From 9e5b01e4f216f9ba6abdb662852866d99b06afa1 Mon Sep 17 00:00:00 2001 From: Benjamin Saunders Date: Thu, 4 Jan 2024 02:37:48 -0800 Subject: [PATCH] Replace rustls-native-certs with rustls-platform-verifier --- quinn-proto/Cargo.toml | 6 +++--- quinn-proto/src/config.rs | 28 +++++++++++----------------- quinn/Cargo.toml | 6 +++--- 3 files changed, 17 insertions(+), 23 deletions(-) diff --git a/quinn-proto/Cargo.toml b/quinn-proto/Cargo.toml index 3e9c59a8e..b0daf1e24 100644 --- a/quinn-proto/Cargo.toml +++ b/quinn-proto/Cargo.toml @@ -19,8 +19,8 @@ maintenance = { status = "experimental" } [features] default = ["tls-rustls", "log"] tls-rustls = ["rustls", "ring"] -# Provides `ClientConfig::with_native_roots()` convenience method -native-certs = ["rustls-native-certs"] +# Provides `ClientConfig::with_platform_verifier()` convenience method +platform-verifier = ["rustls-platform-verifier"] # Write logs via the `log` crate when no `tracing` subscriber exists log = ["tracing/log"] @@ -31,7 +31,7 @@ rustc-hash = "1.1" rand = "0.8" ring = { version = "0.16.7", optional = true } rustls = { version = "0.21.0", default-features = false, features = ["quic"], optional = true } -rustls-native-certs = { version = "0.6", optional = true } +rustls-platform-verifier = { version = "0.1.1", optional = true } slab = "0.4" thiserror = "1.0.21" tinyvec = { version = "1.1", features = ["alloc"] } diff --git a/quinn-proto/src/config.rs b/quinn-proto/src/config.rs index 538a97b0e..9194db374 100644 --- a/quinn-proto/src/config.rs +++ b/quinn-proto/src/config.rs @@ -908,23 +908,17 @@ impl ClientConfig { #[cfg(feature = "rustls")] impl ClientConfig { /// Create a client configuration that trusts the platform's native roots - #[cfg(feature = "native-certs")] - pub fn with_native_roots() -> Self { - let mut roots = rustls::RootCertStore::empty(); - match rustls_native_certs::load_native_certs() { - Ok(certs) => { - for cert in certs { - if let Err(e) = roots.add(&rustls::Certificate(cert.0)) { - tracing::warn!("failed to parse trust anchor: {}", e); - } - } - } - Err(e) => { - tracing::warn!("couldn't load any default trust roots: {}", e); - } - }; - - Self::with_root_certificates(roots) + #[cfg(feature = "platform-verifier")] + pub fn with_platform_verifier() -> Self { + let mut cfg = rustls::ClientConfig::builder() + .with_safe_default_cipher_suites() + .with_safe_default_kx_groups() + .with_protocol_versions(&[&rustls::version::TLS13]) + .unwrap() + .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new())) + .with_no_client_auth(); + cfg.enable_early_data = true; + Self::new(Arc::new(cfg)) } /// Create a client configuration that trusts specified trust anchors diff --git a/quinn/Cargo.toml b/quinn/Cargo.toml index 030c1de8f..77da91df7 100644 --- a/quinn/Cargo.toml +++ b/quinn/Cargo.toml @@ -15,11 +15,11 @@ rust-version = "1.65" all-features = true [features] -default = ["native-certs", "tls-rustls", "runtime-tokio", "log"] +default = ["platform-verifier", "tls-rustls", "runtime-tokio", "log"] # Records how long locks are held, and warns if they are held >= 1ms lock_tracking = [] -# Provides `ClientConfig::with_native_roots()` convenience method -native-certs = ["proto/native-certs"] +# Provides `ClientConfig::with_platform_verifier()` convenience method +platform-verifier = ["proto/platform-verifier"] tls-rustls = ["rustls", "proto/tls-rustls", "ring"] # Enables `Endpoint::client` and `Endpoint::server` conveniences ring = ["proto/ring"]