Merge pull request #324 from sfackler/fix-root-config

Cache openssl cert lookup and don't bail on error

Author: sfackler

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: sfackler/actions/rustup@master
       - uses: sfackler/actions/rustfmt@master
-  
+
   windows:
     strategy:
       fail-fast: false
@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: sfackler/actions/rustup@master
         with:
-          version: 1.65.0
+          version: 1.80.0
       - run: echo "::set-output name=version::$(rustc --version)"
         id: rust-version
       - uses: actions/cache@v1

Cargo.toml

@@ -6,7 +6,7 @@ license = "MIT OR Apache-2.0"
 description = "A wrapper over a platform's native TLS implementation"
 repository = "https://github.com/sfackler/rust-native-tls"
 readme = "README.md"
-rust-version = "1.53.0"
+rust-version = "1.80.0"
 
 [package.metadata.docs.rs]
 features = ["alpn"]

build.rs

@@ -17,4 +17,6 @@ fn main() {
             println!("cargo:rustc-cfg=have_min_max_version");
         }
     }
+
+    println!("cargo::rustc-check-cfg=cfg(have_min_max_version)")
 }

src/imp/openssl.rs

@@ -11,12 +11,16 @@ use self::openssl::ssl::{
     SslVerifyMode,
 };
 use self::openssl::x509::{store::X509StoreBuilder, X509VerifyResult, X509};
+use self::openssl_probe::ProbeResult;
 use std::error;
 use std::fmt;
 use std::io;
+use std::sync::LazyLock;
 
 use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
 
+static PROBE_RESULT: LazyLock<ProbeResult> = LazyLock::new(openssl_probe::probe);
+
 #[cfg(have_min_max_version)]
 fn supported_protocols(
     min: Option<Protocol>,
@@ -268,8 +272,17 @@ impl TlsConnector {
     pub fn new(builder: &TlsConnectorBuilder) -> Result<TlsConnector, Error> {
         let mut connector = SslConnector::builder(SslMethod::tls())?;
 
-        let probe = openssl_probe::probe();
-        connector.load_verify_locations(probe.cert_file.as_deref(), probe.cert_dir.as_deref())?;
+        // We need to load these separately so an error on one doesn't prevent the other from loading.
+        if let Some(cert_file) = &PROBE_RESULT.cert_file {
+            if let Err(e) = connector.load_verify_locations(Some(cert_file), None) {
+                debug!("load_verify_locations cert file error: {:?}", e);
+            }
+        }
+        if let Some(cert_dir) = &PROBE_RESULT.cert_dir {
+            if let Err(e) = connector.load_verify_locations(None, Some(cert_dir)) {
+                debug!("load_verify_locations cert dir error: {:?}", e);
+            }
+        }
 
         if let Some(ref identity) = builder.identity {
             connector.set_certificate(&identity.0.cert)?;