Closed DragonOsman closed 2 years ago

I read that the author of the Certify library isn't taking care of it anymore because of complications that arise in asynchronous code. So I wanted to ask this here: did you manage to find a good alternative way to get certs from the root cert store under that kind of situation? I'm asking because I also need a good cross-platform way to do this. Right now my code relies on wincrypt and I'd like to make it portable because I want to work on Linux as well. Here's my current code for this, for reference.

Unfortunately, I have not yet located a viable alternative to certify. That is the sole reason why malloy still ships with it.

I do have to say that certify worked reasonably well so far. Despite the obligatory warnings in the readme, malloy is used in production by several projects (both server and client components). So far, I have not heard any stories about issues surrounding certify.

If you have a better option/proposal to replace certify, I'd be very happy to discuss those.

About a year ago, I did invest some time looking into this with the intention of creating our own library for this task, but it basically boiled down to re-writing certify, which seemed to make little sense back then.

A very low-priority task in the pipeline is to expose the necessary interfaces as native malloy API so users can put their own cert store loading code in there (potentially with certify as a default).

So you can still use Certify well even in asynchronous code? If so, maybe I really shouldn't worry and just use it for now.

I've been having trouble finding out how to pull the root certs using the Linux Crypto API. But I guess if Certify is still a good option, I'll just go with that.

It certainly works. If I recall correctly, the main issue is the lack of asynchronous APIs on the OpenSSL side, which is not something that certify can change anyway. AFAIK all OCSP verifications are fully blocking.

Closing this. Feel free to re-open if you think that is necessary.