
Replace rust-native-certs and webpki-roots with rust-platform-verifier #1340

Closed
blakebyrnes opened this issue Apr 4, 2024 · 3 comments · Fixed by #1373

Comments

@blakebyrnes

The current build doesn't support iOS/Android builds if you don't split off to use the webpki-tls on android and ios. While researching this, I came across https://github.com/rustls/rustls-platform-verifier/, which is the rustls replacement for native-certs that optimizes cert verification for each platform.

I think switching to rust-platform-verifier should give a performance boost, reduce the choice of "Which tls to activate" and support more platforms out of the box.

@niklasad1
Member

Ok, good to know. Sure, it looks neat, let's move to it, but I think we should add something such that folks can inject their own verifier as well, such as:

use std::sync::Arc;

enum CertificateStore {
  /// Platform-native verification (rustls-platform-verifier)
  Native,
  /// Bundled Mozilla roots (webpki-roots)
  WebPki,
  /// Custom cert store supplied by the caller
  Custom(Arc<dyn rustls::client::danger::ServerCertVerifier>),
}

@blakebyrnes
Author

Good thought. Definitely some use cases for client certs and the like that I can think of.

I'm not sure if webpki is needed or not if platform-verifier will automatically route to it. Are you thinking it's needed for backward compatibility?

@niklasad1
Member

I'm not sure if webpki is needed or not if platform-verifier will automatically route to it. Are you thinking it's needed for backward compatibility?

Maybe it's not needed any more but I had in mind that some use-cases may explicitly want to use webpki because it has some benefits compared to native system certs in some scenarios, https://github.com/rustls/rustls-native-certs?tab=readme-ov-file#should-i-use-this-or-webpki-roots.

However, as long as we provide the custom verifier it should be possible to enable anyway.
