-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for server certificate validation #13
Comments
* Add support for validating server certificates and signatures * Add 'alloc' feature to support RSA-based certificate validation * Support elliptic curve-based certificates without alloc * Add configuration options for enabling/disabling cert and hostname validation * Add TlsClock trait that if enabled will ensure cert validation check Fixes #13
* Add support for validating server certificates and signatures * Add 'alloc' feature to support RSA-based certificate validation * Support elliptic curve-based certificates without alloc * Add configuration options for enabling/disabling cert and hostname validation * Add TlsClock trait that if enabled will ensure cert validation check Fixes #13
Status update on this feature: At present, the webpki crate is a compile time option for enabling certificate validation. However,
Therefore, I think it is useful to take a look at alternatives. IMO the minimal feature set drogue-tls should support are:
In the first instance I think supporting the elliptic curve signature algorithms should be
RSA would be nice, but I don't know of any crates being able to do RSA without allocator. There are several crates not requiring any allocators that could be used for this task (most developed under RustCrypto: |
Hey @lulf , I wonder what is the status of this feature? Is embedded-tls client support server certificate validation if the server provides a self-signed certificate? |
It's the same as the last status I'm afraid. Whether the server certificate is self-signed or not doesn't matter, the only difference would be that you'd have to use your own CA as the trust root. |
I feel like we should extract the webpki verifier to its own crate. rust-analyzer doesn't like that it's gated behind a feature (won't really work with the webpki.rs file), and we might want to encourage developing additional verifier backends if there is a standalone example of how to do it. rustls has forked webpki. Since they also build on ring, I don't expect this fork would be any more useful for us, but it's something worth knowing about, and might be a good idea to support, too. |
I think we should just kill the webpki verifier, I don't think it's useful the way it is, and would rather see one that uses rust-only crates. |
A rust-only solution is a good idea, but killing webpki is harsh IMO. I'm considering using it myself in one form or another, though I haven't started yet. |
Add support for supplying a CA trust in the TlsConfig and use this to validate the Certificate presented by the server.
The text was updated successfully, but these errors were encountered: