Linux: System CA bundle watcher #60
Comments
This seems like a reasonable ask. The parts of Do you think an opt-in feature flag to bring in
Maybe just polling every 5 minutes or so would be good enough?
I looked into I think putting it behind a feature flag would be nice.
I don't know, but I think a (platform-specific ?) method to update the files would already go some length to alleviate the issue.
We already have platform-specific APIs for UNIX, so this wouldn't be a stretch. We could provide an API to
The part I haven't figured out yet is how we change out the certificates after the verifier has been built. The verifier itself needs to be inside an
Use an
There's also
Currently there is no way to reload the system CA bundle on Linux. This is different to other platforms, which use a system API and can therefore detect certificate changes dynamically.
The main motivation here, aside from platform parity, is to not have to restart applications or require more complicated setups to account for this issue. E.g. this was a problem in hickory-dns/hickory-dns#2038.
Is it an option to implement a directory/file watcher to account for that on Linux? As this isn't really supported in rustls-native-certs, it would require using openssl-probe directly to get the paths instead of only getting the certificates.
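An added example (not the project's code and not from any comment in this thread) of the polling approach floated above, in std-only Rust: the candidate paths are a constructed list standing in for what openssl-probe would return, and the raw bundle bytes stand in for the verifier's parsed roots.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::path::{Path, PathBuf};
use std::sync::{Arc, RwLock};
use std::time::SystemTime;
/// mtime, size and content hash of a bundle file; the hash catches rewrites
/// that keep the same size and timestamp.
#[derive(Clone, Copy, PartialEq, Eq)]
pub struct Fingerprint { mtime: Option<SystemTime>, len: u64, hash: u64 }

fn fingerprint(path: &Path) -> Option<(Fingerprint, Vec<u8>)> {
    let meta = std::fs::metadata(path).ok()?;
    let bytes = std::fs::read(path).ok()?;
    let mut h = DefaultHasher::new();
    bytes.hash(&mut h);
    Some((Fingerprint { mtime: meta.modified().ok(), len: meta.len(), hash: h.finish() }, bytes))
}

/// Polls the first candidate path that exists (a hypothetical list standing in
/// for the paths openssl-probe reports) and swaps the shared bundle only when
/// its fingerprint changes; `snapshot()` is what a verifier would read.
pub struct BundleWatcher {
    candidates: Vec<PathBuf>,
    last: Option<Fingerprint>,
    current: Arc<RwLock<Arc<Vec<u8>>>>,
}

impl BundleWatcher {
    pub fn new(candidates: Vec<PathBuf>) -> Self {
        BundleWatcher { candidates, last: None, current: Arc::new(RwLock::new(Arc::new(Vec::new()))) }
    }
    /// One polling round (e.g. every few minutes); true if a new bundle was installed.
    pub fn poll(&mut self) -> bool {
        let path = match self.candidates.iter().find(|p| p.exists()) {
            Some(p) => p,
            None => return false, // no system bundle: keep the roots we have
        };
        let (fp, bytes) = match fingerprint(path) {
            Some(x) => x,
            None => return false, // read race or permission error: retry next round
        };
        if self.last == Some(fp) { return false; } // unchanged, nothing to rebuild
        self.last = Some(fp);
        *self.current.write().unwrap() = Arc::new(bytes); // swap seen atomically by readers
        true
    }
    /// Cheap handle to the current bundle for a verifier to use.
    pub fn snapshot(&self) -> Arc<Vec<u8>> { self.current.read().unwrap().clone() }
}
```

Run `poll()` from a background thread on the chosen interval; a verifier that holds the `Arc` from `snapshot()` keeps the roots it started with for an in-flight handshake while the next handshake sees the new bundle.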