What is the problem your feature solves, or the need it fulfills?
The rustls connector does not honor per-peer CA configuration. peer.get_ca() is exposed on TlsPeer, but the rustls backend always uses the connector-level CA store for certificate verification, leading to failures (e.g. UnknownIssuer) when upstreams rely on custom CAs.
The OpenSSL backend already supports this.
Describe the solution you'd like
Wire peer.get_ca() into the rustls connector. When a peer provides a CA, use it to build the RootCertStore for server certificate verification; otherwise keep the current behavior unchanged.
Describe alternatives you've considered
Using the OpenSSL/BoringSSL backend.
Additional context
The rustls connector source contains a TODO to set up CA / verification state from the peer. Happy to submit a PR once the approach is confirmed.
```rust
// TODO: setup CA/verify cert store from peer
// peer.get_ca() returns None by default. It must be replaced by the
// implementation of `peer`
```
pingora/pingora-core/src/connectors/tls/rustls/mod.rs
Lines 132 to 134 in 5c4bd0b
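One way to express the wiring proposed above, as an added example that is not Pingora's code and not from the issue author. It is std-only so it runs stand-alone: `TlsPeer`, `Peer` and `RootStore` are hypothetical stand-ins for Pingora's `TlsPeer` and rustls's `RootCertStore` (in real code each DER blob would be fed to `RootCertStore::add`, whose signature varies by rustls version), and `SAMPLE_PEM` is a constructed PEM block wrapping four arbitrary bytes, not a real certificate. The security-relevant detail is the error path: a peer that supplies a CA bundle that cannot be parsed must fail the handshake rather than silently fall back to the connector-level store, otherwise a misconfigured peer is verified against the wrong trust anchors.

```rust
use std::sync::Arc;

/// Hypothetical stand-in for Pingora's `TlsPeer`: only the method this issue is about.
pub trait TlsPeer {
    /// PEM-encoded CA bundle for this peer, or `None` to use the connector-level store.
    fn get_ca(&self) -> Option<Arc<Vec<u8>>>;
}

/// Hypothetical peer type carrying an optional per-peer CA bundle.
pub struct Peer {
    pub ca_pem: Option<Arc<Vec<u8>>>,
}

impl TlsPeer for Peer {
    fn get_ca(&self) -> Option<Arc<Vec<u8>>> {
        self.ca_pem.clone()
    }
}

/// Minimal stand-in for rustls's `RootCertStore`: a list of DER-encoded certificates.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct RootStore {
    pub ders: Vec<Vec<u8>>,
}

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Constructed sample (not a real certificate): a PEM block around the bytes 30 82 01 0a.
pub const SAMPLE_PEM: &str = "-----BEGIN CERTIFICATE-----\nMIIBCg==\n-----END CERTIFICATE-----\n";

/// Standard base64 decoder (no external crate); `None` on any non-alphabet byte.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace()) {
        if c == b'=' {
            break; // padding: remaining bits are discarded
        }
        let v = T.iter().position(|&t| t == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Extract every CERTIFICATE block of a PEM bundle as DER bytes.
/// Fails closed: no block, an unterminated block, or bad base64 is an error, not an empty store.
pub fn pem_to_ders(pem: &[u8]) -> Result<Vec<Vec<u8>>, String> {
    let text = std::str::from_utf8(pem).map_err(|e| e.to_string())?;
    let mut ders = Vec::new();
    let mut rest = text;
    while let Some(start) = rest.find(BEGIN) {
        let body = &rest[start + BEGIN.len()..];
        let end = body.find(END).ok_or("unterminated PEM certificate block")?;
        let der = b64_decode(&body[..end]).ok_or("invalid base64 in PEM certificate block")?;
        if der.is_empty() {
            return Err("empty certificate block".into());
        }
        ders.push(der);
        rest = &body[end..];
    }
    if ders.is_empty() {
        return Err("peer CA contains no CERTIFICATE block".into());
    }
    Ok(ders)
}

/// The wiring this issue proposes: a peer-supplied CA builds the root store used to verify
/// that peer's server certificate; a peer without one keeps the connector-level store.
/// A present-but-broken peer CA is an error so the handshake fails instead of using the wrong roots.
pub fn root_store_for_peer(peer: &dyn TlsPeer, connector_store: &RootStore) -> Result<RootStore, String> {
    match peer.get_ca() {
        Some(pem) => Ok(RootStore { ders: pem_to_ders(&pem)? }),
        None => Ok(connector_store.clone()),
    }
}

fn main() {
    let connector_store = RootStore { ders: vec![vec![0xAA]] }; // constructed placeholder root
    let custom = Peer { ca_pem: Some(Arc::new(SAMPLE_PEM.as_bytes().to_vec())) };
    let default = Peer { ca_pem: None };
    println!("{:?}", root_store_for_peer(&custom, &connector_store));
    println!("{:?}", root_store_for_peer(&default, &connector_store));
}
```

The fallback branch deliberately clones the connector store rather than merging the two: the issue asks for the peer CA to build the store, so a peer with its own CA is verified only against those roots, which is the behaviour the OpenSSL backend's per-peer CA gives.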