Skip to content

Code Review Bench PR #64970 - Ensure SSL_CERT_DIR messages are always shown and check for existing value #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ketkarameya wants to merge 6 commits into
base: base_pr_64970_20260125_1452
Choose a base branch
from
Open

Code Review Bench PR #64970 - Ensure SSL_CERT_DIR messages are always shown and check for existing value #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fade7c7
Improve the SSL_CERT_DIR messaging on Unix systems.
danegsta Jan 7, 2026
60be2ab
Use critical for log level filter
danegsta Jan 7, 2026
9fd206b
Update src/Shared/CertificateGeneration/UnixCertificateManager.cs
danegsta Jan 7, 2026
35584d7
Update src/Shared/CertificateGeneration/CertificateManager.cs
danegsta Jan 7, 2026
c8ce09d
Treat invalid SSL_CERT_DIR as a partial success during trust
danegsta Jan 8, 2026
07d6e09
update pr
tomerqodo Jan 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions src/Shared/CertificateGeneration/CertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -966,9 +966,6 @@ internal static bool TryFindCertificateInStore(X509Store store, X509Certificate2
return foundCertificate is not null;
}

/// <remarks>
/// Note that dotnet-dev-certs won't display any of these, regardless of level, unless --verbose is passed.
/// </remarks>
[EventSource(Name = "Dotnet-dev-certs")]
public sealed class CertificateManagerEventSource : EventSource
{
Expand Down Expand Up @@ -1303,7 +1300,7 @@ public sealed class CertificateManagerEventSource : EventSource
internal void UnixNotOverwritingCertificate(string certPath) => WriteEvent(109, certPath);

[Event(110, Level = EventLevel.LogAlways, Message = "For OpenSSL trust to take effect, '{0}' must be listed in the {2} environment variable. " +
"For example, `export SSL_CERT_DIR={0}:{1}`. " +
"For example, `export {2}=\"{0}:{1}\"`. " +
"See https://aka.ms/dev-certs-trust for more information.")]
internal void UnixSuggestSettingEnvironmentVariable(string certDir, string openSslDir, string envVarName) => WriteEvent(110, certDir, openSslDir, envVarName);

Expand All @@ -1313,6 +1310,14 @@ public sealed class CertificateManagerEventSource : EventSource

[Event(112, Level = EventLevel.Warning, Message = "Directory '{0}' may be readable by other users.")]
internal void DirectoryPermissionsNotSecure(string directoryPath) => WriteEvent(112, directoryPath);

[Event(113, Level = EventLevel.Verbose, Message = "The certificate directory '{0}' is already included in the {1} environment variable.")]
internal void UnixOpenSslCertificateDirectoryAlreadyConfigured(string certDir, string envVarName) => WriteEvent(113, certDir, envVarName);

[Event(114, Level = EventLevel.LogAlways, Message = "For OpenSSL trust to take effect, '{0}' must be listed in the {1} environment variable. " +
"For example, `export {1}=\"{0}:${1}\"`. " +
"See https://aka.ms/dev-certs-trust for more information.")]
internal void UnixSuggestAppendingToEnvironmentVariable(string certDir, string envVarName) => WriteEvent(114, certDir, envVarName);
}

internal sealed class UserCancelledTrustException : Exception
Expand Down
60 changes: 56 additions & 4 deletions src/Shared/CertificateGeneration/UnixCertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -355,14 +355,57 @@ protected override TrustLevel TrustCertificateCore(X509Certificate2 certificate)
? Path.Combine("$HOME", certDir[homeDirectoryWithSlash.Length..])
: certDir;

if (TryGetOpenSslDirectory(out var openSslDir))
var hasValidSslCertDir = false;

// Check if SSL_CERT_DIR is already set and if certDir is already included
var existingSslCertDir = Environment.GetEnvironmentVariable(OpenSslCertificateDirectoryVariableName);
if (!string.IsNullOrEmpty(existingSslCertDir))
{
var existingDirs = existingSslCertDir.Split(Path.PathSeparator);
var certDirFullPath = Path.GetFullPath(prettyCertDir);
Copy link

@gitar-bot-staging gitar-bot-staging bot Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 Bug: Path.GetFullPath(prettyCertDir) breaks when path contains literal $HOME

When certDir starts with the home directory, prettyCertDir is set to a display-friendly string like $HOME/.aspnet/dev-certs/trust (line 354-356). Then on line 365, Path.GetFullPath(prettyCertDir) is called on this value.

Path.GetFullPath does NOT expand shell variables — $HOME is treated as a literal directory name. On Unix, this resolves to something like /current/working/dir/$HOME/.aspnet/dev-certs/trust, which will never match any real path in SSL_CERT_DIR.

This means the certificate directory inclusion check will always fail for users whose cert dir is under their home directory (the common case), causing spurious "suggest appending" messages even when SSL_CERT_DIR is already correctly configured.

