diff --git a/Cargo.toml b/Cargo.toml index 91ab659..2ecd110 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,8 +9,8 @@ repository = "https://github.com/instant-labs/instant-epp" [features] default = ["rustls-aws-lc-rs"] -rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-native-certs"] -rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-native-certs"] +rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-platform-verifier"] +rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-platform-verifier"] __rustls = [] [dependencies] @@ -18,7 +18,7 @@ async-trait = "0.1.52" celes = "2.1" chrono = { version = "0.4.23", features = ["serde"] } instant-xml = { version = "0.5", features = ["chrono"] } -rustls-native-certs = { version = "0.8", optional = true } +rustls-platform-verifier = { version = "0.3", optional = true } serde = { version = "1.0", features = ["derive"] } tokio = { version = "1.0", features = ["io-util", "net", "time"] } tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["logging", "tls12"] } diff --git a/deny.toml b/deny.toml index 68bc2e1..97f22e4 100644 --- a/deny.toml +++ b/deny.toml @@ -4,6 +4,7 @@ allow = [ "BSD-3-Clause", "ISC", "MIT", + "MPL-2.0", "OpenSSL", "Unicode-DFS-2016", ] diff --git a/src/client.rs b/src/client.rs index 14ee530..3b94b9a 100644 --- a/src/client.rs +++ b/src/client.rs @@ -215,12 +215,12 @@ mod rustls_connector { use std::time::Duration; use async_trait::async_trait; - use rustls_native_certs::CertificateResult; + use rustls_platform_verifier::Verifier; use tokio::net::lookup_host; use tokio::net::TcpStream; use tokio_rustls::client::TlsStream; use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName}; - use tokio_rustls::rustls::{ClientConfig, RootCertStore}; + use tokio_rustls::rustls::ClientConfig; use tokio_rustls::TlsConnector; use tracing::info; @@ -238,19 +238,10 @@ mod rustls_connector { server: (String, u16), identity: Option<(Vec>, PrivateKeyDer<'static>)>, ) -> Result { - let mut roots = RootCertStore::empty(); - let CertificateResult { - certs, mut errors, .. - } = rustls_native_certs::load_native_certs(); - if let Some(err) = errors.pop() { - return Err(Error::Other(err.into())); - } + let builder = ClientConfig::builder() + .dangerous() + .with_custom_certificate_verifier(Arc::new(Verifier::new())); - for cert in certs { - roots.add(cert).map_err(|err| Error::Other(err.into()))?; - } - - let builder = ClientConfig::builder().with_root_certificates(roots); let config = match identity { Some((certs, key)) => builder .with_client_auth_cert(certs, key)