Search only canonical paths on FreeBSD

michael-o · michael-o · commit 0ca36272b943 · 2025-10-30T21:45:57.000+01:00
FreeBSD contains a canonical certstore managed by certctl(8) located in the base system (/etc/ssl), search there first. Alternatively, a user can populate a custom store in distbase (/usr/local/etc/ssl) with certctl(8) which shall be queried if the former does not exist. At last, there is a store for OpenSSL from the ports (/usr/local/openssl) outside of certctl(8)'s reach. This fixes #20 and fixes #37
diff --git a/src/lib.rs b/src/lib.rs
@@ -26,6 +26,7 @@ pub fn find_certs_dirs() -> Vec<PathBuf> {
 /// found.
 ///
 /// This will only search known system locations.
+#[cfg(not(target_os = "freebsd"))]
 pub fn candidate_cert_dirs() -> impl Iterator<Item = &'static Path> {
     // see http://gagravarr.org/writing/openssl-certs/others.shtml
     [
@@ -52,6 +53,19 @@ pub fn candidate_cert_dirs() -> impl Iterator<Item = &'static Path> {
     .map(Path::new)
     .filter(|p| p.exists())
 }
+#[cfg(target_os = "freebsd")]
+pub fn candidate_cert_dirs() -> impl Iterator<Item = &'static Path> {
+    // see manpage of certctl(8): https://man.freebsd.org/cgi/man.cgi?query=certctl&sektion=8
+    // see security/openssl* ports
+    [
+        "/etc/ssl",
+        "/usr/local/etc/ssl",
+        "/usr/local/openssl",
+    ]
+    .iter()
+    .map(Path::new)
+    .filter(|p| p.exists())
+}
 
 /// Deprecated as this isn't sound, use [`init_openssl_env_vars`] instead.
 #[doc(hidden)]
@@ -169,6 +183,7 @@ pub fn probe() -> ProbeResult {
     for certs_dir in candidate_cert_dirs() {
         // cert.pem looks to be an openssl 1.0.1 thing, while
         // certs/ca-certificates.crt appears to be a 0.9.8 thing
+        #[cfg(not(target_os = "freebsd"))]
         let cert_filenames = [
             "cert.pem",
             "certs.pem",
@@ -181,6 +196,11 @@ pub fn probe() -> ProbeResult {
             "CARootCertificates.pem",
             "tls-ca-bundle.pem",
         ];
+        #[cfg(target_os = "freebsd")]
+        let cert_filenames = [
+            "cert.pem",
+            "ca-root-nss.crt",
+        ];
         if result.cert_file.is_none() {
             result.cert_file = cert_filenames
                 .iter()
