Skip to content

Support full certificate chain loading from CA bundles (#279) #282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
octoaide wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Support full certificate chain loading from CA bundles (#279) #282

octoaide wants to merge 1 commit into from
+118 −2

Conversation

@octoaide
Copy link
Contributor

@octoaide octoaide bot commented Jan 20, 2026

Closes #279

Summary

This PR updates the CA-loading logic so that to_ca_certs() parses and loads all PEM certificates found in a provided CA bundle file instead of stopping after the first PEM block. Many users supply CA bundles containing multiple certificates (root + intermediates or multiple roots for different services), and only loading the first certificate caused TLS verification failures for servers relying on subsequent certificates in the bundle.

What changed

  • Updated src/client.rs to iterate through all certificates returned from the PEM parser and add each one to the root store (previously only the first cert was added).
  • Added tests and a sample CA bundle (tests/ca_cert_bundle.pem) to cover single-file single-cert, single-file multi-cert, multiple files, and empty-input cases.
  • Updated CHANGELOG.md with an Unreleased entry documenting the bug fix.

Why

Loading the full certificate chain from CA bundles ensures proper trust chain verification when intermediate or multiple CA certificates are present in the same file. This preserves backward compatibility for single-certificate files while fixing failures caused by incomplete CA loading.

Files changed (high level)

  • Modified: src/client.rs (iterate and add all parsed certs)
  • Added: tests/ca_cert_bundle.pem (test bundle with multiple certs)
  • Modified: CHANGELOG.md (document fix)

Testing

  • Added and ran unit tests covering multiple scenarios. All tests pass locally (e.g., cargo test --all-features).

References

This change uses the auto-closing keyword above to close the referenced issue when merged.

@octoaide
Update files via octoaide
2c5651b 
 2 files changed, 84 insertions(+), 2 deletions(-)

Automated changes made by octoaide bot.
@octoaide octoaide bot requested a review from JonghoKim-jj January 20, 2026 02:32
@codecov
Copy link

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.93%. Comparing base (4e1dd53) to head (2c5651b).

Additional details and impacted files 
@@            Coverage Diff            @@
##             main    #282      +/-   ##
=========================================
- Coverage   10.19%   7.93%   -2.26%     
=========================================
  Files           8       7       -1     
  Lines         628     529      -99     
=========================================
- Hits           64      42      -22     
+ Misses        564     487      -77

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@JonghoKim-jj
Copy link
Contributor

JonghoKim-jj commented Jan 21, 2026

I'll review this PR after #274 is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JonghoKim-jj JonghoKim-jj Awaiting requested review from JonghoKim-jj

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support full certificate chain loading from CA bundles

2 participants

@JonghoKim-jj