diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f94b76..5f93999 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -83,7 +83,7 @@ jobs:
       - name: Install rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: "1.63"
+          toolchain: "1.64"
       - name: Check MSRV
         run: cargo check --lib --all-features
diff --git a/Cargo.toml b/Cargo.toml
index c908326..0bd3cf5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -2,7 +2,7 @@
 name = "hyper-rustls"
 version = "0.26.0"
 edition = "2021"
-rust-version = "1.63"
+rust-version = "1.64"
 license = "Apache-2.0 OR ISC OR MIT"
 readme = "README.md"
 description = "Rustls+hyper integration for pure rust HTTPS"
@@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
 rustls-native-certs = { version = "0.7", optional = true }
+rustls-platform-verifier = { version = "0.2", optional = true }
 rustls = { version = "0.22", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "0.25", default-features = false }
diff --git a/src/config.rs b/src/config.rs
index a512433..2af49c7 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,4 +1,11 @@
-#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
+#[cfg(feature = "rustls-platform-verifier")]
+use std::sync::Arc;
+
+#[cfg(any(
+    feature = "rustls-platform-verifier",
+    feature = "rustls-native-certs",
+    feature = "webpki-roots"
+))]
 use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
@@ -7,6 +14,14 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 /// This adds methods (gated by crate features) for easily configuring
 /// TLS server roots a rustls ClientConfig will trust.
 pub trait ConfigBuilderExt {
+    /// Use the platform's native verifier to verify server certificates.
+    ///
+    /// See the documentation for [rustls-platform-verifier] for more details.
+    ///
+    /// [rustls-platform-verifier]: https://docs.rs/rustls-platform-verifier
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder;
+
     /// This configures the platform's trusted certs, as implemented by
     /// rustls-native-certs
     ///
@@ -22,6 +37,14 @@ pub trait ConfigBuilderExt {
 }
 
 impl ConfigBuilderExt for ConfigBuilder {
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder {
+        self.dangerous()
+            .with_custom_certificate_verifier(Arc::new(
+                rustls_platform_verifier::Verifier::default(),
+            ))
+    }
+
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
     fn with_native_roots(self) -> std::io::Result> {
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index 45a3daa..3e1abda 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -51,6 +63,18 @@ impl ConnectorBuilder {
         ConnectorBuilder(WantsSchemes { tls_config: config })
     }
 
+    /// Use rustls' default crypto provider and other defaults, and the platform verifier
+    ///
+    /// See [`ConfigBuilderExt::with_platform_verifier()`].
+    #[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
+    pub fn with_platform_verifier(self) -> ConnectorBuilder {
+        self.with_tls_config(
+            ClientConfig::builder()
+                .with_platform_verifier()
+                .with_no_client_auth(),
+        )
+    }
+
     /// Shorthand for using rustls' default crypto provider and safe defaults, with
     /// native roots.
     ///
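Review bot: The doc comment on the new `with_platform_verifier` trait method does not tell callers how its trust decisions differ from the sibling `with_native_roots`/`with_webpki_roots` methods, which is the thing a user choosing between them needs to know. The roots-based methods build a rustls verifier over a fixed root set, whereas this one hands certificate validation to the operating system's verifier, so the OS trust store and whatever policy it applies decide the outcome and behaviour can differ from platform to platform. I would add after the first line: `/// Unlike the root-based methods below, validation is delegated to the operating system's verifier, so its trust store and policy apply and results may vary by platform; check the rustls-platform-verifier docs for per-platform requirements (for example any runtime initialisation it needs).` The `ConfigBuilderExt` trait body continues past the end of this hunk.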
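Review bot: The new impl installs the verifier through `self.dangerous().with_custom_certificate_verifier(...)` with no comment, and `dangerous()` is the name a security reviewer greps for when auditing TLS configuration. Since rustls offers no other entry point for a custom `ServerCertVerifier`, this is the correct call, but the intent should be stated so the next reader does not mistake it for disabled verification; I would put `// dangerous() is rustls' only hook for a custom ServerCertVerifier; this does not weaken verification, it delegates it to the platform's verifier.` above the call. It would also be worth a short note on why `Verifier::default()` is the right constructor here (which roots/provider it ends up with is not visible from this hunk), so that a future switch to a configured `Verifier` is a deliberate choice. The signature of `with_native_roots` is visible at the end of the hunk but its body runs past it.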
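Review bot: The doc summary of the new `ConnectorBuilder::with_platform_verifier` shorthand is worded differently from the adjacent native-roots shorthand ("Shorthand for using rustls' default crypto provider and safe defaults, with native roots.") and is missing its terminal period, which makes the rustdoc item list read inconsistently. I would change the first line to `/// Shorthand for using rustls' default crypto provider and safe defaults, with the platform verifier.`. It is also worth noting in the doc that, unlike the native-roots path (whose `with_native_roots` returns `std::io::Result` in the config.rs hunk above), this shorthand is infallible because no root loading happens at this point — if that reading is right, say so, since callers will notice the asymmetry. The enclosing `impl ConnectorBuilder` block begins and ends outside this hunk.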