Pending openssl_probe RUSTSEC advisory

[mmastrac]

As a heads up, there's an advisory in progress for openssl_probe (rustsec/advisory-db#2209). As native-tls is one of the largest consumers, it will likely be necessary to switch to an alternate way of specifying the OpenSSL trust roots to the SSL contexts.

I believe that this can be done using X509_LOOKUP_ctrl which is not currently exposed in the openssl crate, but forms the basis of how the root store can be configured to read from various directories.

https://docs.rs/openssl-sys/latest/openssl_sys/fn.X509_LOOKUP_ctrl.html

http://man.openbsd.org/X509_LOOKUP_new.3#X509_LOOKUP_add_dir

I believe this crate would first need to call the probe methods (which don't change the environment), and then configure each new connector using the https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.cert_store_mut method.

https://github.com/sfackler/rust-native-tls/blob/master/src/imp/openssl.rs#L277

This might be worth punting to https://github.com/sfackler/rust-openssl for some initial work to add the necessary safe APIs, though I don't think it would be required immediately.

[sfackler]

We should just need to expose a variant of https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.set_ca_file that also takes the ca dir and feed the discovered locations into that.

[mmastrac]

Thanks for the quick response, @sfackler 🚀