Managed to update rustls to version 0.21

2024-01-17 19:52:28 +01:00
parent 5609708848
commit e534deefae
5 changed files with 41 additions and 48 deletions
--- a/src/tcp_relay_client/relay_client.rs
+++ b/src/tcp_relay_client/relay_client.rs
@ -1,7 +1,6 @@
 use std::sync::Arc;

 use futures::{SinkExt, StreamExt};
-use hyper_rustls::ConfigBuilderExt;
 use rustls::RootCertStore;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
@ -42,7 +41,17 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
        let config = rustls::ClientConfig::builder().with_safe_defaults();

        let config = match conf.get_root_certificate() {
-            None => config.with_native_roots(),
+            None => {
+                // Perform a connection over TLS
+                let mut roots = RootCertStore::empty();
+                for cert in rustls_native_certs::load_native_certs()
+                    .expect("Failed to load native certificates")
+                {
+                    roots.add(&rustls::Certificate(cert.0)).unwrap();
+                }
+
+                config.with_root_certificates(roots)
+            }
            Some(cert) => {
                log::debug!("Using custom root certificates");
                let mut store = RootCertStore::empty();
@ -72,7 +81,7 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
        let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));

        let (ws_stream, _) =
-            tokio_tungstenite::connect_async_tls_with_config(ws_url, None, Some(connector))
+            tokio_tungstenite::connect_async_tls_with_config(ws_url, None, false, Some(connector))
                .await
                .expect("Failed to connect to server relay!");

--- a/src/tcp_relay_server/mod.rs
+++ b/src/tcp_relay_server/mod.rs
@ -121,7 +121,7 @@ pub async fn run_app(mut config: ServerConfig) -> std::io::Result<()> {
    });

    if let Some(tls_conf) = tls_config {
-        server.bind_rustls(&args.listen_address, tls_conf)?
+        server.bind_rustls_021(&args.listen_address, tls_conf)?
    } else {
        server.bind(&args.listen_address)?
    }
--- a/src/tcp_relay_server/tls_cert_client_verifier.rs
+++ b/src/tcp_relay_server/tls_cert_client_verifier.rs
@ -1,9 +1,8 @@
 use std::sync::Arc;
 use std::time::SystemTime;

-use rustls::internal::msgs::enums::AlertDescription;
 use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier};
-use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
+use rustls::{AlertDescription, Certificate, DistinguishedName, Error, RootCertStore};
 use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate};

 use crate::base::cert_utils::parse_pem_certificates;
@ -61,7 +60,7 @@ impl CustomCertClientVerifier {
        };

        Ok(Self {
-            upstream_cert_verifier: Box::new(AllowAnyAuthenticatedClient::new(store)),
+            upstream_cert_verifier: Box::new(Arc::new(AllowAnyAuthenticatedClient::new(store))),
            crl,
        })
    }
@ -72,12 +71,12 @@ impl ClientCertVerifier for CustomCertClientVerifier {
        true
    }

-    fn client_auth_mandatory(&self) -> Option<bool> {
-        Some(true)
+    fn client_auth_mandatory(&self) -> bool {
+        true
    }

-    fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
-        Some(vec![])
+    fn client_auth_root_subjects(&self) -> &[DistinguishedName] {
+        &[]
    }

    fn verify_client_cert(