├── .github └── workflows │ └── main.yml ├── .gitignore ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── examples └── probe.rs └── src └── lib.rs /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: 3 | pull_request: 4 | 5 | defaults: 6 | run: 7 | shell: bash 8 | 9 | jobs: 10 | test: 11 | name: Test 12 | runs-on: ${{ matrix.os }} 13 | strategy: 14 | matrix: 15 | include: 16 | - os: ubuntu-latest 17 | - os: macos-latest 18 | - os: windows-latest 19 | steps: 20 | - uses: actions/checkout@v4 21 | with: 22 | submodules: true 23 | - run: cargo test 24 | 25 | msrv: 26 | name: MSRV 27 | runs-on: ubuntu-latest 28 | steps: 29 | - uses: actions/checkout@v4 30 | with: 31 | submodules: true 32 | - run: rustup update 1.60.0 && rustup default 1.60.0 33 | - run: cargo test 34 | 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | Cargo.lock 3 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "openssl-probe" 3 | version = "0.1.6" 4 | authors = ["Alex Crichton "] 5 | license = "MIT/Apache-2.0" 6 | repository = "https://github.com/alexcrichton/openssl-probe" 7 | homepage = "https://github.com/alexcrichton/openssl-probe" 8 | description = """ 9 | Tool for helping to find SSL certificate locations on the system for OpenSSL 10 | """ 11 | readme = "README.md" 12 | edition = '2021' 13 | 14 | # This was arbitrarily chosen on 2025-01-23 as "pretty old"; previously the 15 | # key didn't exist in `Cargo.toml`. 
16 | rust-version = '1.60.0' 17 | -------------------------------------------------------------------------------- /LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2014 Alex Crichton 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # openssl-probe 2 | 3 | Tool for helping to find SSL certificate locations on the system for OpenSSL 4 | 5 | [![Crates.io](https://img.shields.io/crates/v/openssl-probe.svg?maxAge=2592000)](https://crates.io/crates/openssl-probe) 6 | [![docs.rs](https://docs.rs/openssl-probe/badge.svg)](https://docs.rs/openssl-probe/) 7 | 8 | ## Usage 9 | 10 | First, add this to your `Cargo.toml`: 11 | 12 | ```toml 13 | [dependencies] 14 | openssl-probe = "0.1.6" 15 | ``` 16 | 17 | Then add this to your crate: 18 | 19 | ```rust 20 | fn main() { 21 | let result = openssl_probe::probe(); 22 | if let Some(dir) = &result.cert_dir { 23 | //... your code 24 | } 25 | if let Some(file) = &result.cert_file { 26 | //... your code 27 | } 28 | } 29 | ``` 30 | 31 | ## License 32 | 33 | `openssl-probe` is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), 34 | with portions covered by various BSD-like licenses. 35 | 36 | See [LICENSE-APACHE](./LICENSE-APACHE), and [LICENSE-MIT](LICENSE-MIT) for details. 
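// --------------------------------------------------------------------------------
// /examples/probe.rs:
// --------------------------------------------------------------------------------

/// Prints what `openssl_probe::probe` finds on this machine: the certificate
/// directory and the certificate bundle file, each in `Debug` form
/// (`Some("/path")` or `None`), one per line.
fn main() {
    let r = openssl_probe::probe();

    println!("cert_dir: {:?}", r.cert_dir);
    println!("cert_file: {:?}", r.cert_file);
}

// --------------------------------------------------------------------------------
// /src/lib.rs:
// --------------------------------------------------------------------------------

use std::env;
use std::path::{Path, PathBuf};

/// The OpenSSL environment variable to configure what certificate file to use.
pub const ENV_CERT_FILE: &str = "SSL_CERT_FILE";

/// The OpenSSL environment variable to configure what certificates directory to use.
pub const ENV_CERT_DIR: &str = "SSL_CERT_DIR";

/// Where CA certificates were found on this system, as returned by [`probe`].
///
/// Each field is `None` when nothing usable was found for it, either in the
/// corresponding environment variable or in the known system locations.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProbeResult {
    /// A CA bundle file, suitable as the value of `SSL_CERT_FILE`.
    pub cert_file: Option<PathBuf>,
    /// A directory of CA certificates, suitable as the value of `SSL_CERT_DIR`.
    pub cert_dir: Option<PathBuf>,
}

/// Probe the system for the directory in which CA certificates should likely be
/// found.
///
/// This will only search known system locations.
#[doc(hidden)]
#[deprecated(note = "use `candidate_cert_dirs` instead")]
pub fn find_certs_dirs() -> Vec<PathBuf> {
    // Owned copies of the borrowed candidates; kept only for API compatibility.
    candidate_cert_dirs().map(Path::to_path_buf).collect()
}

/// Probe the system for the directory in which CA certificates should likely be
/// found.
///
/// This will only search known system locations, in a fixed order, and yields
/// only those that exist on this machine at the time of the call.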
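pub fn candidate_cert_dirs() -> impl Iterator<Item = &'static Path> {
    // Known system locations, checked in this order;
    // see http://gagravarr.org/writing/openssl-certs/others.shtml
    const KNOWN_DIRS: &[&str] = &[
        "/var/ssl",
        "/usr/share/ssl",
        "/usr/local/ssl",
        "/usr/local/openssl",
        "/usr/local/etc/openssl",
        "/usr/local/share",
        "/usr/lib/ssl",
        "/usr/ssl",
        "/etc/openssl",
        "/etc/pki/ca-trust/extracted/pem",
        "/etc/pki/tls",
        "/etc/ssl",
        "/etc/certs",
        "/opt/etc/ssl", // Entware
        #[cfg(target_os = "android")]
        "/data/data/com.termux/files/usr/etc/tls",
        #[cfg(target_os = "haiku")]
        "/boot/system/data/ssl",
    ];

    KNOWN_DIRS
        .iter()
        .map(Path::new)
        // Only an accessible directory can hold certificates: a regular file, a
        // dangling symlink or an unreadable entry at one of these paths is skipped
        // rather than handed to the caller as a "certificate directory".
        .filter(|dir| dir.is_dir())
}

/// Deprecated as this isn't sound, use [`init_openssl_env_vars`] instead.
#[doc(hidden)]
#[deprecated(note = "this function is not safe, use `init_openssl_env_vars` instead")]
pub fn init_ssl_cert_env_vars() {
    // Not sound: a safe function cannot make its caller uphold the
    // environment-mutation contract of `init_openssl_env_vars`; kept only for
    // API compatibility.
    unsafe { init_openssl_env_vars() }
}

/// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE`
/// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use.
///
/// Preconfigured values in the environment variables are kept as long as they pass the
/// check described on [`has_ssl_cert_env_vars`]; only the missing pieces are filled in
/// from the probe.
///
/// # Safety
///
/// This function is `unsafe` because it mutates the process's environment
/// variables, which is not generally sound in a multi-threaded process. See the
/// [documentation in libstd][doc] for information about why setting environment
/// variables is not safe.
///
/// If possible use the [`probe`] function and directly configure OpenSSL
/// methods instead of relying on environment variables.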
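///
/// [doc]: https://doc.rust-lang.org/stable/std/env/fn.set_var.html#safety
pub unsafe fn init_openssl_env_vars() {
    // SAFETY: this function's own contract is exactly the one
    // `try_init_openssl_env_vars` requires, so the caller has already upheld it.
    // The `bool` result (whether anything was found) is discarded by this variant.
    unsafe {
        try_init_openssl_env_vars();
    }
}

/// Deprecated as this isn't sound, use [`try_init_openssl_env_vars`] instead.
#[doc(hidden)]
#[deprecated(note = "use try_init_openssl_env_vars instead, this function is not safe")]
pub fn try_init_ssl_cert_env_vars() -> bool {
    // Not sound: a safe function cannot make its caller uphold the
    // environment-mutation contract of `try_init_openssl_env_vars`; kept only for
    // API compatibility.
    unsafe { try_init_openssl_env_vars() }
}

/// Probe for SSL certificates on the system, then configure the SSL certificate `SSL_CERT_FILE`
/// and `SSL_CERT_DIR` environment variables in this process for OpenSSL to use.
///
/// Preconfigured values in the environment variables are kept as long as they pass the
/// check described on [`has_ssl_cert_env_vars`]; only the missing pieces are filled in
/// from the probe.
///
/// Returns `true` if any certificate file or directory was found while probing.
/// Combine this with `has_ssl_cert_env_vars()` to check whether previously configured environment
/// variables are valid.
///
/// # Safety
///
/// This function is `unsafe` because it mutates the process's environment
/// variables, which is not generally sound in a multi-threaded process. See the
/// [documentation in libstd][doc] for information about why setting environment
/// variables is not safe.
///
/// If possible use the [`probe`] function and directly configure OpenSSL
/// methods instead of relying on environment variables.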
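///
/// [doc]: https://doc.rust-lang.org/stable/std/env/fn.set_var.html#safety
pub unsafe fn try_init_openssl_env_vars() -> bool {
    let ProbeResult {
        cert_file,
        cert_dir,
    } = probe();

    // Existing, usable values survive untouched: `probe()` starts from the current
    // environment and only fills in the fields that were empty or unusable, so
    // writing its result back never replaces a value that `probe_from_env` accepted.
    if let Some(path) = &cert_file {
        // SAFETY: the caller guarantees that mutating the process environment is
        // sound here (this function's own contract).
        unsafe { put(ENV_CERT_FILE, path) };
    }
    if let Some(path) = &cert_dir {
        // SAFETY: as above.
        unsafe { put(ENV_CERT_DIR, path) };
    }

    /// Sets `var` to `path` unless it already holds exactly that value.
    ///
    /// # Safety
    ///
    /// Same contract as [`try_init_openssl_env_vars`]: the caller must ensure the
    /// process environment may be mutated at this point.
    unsafe fn put(var: &str, path: &Path) {
        // Skip `setenv` when the variable already has the same contents. Perl
        // versions before 5.38 (Debian Bookworm ships 5.36) manipulate the
        // `environ` pointer directly, and calling `setenv` from inside such a host
        // process crashes.
        if env::var_os(var).as_deref() != Some(path.as_os_str()) {
            // SAFETY: forwarded from this function's own contract.
            unsafe { env::set_var(var, path) };
        }
    }

    cert_file.is_some() || cert_dir.is_some()
}

/// Check whether the OpenSSL `SSL_CERT_FILE` and/or `SSL_CERT_DIR` environment variable is
/// configured in this process with a usable value.
///
/// A value is usable when it is an accessible path of the kind OpenSSL expects for that
/// variable: a regular file (or a symlink to one) for `SSL_CERT_FILE`, a directory for
/// `SSL_CERT_DIR`. A value of the wrong kind, or one that cannot be inspected, counts as
/// not configured, since OpenSSL would not be able to load certificates from it.
///
/// Returns `true` if either variable holds a usable value.
pub fn has_ssl_cert_env_vars() -> bool {
    let from_env = probe_from_env();
    from_env.cert_file.is_some() || from_env.cert_dir.is_some()
}

/// Reads `SSL_CERT_FILE` / `SSL_CERT_DIR` from this process's environment, keeping each
/// only if it names an accessible path of the right kind: a regular file (or a symlink
/// to one) for the file variable, a directory for the directory variable.
///
/// An unset variable, an empty one, a path of the wrong kind, or a path whose metadata
/// cannot be read all yield `None`, so [`probe`] goes on to look for a replacement in the
/// known system locations and [`has_ssl_cert_env_vars`] reports it as not configured.
fn probe_from_env() -> ProbeResult {
    /// Looks `name` up in the environment and keeps it only when `usable(path)` holds.
    fn lookup(name: &str, usable: fn(&Path) -> bool) -> Option<PathBuf> {
        let path = PathBuf::from(env::var_os(name)?);
        if usable(&path) {
            Some(path)
        } else {
            None
        }
    }

    ProbeResult {
        cert_file: lookup(ENV_CERT_FILE, Path::is_file),
        cert_dir: lookup(ENV_CERT_DIR, Path::is_dir),
    }
}

/// Probe the current system for the "cert file" and "cert dir" variables that
/// OpenSSL typically requires.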
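///
/// The probe result is returned as a [`ProbeResult`] structure here.
///
/// Values already present in `SSL_CERT_FILE` / `SSL_CERT_DIR` take precedence when they
/// point at a usable file or directory respectively; only the missing pieces are looked
/// up in the known system locations (see [`candidate_cert_dirs`]), and the first match in
/// that fixed order wins. Nothing is written to the environment by this function.
pub fn probe() -> ProbeResult {
    // Bundle file names to try inside each candidate directory. `cert.pem` looks to
    // be an OpenSSL 1.0.1 thing, while `certs/ca-certificates.crt` appears to be a
    // 0.9.8 thing.
    const CERT_FILENAMES: &[&str] = &[
        "cert.pem",
        "certs.pem",
        "ca-bundle.pem",
        "cacert.pem",
        "ca-certificates.crt",
        "certs/ca-certificates.crt",
        "certs/ca-root-nss.crt",
        "certs/ca-bundle.crt",
        "CARootCertificates.pem",
        "tls-ca-bundle.pem",
    ];

    let mut result = probe_from_env();
    if result.cert_file.is_some() && result.cert_dir.is_some() {
        // Both preconfigured and usable: no need to touch the filesystem at all.
        return result;
    }

    for certs_dir in candidate_cert_dirs() {
        if result.cert_file.is_none() {
            // Only a readable regular file (or a symlink to one) can serve as a
            // bundle; a directory of the same name must not be reported here.
            result.cert_file = CERT_FILENAMES
                .iter()
                .map(|name| certs_dir.join(name))
                .find(|candidate| candidate.is_file());
        }
        if result.cert_dir.is_none() {
            let dir = certs_dir.join("certs");
            if dir.is_dir() {
                result.cert_dir = Some(dir);
            }
        }
        if result.cert_file.is_some() && result.cert_dir.is_some() {
            break;
        }
    }
    result
}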