chore: Bump rustls to 0.20.0 (#2416)

Co-authored-by: Kirill Mironov <vetrokm@gmail.com>
2025-06-26 15:07:42 +02:00 · 2021-10-20 02:00:11 +01:00
parent 591abc37c3
commit 4f6f0b0137
15 changed files with 162 additions and 73 deletions
--- a/awc/tests/test_rustls_client.rs
+++ b/awc/tests/test_rustls_client.rs
@ -8,6 +8,7 @@ use std::{
        atomic::{AtomicUsize, Ordering},
        Arc,
    },
+    time::SystemTime,
 };

 use actix_http::HttpService;
@ -15,37 +16,52 @@ use actix_http_test::test_server;
 use actix_service::{fn_service, map_config, ServiceFactoryExt};
 use actix_utils::future::ok;
 use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse};
-use rustls::internal::pemfile::{certs, pkcs8_private_keys};
-use rustls::{ClientConfig, NoClientAuth, ServerConfig};
+use rustls::{
+    client::{ServerCertVerified, ServerCertVerifier},
+    Certificate, ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerConfig,
+    ServerName,
+};
+use rustls_pemfile::{certs, pkcs8_private_keys};
+use webpki_roots::TLS_SERVER_ROOTS;

 fn tls_config() -> ServerConfig {
    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
    let cert_file = cert.serialize_pem().unwrap();
    let key_file = cert.serialize_private_key_pem();

-    let mut config = ServerConfig::new(NoClientAuth::new());
    let cert_file = &mut BufReader::new(cert_file.as_bytes());
    let key_file = &mut BufReader::new(key_file.as_bytes());

-    let cert_chain = certs(cert_file).unwrap();
+    let cert_chain = certs(cert_file)
+        .unwrap()
+        .into_iter()
+        .map(Certificate)
+        .collect();
    let mut keys = pkcs8_private_keys(key_file).unwrap();
-    config.set_single_cert(cert_chain, keys.remove(0)).unwrap();

-    config
+    ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, PrivateKey(keys.remove(0)))
+        .unwrap()
 }

 mod danger {
+    use super::*;
+
    pub struct NoCertificateVerification;

-    impl rustls::ServerCertVerifier for NoCertificateVerification {
+    impl ServerCertVerifier for NoCertificateVerification {
        fn verify_server_cert(
            &self,
-            _roots: &rustls::RootCertStore,
-            _presented_certs: &[rustls::Certificate],
-            _dns_name: webpki::DNSNameRef<'_>,
-            _ocsp: &[u8],
-        ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-            Ok(rustls::ServerCertVerified::assertion())
+            _end_entity: &Certificate,
+            _intermediates: &[Certificate],
+            _server_name: &ServerName,
+            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _ocsp_response: &[u8],
+            _now: SystemTime,
+        ) -> Result<ServerCertVerified, rustls::Error> {
+            Ok(ServerCertVerified::assertion())
        }
    }
 }
@ -73,10 +89,26 @@ async fn test_connection_reuse_h2() {
    })
    .await;

-    // disable TLS verification
-    let mut config = ClientConfig::new();
+    let mut root_certs = RootCertStore::empty();
+    for cert in TLS_SERVER_ROOTS.0 {
+        let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
+            cert.subject,
+            cert.spki,
+            cert.name_constraints,
+        );
+        let certs = vec![cert].into_iter();
+        root_certs.add_server_trust_anchors(certs);
+    }
+
+    let mut config = ClientConfig::builder()
+        .with_safe_defaults()
+        .with_root_certificates(root_certs)
+        .with_no_client_auth();
+
    let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    config.set_protocols(&protos);
+    config.alpn_protocols = protos;
+
+    // disable TLS verification
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(danger::NoCertificateVerification));