Update to take advantage of rustls 0.21.1

g2p · djc · commit 129b0a09b1d3 · 2021-11-15T10:45:20.000+01:00
The extensions to rustls::ClientConfig in ClientConfigExt
that set root certificates now do just that, they don't go on to
configure / disable client auth.

The builder traits are unchanged, they set convenient defaults
(no client auth) but allow passing a custom rustls::ClientConfig.
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,7 +14,7 @@ http = "0.2"
 hyper = { version = "0.14", default-features = false, features = ["client"] }
 log = { version = "0.4.4", optional = true }
 rustls-native-certs = { version = "0.6", optional = true }
-rustls = { version = "0.20", default-features = false }
+rustls = { version = "0.20.1", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "0.23", default-features = false }
 webpki-roots = { version = "0.22", optional = true }
@@ -23,7 +23,7 @@ webpki-roots = { version = "0.22", optional = true }
 async-stream = "0.3.0"
 futures-util = { version = "0.3.1", default-features = false }
 hyper = { version = "0.14", features = ["full"] }
-rustls = { version = "0.20", default-features = false, features = ["tls12"] }
+rustls = { version = "0.20.1", default-features = false, features = ["tls12"] }
 rustls-pemfile = "0.2.1"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 
diff --git a/examples/client.rs b/examples/client.rs
@@ -60,7 +60,8 @@ async fn run_client() -> io::Result<()> {
         // Default TLS client config with native roots
         None => rustls::ClientConfig::builder()
             .with_safe_defaults()
-            .with_native_roots(),
+            .with_native_roots()
+            .with_no_client_auth(),
     };
     // Prepare the HTTPS connector
     let https = hyper_rustls::HttpsConnectorBuilder::new()
diff --git a/src/config.rs b/src/config.rs
@@ -1,3 +1,4 @@
+use rustls::client::WantsTransparencyPolicyOrClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 
 /// Methods for configuring roots
@@ -9,20 +10,20 @@ pub trait ConfigBuilderExt {
     /// rustls-native-certs
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
-    fn with_native_roots(self) -> ClientConfig;
+    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>;
 
     /// This configures the webpki roots, which are Mozilla's set of
     /// trusted roots as packaged by webpki-roots.
     #[cfg(feature = "webpki-roots")]
     #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
-    fn with_webpki_roots(self) -> ClientConfig;
+    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>;
 }
 
 impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
-    fn with_native_roots(self) -> ClientConfig {
+    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
         let mut roots = rustls::RootCertStore::empty();
         let mut valid_count = 0;
         let mut invalid_count = 0;
@@ -41,16 +42,17 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
         }
         crate::log::debug!(
             "with_native_roots processed {} valid and {} invalid certs",
-            valid_count, invalid_count
+            valid_count,
+            invalid_count
         );
         assert!(!roots.is_empty(), "no CA certificates found");
 
-        self.with_root_certificates(roots).with_no_client_auth()
+        self.with_root_certificates(roots)
     }
 
     #[cfg(feature = "webpki-roots")]
     #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
-    fn with_webpki_roots(self) -> ClientConfig {
+    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
         let mut roots = rustls::RootCertStore::empty();
         roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
             rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
@@ -59,6 +61,6 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
                 ta.name_constraints,
             )
         }));
-        self.with_root_certificates(roots).with_no_client_auth()
+        self.with_root_certificates(roots)
     }
 }
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
@@ -58,7 +58,8 @@ impl ConnectorBuilder<WantsTlsConfig> {
         self.with_tls_config(
             ClientConfig::builder()
                 .with_safe_defaults()
-                .with_native_roots(),
+                .with_native_roots()
+                .with_no_client_auth(),
         )
     }
 
@@ -74,7 +75,8 @@ impl ConnectorBuilder<WantsTlsConfig> {
         self.with_tls_config(
             ClientConfig::builder()
                 .with_safe_defaults()
-                .with_webpki_roots(),
+                .with_webpki_roots()
+                .with_no_client_auth(),
         )
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,8 @@ impl ConnectorBuilder<WantsTlsConfig> {`
`58`	`58`	`self.with_tls_config(`
`59`	`59`	`ClientConfig::builder()`
`60`	`60`	`.with_safe_defaults()`
`61`		`- .with_native_roots(),`
	`61`	`+ .with_native_roots()`
	`62`	`+ .with_no_client_auth(),`
`62`	`63`	`)`
`63`	`64`	`}`
`64`	`65`
`@@ -74,7 +75,8 @@ impl ConnectorBuilder<WantsTlsConfig> {`
`74`	`75`	`self.with_tls_config(`
`75`	`76`	`ClientConfig::builder()`
`76`	`77`	`.with_safe_defaults()`
`77`		`- .with_webpki_roots(),`
	`78`	`+ .with_webpki_roots()`
	`79`	`+ .with_no_client_auth(),`
`78`	`80`	`)`
`79`	`81`	`}`
`80`	`82`	`}`