RustlsConnector use ring crypto provider
algesten committed Jul 10, 2024
1 parent 4cb40c3 commit 330c548
Showing 2 changed files with 18 additions and 9 deletions.
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -40,6 +40,7 @@ rustls-pemfile = { version = "2.1.2", optional = true, default-features = false
rustls-pki-types = { version = "1.7.0", optional = true, default-features = false, features = ["std"] }
rustls-native-certs = { version = "0.7.1", optional = true, default-features = false }

# ring has a higher chance of compiling cleanly without additional developer environment
rustls = { version = "0.23.11", optional = true, default-features = false, features = ["ring", "logging", "std", "tls12"] }

[build-dependencies]
26 changes: 17 additions & 9 deletions src/tls/rustls.rs
Expand Up @@ -7,7 +7,7 @@ use std::time::Duration;
use http::uri::Scheme;
use once_cell::sync::OnceCell;
use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::{ClientConfig, ClientConnection, RootCertStore, StreamOwned};
use rustls::{ClientConfig, ClientConnection, RootCertStore, StreamOwned, ALL_VERSIONS};
use rustls_pki_types::{
CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer, PrivatePkcs8KeyDer, PrivateSec1KeyDer,
ServerName,
Expand Down Expand Up @@ -77,19 +77,27 @@ impl Connector for RustlsConnector {
}

fn build_config(tls_config: &TlsConfig) -> Arc<ClientConfig> {
let root_certs = tls_config
.root_certs
.iter()
.map(|c| CertificateDer::from(c.der()));
let mut root_store = RootCertStore::empty();
root_store.add_parsable_certificates(root_certs);
// Improve chances of ureq working out-of-the-box by not requiring the user
// to select a default crypto provider.
let provider = Arc::new(rustls::crypto::ring::default_provider());

let builder = ClientConfig::builder_with_provider(provider)
.with_protocol_versions(ALL_VERSIONS)
.expect("all TLS versions");

let builder = if tls_config.disable_verification {
ClientConfig::builder()
builder
.dangerous()
.with_custom_certificate_verifier(Arc::new(DisabledVerifier))
} else {
ClientConfig::builder().with_root_certificates(root_store)
let root_certs = tls_config
.root_certs
.iter()
.map(|c| CertificateDer::from(c.der()));
let mut root_store = RootCertStore::empty();
root_store.add_parsable_certificates(root_certs);

builder.with_root_certificates(root_store)
};

let config = if let Some((certs, key)) = &tls_config.client_cert {
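Review bot: Hard-wiring `rustls::crypto::ring::default_provider()` at the top of `build_config` means any process-wide provider the embedding application installed through `CryptoProvider::install_default` (for example a FIPS-validated one) is silently ignored for ureq connections, and neither the new comment nor the function says so. A `///` doc on `build_config` should state that the ring provider is always used regardless of the installed default; alternatively honour an installed default and only fall back to ring, e.g. `let provider = rustls::crypto::CryptoProvider::get_default().cloned().unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider()));`. The `.expect("all TLS versions")` after `with_protocol_versions(ALL_VERSIONS)` is only safe because Cargo.toml enables both the `ring` and `tls12` features, so the message should name that invariant, e.g. `.expect("ring provider supports every version in ALL_VERSIONS")`. `build_config` continues past the end of the hunk.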
