diff --git a/Cargo.toml b/Cargo.toml
index c908326..33f06f4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
 rustls-native-certs = { version = "0.7", optional = true }
+rustls-platform-verifier = { version = "0.2", optional = true }
 rustls = { version = "0.22", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "0.25", default-features = false }
diff --git a/src/config.rs b/src/config.rs
index a512433..886e65f 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,4 +1,11 @@
-#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
+#[cfg(feature = "rustls-platform-verifier")]
+use std::sync::Arc;
+
+#[cfg(any(
+ feature = "rustls-platform-verifier",
+ feature = "rustls-native-certs",
+ feature = "webpki-roots"
+))]
 use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
@@ -7,6 +14,10 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 /// This adds methods (gated by crate features) for easily configuring
 /// TLS server roots a rustls ClientConfig will trust.
 pub trait ConfigBuilderExt {
+ /// Use the platform's native verifier to verify server certificates.
+ #[cfg(feature = "rustls-platform-verifier")]
+ fn with_platform_verifier(self) -> ConfigBuilder;
+
 /// This configures the platform's trusted certs, as implemented by
 /// rustls-native-certs
 ///
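Review bot: The new optional dependency adds no `[features]` entry, so the `#[cfg(feature = "rustls-platform-verifier")]` gates in src/config.rs and src/connector/builder.rs depend on Cargo's implicit feature for the optional dependency. The crate's `[features]` table is outside this hunk; if it declares its other optional dependencies explicitly, a matching `rustls-platform-verifier = ["dep:rustls-platform-verifier"]` entry would keep the feature set consistent and give the feature a place to be documented. Since enabling it swaps the component that makes the TLS trust decision, it is worth listing next to `rustls-native-certs` and `webpki-roots` in the crate's feature documentation with a sentence on how it differs.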
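Review bot: The one-line doc on the new trait method `with_platform_verifier` says only that the platform's native verifier is used, which does not tell a caller how this differs from `with_native_roots` declared right below it; the trait header describes these methods as configuring "TLS server roots", but this method loads no roots into rustls and instead hands the verification decision to the `rustls-platform-verifier` crate, as the impl in the next hunk shows. I would extend the doc to ``/// Unlike [`Self::with_native_roots`], this loads no root certificates into rustls;`` ``/// certificate verification is delegated to the operating system's verifier via the`` ``/// rustls-platform-verifier crate, so trust decisions follow the platform's policy.`` The `ConfigBuilderExt` trait body continues past the end of this hunk.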
@@ -22,6 +33,14 @@ pub trait ConfigBuilderExt {
 }
 impl ConfigBuilderExt for ConfigBuilder {
+ #[cfg(feature = "rustls-platform-verifier")]
+ fn with_platform_verifier(self) -> ConfigBuilder {
+ self.dangerous()
+ .with_custom_certificate_verifier(Arc::new(
+ rustls_platform_verifier::Verifier::default(),
+ ))
+ }
+
 #[cfg(feature = "rustls-native-certs")]
 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
 fn with_native_roots(self) -> std::io::Result> {
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index 45a3daa..6144261 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -51,6 +51,18 @@ impl ConnectorBuilder {
 ConnectorBuilder(WantsSchemes { tls_config: config })
 }
+ /// Use rustls' default crypto provider and other defaults, and the platform verifier
+ ///
+ /// See [`ConfigBuilderExt::with_platform_verifier()'].
+ #[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
+ pub fn with_platform_verifier(self) -> ConnectorBuilder {
+ self.with_tls_config(
+ ClientConfig::builder()
+ .with_platform_verifier()
+ .with_no_client_auth(),
+ )
+ }
+
 /// Shorthand for using rustls' default crypto provider and safe defaults, with
 /// native roots.
 ///
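Review bot: The `self.dangerous()` call in the new `with_platform_verifier` body has no comment explaining why it is acceptable, and `dangerous()` is exactly where an audit of this crate's TLS configuration will stop. In rustls it is the only route to install a custom `ServerCertVerifier`, so here it is an API gate rather than a weakening of verification; I would add `// dangerous() is rustls' gate for installing any custom ServerCertVerifier; it does not` `// disable verification — rustls-platform-verifier still validates the chain via the OS.` above the call. It is also worth confirming whether `Verifier::default()` needs any platform-specific initialisation on the targets this crate supports and, if so, documenting that on the trait method. The `impl ConfigBuilderExt for ConfigBuilder` block continues outside the hunk.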
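Review bot: The intra-doc link on the new `ConnectorBuilder::with_platform_verifier` is malformed: the reference opens with a backtick and closes with an apostrophe (`'`), so rustdoc cannot resolve it and a build with `-D rustdoc::broken_intra_doc_links` will fail. Change the line to ``/// See [`ConfigBuilderExt::with_platform_verifier()`].`` While there, the first doc line could end in a period and mirror the sibling method's wording, e.g. `/// Shorthand for using rustls' default crypto provider and safe defaults, with the platform verifier.` The `impl ConnectorBuilder` block continues outside the hunk.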