Fix: Use certDir (the actual filesystem path) instead of prettyCertDir for the Path.GetFullPath call:

var certDirFullPath = Path.GetFullPath(certDir);

prettyCertDir should only be used for display/logging purposes, not for path resolution.

Was this helpful? React with 👍 / 👎

Suggested change
var certDirFullPath = Path.GetFullPath(prettyCertDir);
var certDirFullPath = Path.GetFullPath(certDir);
  • Apply suggested fix

var isCertDirIncluded = existingDirs.Any(dir =>
{
if (string.IsNullOrWhiteSpace(dir))
{
return false;
}

try
{
return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase);
Copy link

@gitar-bot-staging gitar-bot-staging bot Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Bug: Case-insensitive path comparison is incorrect on Unix filesystems

On line 375, path comparison uses StringComparison.OrdinalIgnoreCase:

return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase);

Unix filesystems (ext4, XFS, btrfs, etc.) are case-sensitive by default. /home/User/certs and /home/user/certs are different directories on Unix. Using case-insensitive comparison can produce false positives — the code would incorrectly conclude that the cert directory is already in SSL_CERT_DIR when it actually isn't (just a different path with different casing).

Since this code is in UnixCertificateManager (Unix-only), the comparison should use StringComparison.Ordinal to match the filesystem's case sensitivity. The original code was correct in this regard.

The PR context mentions that "file systems can have paths with different case representations" but on Unix this would mean they're genuinely different paths. Only macOS HFS+ is case-insensitive, and even then Path.GetFullPath preserves the original casing.

Was this helpful? React with 👍 / 👎

Suggested change
return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase);
return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.Ordinal);
  • Apply suggested fix

}
catch
{
// Ignore invalid directory entries in SSL_CERT_DIR
return false;
}
});

if (isCertDirIncluded)
{
// The certificate directory is already in SSL_CERT_DIR, no action needed
Log.UnixOpenSslCertificateDirectoryAlreadyConfigured(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = true;
}
else
{
// SSL_CERT_DIR is set but doesn't include our directory - suggest appending
Log.UnixSuggestAppendingToEnvironmentVariable(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}
}
else if (TryGetOpenSslDirectory(out var openSslDir))
{
Log.UnixSuggestSettingEnvironmentVariable(prettyCertDir, Path.Combine(openSslDir, "certs"), OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}
else
{
Log.UnixSuggestSettingEnvironmentVariableWithoutExample(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}

sawTrustFailure = !hasValidSslCertDir;
Copy link

@gitar-bot-staging gitar-bot-staging bot Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Bug: sawTrustFailure overwrite can mask prior NSS DB trust failures

Line 408 unconditionally assigns sawTrustFailure = !hasValidSslCertDir, which can overwrite a previous true value set by NSS DB trust failures (lines 295, 322, 328).

Scenario: NSS DB trust fails (sawTrustFailure = true), but OpenSSL trust succeeds and SSL_CERT_DIR is correctly configured (hasValidSslCertDir = true). The assignment sawTrustFailure = false masks the NSS failure, and the method returns TrustLevel.Full instead of TrustLevel.Partial.

Fix: Use |= to accumulate failures rather than overwrite:

sawTrustFailure |= !hasValidSslCertDir;

This ensures that if any prior trust step failed, the overall result still reflects partial trust.

Was this helpful? React with 👍 / 👎

Suggested change
sawTrustFailure = !hasValidSslCertDir;
sawTrustFailure |= !hasValidSslCertDir;
  • Apply suggested fix

}

return sawTrustFailure
Expand Down Expand Up @@ -948,9 +991,18 @@ private static bool TryRehashOpenSslCertificates(string certificateDirectory)
return true;
}

private sealed class NssDb(string path, bool isFirefox)
private sealed class NssDb
{
public string Path => path;
public bool IsFirefox => isFirefox;
private readonly string _path;
private readonly bool _isFirefox;

public NssDb(string path, bool isFirefox)
{
_path = path;
_isFirefox = isFirefox;
}

public string Path => _path;
public bool IsFirefox => _isFirefox;
}
}
8 changes: 6 additions & 2 deletions src/Tools/dotnet-dev-certs/src/Program.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,16 +124,20 @@ public static int Main(string[] args)
{
var reporter = new ConsoleReporter(PhysicalConsole.Singleton, verbose.HasValue(), quiet.HasValue());

var listener = new ReporterEventListener(reporter);
if (verbose.HasValue())
{
var listener = new ReporterEventListener(reporter);
listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.Verbose);
}
else
{
listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.LogAlways);
}

if (checkJsonOutput.HasValue())
{
if (exportPath.HasValue() || trust?.HasValue() == true || format.HasValue() || noPassword.HasValue() || check.HasValue() || clean.HasValue() ||
(!import.HasValue() && password.HasValue()) ||
(!import.HasValue() && password.HasValue()) ||
(import.HasValue() && !password.HasValue()))
{
reporter.Error(InvalidUsageErrorMessage);
Expand Down