Supporting SSL_CERT_DIR and SSL_CERT_FILE
Description of the feature:
I want to propose implementing a feature that enables a user to choose a trust store at run-time. This feature would work exactly as it works in OpenSSL: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html
SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used. There is one default directory, one default file and one default store. The default CA certificates directory is called certs in the default OpenSSL directory, and this is also the default store. Alternatively the SSL_CERT_DIR environment variable can be defined to override this location. The default CA certificates file is called cert.pem in the default OpenSSL directory. Alternatively the SSL_CERT_FILE environment variable can be defined to override this location.
This manual page describes being able to overwrite the default CA certificates by specifying alternatives using either SSL_CERT_DIR
or SSL_CERT_FILE
.
Applications that this feature may be relevant to:
See a related discussion here: https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html
Is this feature implemented in other libraries (and which)
Yes, in OpenSSL. See: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html
Guidance
If the feature request seems fine, but nobody can work on it, I would like to give it a try. If there are any perspectives that come to mind that I have to take into account while implementing this feature, please write them here. :)
Thank you!