Upgrade to rustls 0.20

This commit is contained in:
Dirkjan Ochtman 2021-10-28 17:04:00 +02:00 committed by masalachai
parent d06d404c12
commit 8c01d983fa
2 changed files with 23 additions and 14 deletions

View File

@ -19,13 +19,12 @@ env_logger = "0.9"
log = "0.4" log = "0.4"
lazy_static = "1.4" lazy_static = "1.4"
quick-xml = { version = "0.22", features = [ "serialize" ] } quick-xml = { version = "0.22", features = [ "serialize" ] }
rustls = "0.19" rustls = "0.20"
rustls-pemfile = "0.2" rustls-pemfile = "0.2"
serde = { version = "1.0", features = ["derive"] } serde = { version = "1.0", features = ["derive"] }
tokio = { version = "1.0", features = [ "full" ] } tokio = { version = "1.0", features = [ "full" ] }
tokio-rustls = "0.22" tokio-rustls = "0.23"
webpki = "0.22" webpki-roots = "0.22.1"
webpki-roots = "0.21"
[dev-dependencies] [dev-dependencies]
tokio-test = "0.4" tokio-test = "0.4"

View File

@ -6,8 +6,9 @@ use bytes::BytesMut;
use std::convert::TryInto; use std::convert::TryInto;
use futures::executor::block_on; use futures::executor::block_on;
use std::{error::Error, net::ToSocketAddrs, io as stdio}; use std::{error::Error, net::ToSocketAddrs, io as stdio};
use tokio_rustls::{TlsConnector, rustls::ClientConfig, webpki::DNSNameRef, client::TlsStream}; use tokio_rustls::{TlsConnector, rustls::ClientConfig, client::TlsStream};
use tokio::{net::TcpStream, io::AsyncWriteExt, io::AsyncReadExt, io::split, io::ReadHalf, io::WriteHalf}; use tokio::{net::TcpStream, io::AsyncWriteExt, io::AsyncReadExt, io::split, io::ReadHalf, io::WriteHalf};
use rustls::{RootCertStore, OwnedTrustAnchor};
use crate::config::{EppClientConnection}; use crate::config::{EppClientConnection};
use crate::error; use crate::error;
@ -151,22 +152,31 @@ pub async fn epp_connect(registry_creds: &EppClientConnection) -> Result<Connect
.next() .next()
.ok_or_else(|| stdio::ErrorKind::NotFound)?; .ok_or_else(|| stdio::ErrorKind::NotFound)?;
let mut config = ClientConfig::new(); let mut roots = RootCertStore::empty();
roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}));
config let builder = ClientConfig::builder()
.root_store .with_safe_defaults()
.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS); .with_root_certificates(roots);
if let Some(tls) = registry_creds.tls_files() { let config = match registry_creds.tls_files() {
if let Err(e) = config.set_single_client_cert(tls.0, tls.1) { Some((cert_chain, key)) => match builder.with_single_cert(cert_chain, key) {
return Err(format!("Failed to set client TLS credentials: {}", e).into()) Ok(config) => config,
Err(e) => return Err(format!("Failed to set client TLS credentials: {}", e).into()),
} }
} None => builder.with_no_client_auth(),
};
let connector = TlsConnector::from(Arc::new(config)); let connector = TlsConnector::from(Arc::new(config));
let stream = TcpStream::connect(&addr).await?; let stream = TcpStream::connect(&addr).await?;
let domain = DNSNameRef::try_from_ascii_str(&host) let domain = host.as_str().try_into()
.map_err(|_| stdio::Error::new(stdio::ErrorKind::InvalidInput, format!("Invalid domain: {}", host)))?; .map_err(|_| stdio::Error::new(stdio::ErrorKind::InvalidInput, format!("Invalid domain: {}", host)))?;
let stream = connector.connect(domain, stream).await?; let stream = connector.connect(domain, stream).await?;