Closed cpu closed 2 months ago
I looked into this and there was a simple explanation (as is usually the case :laughing:). When the pkg-config build configuration was broken in such a way that it failed to populate the default CA path the rustls.c `cr_init_backend()` code in curl would find `verifypeer` was true, but `ca_info_blob` and `ssl_cafile` were falsey. This state would skip over the construction and configuration of the builder with a root cert store and verifier.

This means when the connection is later built with `rustls_client_config_builder_build()` it uses the default verifier from rustls-ffi, `NoneVerifier`. The `NoneVerifier`'s `verify_server_cert` fn is hardcoded to return:
```rust
Err(rustls::Error::InvalidCertificate(
    CertificateError::BadSignature,
))
```
I think in this case it would be slightly clearer if it returned `CertificateError::UnknownIssuer`, so I opened a PR to make that change: https://github.com/rustls/rustls-ffi/pull/421
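
A minimal C model of the state described in the comment above, added here as an illustration; it is not code from curl or rustls-ffi. The struct, enum and function names are hypothetical, only the three field names come from the comment, and treating an empty `ssl_cafile` as unset is an assumption. It shows a preflight check that names the missing trust anchors before any handshake is attempted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the settings named in the comment. */
struct tls_settings {
  bool verifypeer;
  const void *ca_info_blob; /* in-memory CA bundle, or NULL */
  const char *ssl_cafile;   /* CA bundle path; NULL or "" assumed unset */
};

enum verifier_kind {
  VERIFIER_OFF,          /* verifypeer false; not covered in the thread */
  VERIFIER_ROOT_STORE,   /* builder configured with a root cert store */
  VERIFIER_DEFAULT_NONE  /* nothing configured: the default NoneVerifier */
};

/* Constructed sample inputs. */
static const struct tls_settings SAMPLE_NO_CA = { true, NULL, "" };
static const struct tls_settings SAMPLE_CAFILE = { true, NULL, "/path/to/ca.pem" };
static const struct tls_settings SAMPLE_OFF = { false, NULL, NULL };

/* Which verifier the built client config ends up with. */
enum verifier_kind effective_verifier(const struct tls_settings *s)
{
  bool have_file = s->ssl_cafile && s->ssl_cafile[0] != '\0';
  if(!s->verifypeer)
    return VERIFIER_OFF;
  if(s->ca_info_blob || have_file)
    return VERIFIER_ROOT_STORE;
  return VERIFIER_DEFAULT_NONE; /* every handshake will be rejected */
}

/* Preflight: name the real problem before any handshake is attempted. */
const char *preflight_error(const struct tls_settings *s)
{
  if(effective_verifier(s) == VERIFIER_DEFAULT_NONE)
    return "verifypeer is set but no CA file or CA blob is configured";
  return NULL;
}

int main(void)
{
  const char *e = preflight_error(&SAMPLE_NO_CA);
  printf("no CA:   %s\n", e ? e : "ok");
  e = preflight_error(&SAMPLE_CAFILE);
  printf("CA file: %s\n", e ? e : "ok");
  return 0;
}
```
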
In a downstream application (https://github.com/curl/curl/issues/13248) that wasn't configured with CA certificates connecting to https://example.com provokes an odd `BadSignature` error when I would expect something indicating an unknown issuer.

Filing this as a reminder to look into what's going on here.