory containing `openssl.pc\'\nto the PKG_CONFIG_PATH environment variable\nNo package \'openssl\' found\n" --- stderr thread 'main' panicked at ' Could not find directory of OpenSSL installation, and this `-sys` crate cannot proceed without this knowledge. If OpenSSL is installed and this crate had trouble finding it, you can set the `OPENSSL_DIR` environment variable for the compilation process. Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. If you're in a situation where you think the directory *should* be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message. $HOST = x86_64-unknown-linux-gnu $TARGET = x86_64-unknown-linux-gnu openssl-sys = 0.9.60 ', /home/myusr/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.60/build/find_normal.rs:173:5 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish... error: failed to compile `rates v0.2.0`, intermediate artifacts can be found at `/tmp/cargo-installbxN90K` Caused by: build failed

Second, https://github.com/sfackler/rust-openssl/issues/987 was solved over 2 years ago, and the fix was released in openssl v0.10. Since reqwest uses openssl v0.10.x, it definitely includes this fix.