Replace rust-native-certs and webpki-roots with rust-platform-verifier #1340
Comments
OK, good to know. Sure, it looks neat, so let's move to it, but I think we should add something so that folks can inject their own verifier as well, such as:

```rust
use std::sync::Arc;

enum CertificateStore {
    /// (rustls-platform-verifier)
    Native,
    /// webpki
    WebPki,
    /// Custom cert store
    Custom(Arc<dyn rustls::client::danger::ServerCertVerifier>),
}
```
Good thought. Definitely some use cases for client certs and the like that I can think of. I'm not sure if webpki is needed or not if platform-verifier will automatically route to it. Are you thinking it's needed for backward compatibility?
Maybe it's not needed any more but I had in mind that some use-cases may explicitly want to use webpki because it has some benefits compared to native system certs in some scenarios, https://github.com/rustls/rustls-native-certs?tab=readme-ov-file#should-i-use-this-or-webpki-roots. However, as long as we provide the custom verifier it should be possible to enable anyway.
The current build doesn't support iOS/Android builds if you don't split off to use the webpki-tls on Android and iOS. While researching this, I came across https://github.com/rustls/rustls-platform-verifier/, which is the rustls replacement for native-certs that optimizes cert verification for each platform.
I think switching to rust-platform-verifier should give a performance boost, reduce the choice of "Which tls to activate" and support more platforms out of the box.