Open sfackler opened 7 years ago
Looks like its probably a dependency doing this (maybe libcurl?). Might be a bit awkward to deal with, but we could maybe snapshot the environment on startup and feed that to subprocesses?
Oh right, it's openssl-probe.
Yeah I'm ~100% sure openssl-probe would be doing this.
I had no idea this could lead to bugs...
@nathanaeljones for background on this there's a very long comment explaining what's going on, but the general gist is that we're shipping a statically linked OpenSSL so it's up to Cargo to find ssl certs for a system (normally this is configured by a distro). In doing so the only way we've found at least so far is to initialize through env vars, which is then causing this to leak into child processes.
Got bit by this in #4002
Instead of overriding the environment, cargo should use X509_STORE_load_locations
instead of X509_STORE_set_default_paths
on every X509 store to set the locations found using openssl-probe.
@jethrogb this is all mediated through curl which AFAIK doesn't expose that.
Sure it does, you just need to set CURLOPT_CAINFO
and CURLOPT_CAPATH
.
PRs are of course always welcome to patch this up! This isn't intentional, it's just a side effect of how things are implemented today.
Those environment variables will still affect anything downstream using curl.
I have not personally confirmed that this is the case, but I'm betting it's the cause of https://github.com/sfackler/rust-openssl/issues/575
cc #2888