chore: Bump rustls to 0.20.0 (#2416)

Co-authored-by: Kirill Mironov <vetrokm@gmail.com>

awc/CHANGES.md

@@ -1,6 +1,9 @@
 # Changes
 
 ## Unreleased - 2021-xx-xx
+* Updated rustls to v0.20. [#2414]
+
+[#2414]: https://github.com/actix/actix-web/pull/2414
 
 
 ## 3.0.0-beta.8 - 2021-09-09

awc/Cargo.toml

@@ -73,8 +73,8 @@ rand = "0.8"
 serde = "1.0"
 serde_json = "1.0"
 serde_urlencoded = "0.7"
-tls-openssl = { version = "0.10.9", package = "openssl", optional = true }
-tls-rustls = { version = "0.19.0", package = "rustls", optional = true, features = ["dangerous_configuration"] }
+tls-openssl = { package = "openssl", version = "0.10.9", optional = true }
+tls-rustls = { package = "rustls", version = "0.20.0", optional = true, features = ["dangerous_configuration"] }
 
 [dev-dependencies]
 actix-web = { version = "4.0.0-beta.9", features = ["openssl"] }
@@ -82,7 +82,7 @@ actix-http = { version = "3.0.0-beta.10", features = ["openssl"] }
 actix-http-test = { version = "3.0.0-beta.5", features = ["openssl"] }
 actix-utils = "3.0.0"
 actix-server = "2.0.0-beta.3"
-actix-tls = { version = "3.0.0-beta.5", features = ["openssl", "rustls"] }
+actix-tls = { version = "3.0.0-beta.6", features = ["openssl", "rustls"] }
 actix-test = { version = "0.1.0-beta.3", features = ["openssl", "rustls"] }
 
 brotli2 = "0.3.2"
@@ -90,7 +90,9 @@ env_logger = "0.8"
 flate2 = "1.0.13"
 futures-util = { version = "0.3.7", default-features = false }
 rcgen = "0.8"
-webpki = "0.21"
+rustls-pemfile = "0.2"
+webpki = "0.22"
+webpki-roots = "0.22"
 
 [[example]]
 name = "client"

awc/tests/test_rustls_client.rs

@@ -8,6 +8,7 @@ use std::{
         atomic::{AtomicUsize, Ordering},
         Arc,
     },
+    time::SystemTime,
 };
 
 use actix_http::HttpService;
@@ -15,37 +16,52 @@ use actix_http_test::test_server;
 use actix_service::{fn_service, map_config, ServiceFactoryExt};
 use actix_utils::future::ok;
 use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse};
-use rustls::internal::pemfile::{certs, pkcs8_private_keys};
-use rustls::{ClientConfig, NoClientAuth, ServerConfig};
+use rustls::{
+    client::{ServerCertVerified, ServerCertVerifier},
+    Certificate, ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerConfig,
+    ServerName,
+};
+use rustls_pemfile::{certs, pkcs8_private_keys};
+use webpki_roots::TLS_SERVER_ROOTS;
 
 fn tls_config() -> ServerConfig {
     let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
     let cert_file = cert.serialize_pem().unwrap();
     let key_file = cert.serialize_private_key_pem();
 
-    let mut config = ServerConfig::new(NoClientAuth::new());
     let cert_file = &mut BufReader::new(cert_file.as_bytes());
     let key_file = &mut BufReader::new(key_file.as_bytes());
 
-    let cert_chain = certs(cert_file).unwrap();
+    let cert_chain = certs(cert_file)
+        .unwrap()
+        .into_iter()
+        .map(Certificate)
+        .collect();
     let mut keys = pkcs8_private_keys(key_file).unwrap();
-    config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
 
-    config
+    ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, PrivateKey(keys.remove(0)))
+        .unwrap()
 }
 
 mod danger {
+    use super::*;
+
     pub struct NoCertificateVerification;
 
-    impl rustls::ServerCertVerifier for NoCertificateVerification {
+    impl ServerCertVerifier for NoCertificateVerification {
         fn verify_server_cert(
             &self,
-            _roots: &rustls::RootCertStore,
-            _presented_certs: &[rustls::Certificate],
-            _dns_name: webpki::DNSNameRef<'_>,
-            _ocsp: &[u8],
-        ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-            Ok(rustls::ServerCertVerified::assertion())
+            _end_entity: &Certificate,
+            _intermediates: &[Certificate],
+            _server_name: &ServerName,
+            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _ocsp_response: &[u8],
+            _now: SystemTime,
+        ) -> Result<ServerCertVerified, rustls::Error> {
+            Ok(ServerCertVerified::assertion())
         }
     }
 }
@@ -73,10 +89,26 @@ async fn test_connection_reuse_h2() {
     })
     .await;
 
-    // disable TLS verification
-    let mut config = ClientConfig::new();
+    let mut root_certs = RootCertStore::empty();
+    for cert in TLS_SERVER_ROOTS.0 {
+        let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
+            cert.subject,
+            cert.spki,
+            cert.name_constraints,
+        );
+        let certs = vec![cert].into_iter();
+        root_certs.add_server_trust_anchors(certs);
+    }
+
+    let mut config = ClientConfig::builder()
+        .with_safe_defaults()
+        .with_root_certificates(root_certs)
+        .with_no_client_auth();
+
     let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    config.set_protocols(&protos);
+    config.alpn_protocols = protos;
+
+    // disable TLS verification
     config
         .dangerous()
         .set_certificate_verifier(Arc::new(danger::NoCertificateVerification));