-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
”Permission denied“ since v0.7.1 #124
Comments
Can you try with main? It should have a more precise error message. |
I have encountered the same problem. And the issue is gone after switch to git rustls-native-certs = { git = "https://github.com/rustls/rustls-native-certs.git" } I think it is #117 that fixed the issue. |
This is the git
|
Is that unexpected given the permissions involved? Inspect these by running, for example This crate isn't doing much special when it comes to permissions. It needs to enumerate and read the files in this directory. |
Below
|
Yes, in earlier releases we didn't inspect some of the paths that might have additional certificates installed on the user's system. (See the release notes for 0.7.1.) |
I think the bug is here.
|
It can be like this.
|
I think a reasonable expectation from users installing certificates in their filesystem is that those certificates get used, so when, for whatever reason, software is not actually capable of using the installed certificates, raising an error makes sense. But perhaps this is too much of a policy decision that the application-level logic needs to customize, and we should have a different API that both yields an error and also any certificates that have been found? |
another reasonable expectation is |
I think signaling about error conditions that were previously ignored is generally an improvement, and this function was already fallible, so I don't think it's as simple as you make it out to be. |
Yes, I just express my thought. It is your crate, you decide. :) |
Other issues:
@ctz what do you think? We could
(There's a rough analogue here with the |
Another option is to allow edit: in fact, perhaps this is a sufficient workaround for those environments? mkdir /tmp/no-certs-here
export SSL_CERT_DIR=/tmp/no-certs-here
export SSL_CERT_FILE=<...> that leads to reading the certs from
|
I apologize for the incorrect information provided earlier. 🙇🙇🙇 |
My worry is that setting this environment variable is a painful workaround when the user of the software is administratively far removed from the author of the software. For example, in the case of rustup (used by most Rust programmers around the world on whatever development machine) or, I imagine, in the case of rustdesk (where the software gets used by a large population on varied hardware/software environments). I think we should make it easy for authors of software like that to do the right thing (and spit out some logging), which might be to still continue with whatever certificates we did parse (probably typically the ones from |
Fair point. I think that's also an argument that introducing an API change that requests or allows best-effort behaviour has limited benefits? So I think I'm down for (3). Further justification: golang/go@e83bcd9#diff-460ef6ed238924757954b5486f513fdc2f0a3d54c6e9d361e47c867e19f662bfR83-R87 which AFAICT is doing the same logic. An additional detail: perhaps take an optional dep on |
Not sure... when I'm deploying containers at work that use rustls-native-certs (perhaps via rustls-platform-verifier) I'm both the author and the user and I would like to opt in to stricter error handling.
I think we should do tracing instead of log, but yeah, issuing those would make sense to me. |
https://crates.io/crates/rustls-native-certs/0.7.3 published with a fix for this. |
Thanks for your great work. |
I found this when we upgraded seanmonstar/reqwest#2391, one of our users reported this, rustdesk/rustdesk-server-pro#360. It is not easy to reproduce, I can only see this on his machine so far.
The test is
The text was updated successfully, but these errors were encountered: