From 57a741d84525651c022581dad3b24cfb5b147c9d Mon Sep 17 00:00:00 2001
From: Serhii Bohdanov
Date: Tue, 14 Apr 2026 12:14:55 +0300
Subject: [PATCH] tokio-quiche(config): add CA path options for peer verification

Add optional settings for CA bundle and CA directory paths in `QuicSettings`, and apply them when building quiche config. This enables configuring custom trust stores for certificate verification without relying on system defaults.
---
 tokio-quiche/src/settings/config.rs | 8 ++++++++
 tokio-quiche/src/settings/quic.rs | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/tokio-quiche/src/settings/config.rs b/tokio-quiche/src/settings/config.rs
index b3c1522d6b1..8ffcb6bdfa1 100644
--- a/tokio-quiche/src/settings/config.rs
+++ b/tokio-quiche/src/settings/config.rs
@@ -184,6 +184,14 @@ fn make_quiche_config(
 config.verify_peer(quic_settings.verify_peer);
 }
 
+ if let Some(path) = quic_settings.verify_ca_bundle_path.as_deref() {
+ config.load_verify_locations_from_file(path)?;
+ }
+
+ if let Some(path) = quic_settings.verify_ca_directory_path.as_deref() {
+ config.load_verify_locations_from_directory(path)?;
+ }
+
 config.set_max_connection_window(quic_settings.max_connection_window);
 config.set_max_stream_window(quic_settings.max_stream_window);
 config.set_enable_send_streams_blocked(
diff --git a/tokio-quiche/src/settings/quic.rs b/tokio-quiche/src/settings/quic.rs
index af1378f2ef0..ced419c94fa 100644
--- a/tokio-quiche/src/settings/quic.rs
+++ b/tokio-quiche/src/settings/quic.rs
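Review bot: The two new `load_verify_locations_*` calls run regardless of whether the `verify_peer` branch just above them was taken, and a failure from either (unreadable, empty or malformed path) aborts `make_quiche_config` with a quiche error that does not name the offending path. Failing at config-build time is the right behaviour for a trust-store misconfiguration, but the intent deserves a comment above the first `if let`, e.g. `// Custom trust anchors: a bad path fails config construction rather than silently falling back to defaults`, and if the function's error type can carry context, attaching the path to the error would make startup failures diagnosable. Whether these locations extend or replace quiche's default verify paths is not visible in this hunk; confirm it and state it in the same comment. `make_quiche_config` starts and ends outside this hunk.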
@@ -246,6 +246,28 @@ pub struct QuicSettings {
 /// [`verify_peer()`]: https://docs.rs/quiche/latest/quiche/struct.Config.html#method.verify_peer
 pub verify_peer: bool,
 
+ /// Specifies a file where trusted CA certificates are stored for the
+ /// purposes of certificate verification.
+ ///
+ /// The content of `file` is parsed as a PEM-encoded certificate chain.
+ ///
+ /// Defaults to `None`.
+ /// [`load_verify_locations_from_file()`] for more.
+ ///
+ /// [`load_verify_locations_from_file()`]: https://docs.rs/quiche/latest/quiche/struct.Config.html#method.load_verify_locations_from_file
+ pub verify_ca_bundle_path: Option,
+
+ /// Specifies a directory where trusted CA certificates are stored for the
+ /// purposes of certificate verification.
+ ///
+ /// The content of `dir` a set of PEM-encoded certificate chains.
+ ///
+ /// Defaults to `None`.
+ /// [`load_verify_locations_from_directory()`] for more.
+ ///
+ /// [`load_verify_locations_from_directory()`]: https://docs.rs/quiche/latest/quiche/struct.Config.html#method.load_verify_locations_from_directory
+ pub verify_ca_directory_path: Option,
+
 /// The maximum size of the receiver connection flow control window.
 ///
 /// Defaults to 24MB.
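Review bot: The new doc comments are copied from quiche's method docs and refer to parameters this struct does not have — "The content of file is parsed…" and "The content of dir a set of…" (the latter also missing "is") — and "Defaults to None." runs straight into "[load_verify_locations_from_file()] for more." without a "See"; suggested lines are `/// The file at this path is parsed as a PEM-encoded certificate chain.`, `/// The directory at this path holds a set of PEM-encoded certificate chains.` and `/// See [\`load_verify_locations_from_file()\`] for more.` (likewise for the directory link). The field types print as `Option,` here, which looks like the generic argument was lost in rendering; confirm the committed type and, if `QuicSettings` has a hand-written `Default` impl outside this hunk, that both fields are initialised to `None`. The directory form relies on the TLS library's hashed-filename lookup, so one sentence noting that plainly named PEM files in that directory will not be found would prevent a confusing verification failure at handshake time. `QuicSettings` begins and ends outside this hunk.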