Replace rustls-native-certs with rustls-platform-verifier

quinn-rs · Jan 4, 2024 · acca7f7 · acca7f7
1 parent 55234e1
commit acca7f7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 23 deletions.
diff --git a/quinn-proto/Cargo.toml b/quinn-proto/Cargo.toml
@@ -19,8 +19,8 @@ maintenance = { status = "experimental" }
 [features]
 default = ["tls-rustls", "log"]
 tls-rustls = ["rustls", "ring"]
-# Provides `ClientConfig::with_native_roots()` convenience method
-native-certs = ["rustls-native-certs"]
+# Provides `ClientConfig::with_platform_verifier()` convenience method
+platform-verifier = ["rustls-platform-verifier"]
 # Write logs via the `log` crate when no `tracing` subscriber exists
 log = ["tracing/log"]
 
@@ -31,7 +31,7 @@ rustc-hash = "1.1"
 rand = "0.8"
 ring = { version = "0.16.7", optional = true }
 rustls = { version = "0.21.0", default-features = false, features = ["quic"], optional = true }
-rustls-native-certs = { version = "0.6", optional = true }
+rustls-platform-verifier = { version = "0.1", optional = true }
 slab = "0.4"
 thiserror = "1.0.21"
 tinyvec = { version = "1.1", features = ["alloc"] }

diff --git a/quinn-proto/src/config.rs b/quinn-proto/src/config.rs
@@ -908,23 +908,17 @@ impl ClientConfig {
 #[cfg(feature = "rustls")]
 impl ClientConfig {
     /// Create a client configuration that trusts the platform's native roots
-    #[cfg(feature = "native-certs")]
-    pub fn with_native_roots() -> Self {
-        let mut roots = rustls::RootCertStore::empty();
-        match rustls_native_certs::load_native_certs() {
-            Ok(certs) => {
-                for cert in certs {
-                    if let Err(e) = roots.add(&rustls::Certificate(cert.0)) {
-                        tracing::warn!("failed to parse trust anchor: {}", e);
-                    }
-                }
-            }
-            Err(e) => {
-                tracing::warn!("couldn't load any default trust roots: {}", e);
-            }
-        };
-
-        Self::with_root_certificates(roots)
+    #[cfg(feature = "platform-verifier")]
+    pub fn with_platform_verifier() -> Self {
+        let mut cfg = rustls::ClientConfig::builder()
+            .with_safe_default_cipher_suites()
+            .with_safe_default_kx_groups()
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
+            .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
+            .with_no_client_auth();
+        cfg.enable_early_data = true;
+        Self::new(Arc::new(cfg))
     }
 
     /// Create a client configuration that trusts specified trust anchors

diff --git a/quinn/Cargo.toml b/quinn/Cargo.toml
@@ -15,11 +15,11 @@ rust-version = "1.65"
 all-features = true
 
 [features]
-default = ["native-certs", "tls-rustls", "runtime-tokio", "log"]
+default = ["platform-verifier", "tls-rustls", "runtime-tokio", "log"]
 # Records how long locks are held, and warns if they are held >= 1ms
 lock_tracking = []
-# Provides `ClientConfig::with_native_roots()` convenience method
-native-certs = ["proto/native-certs"]
+# Provides `ClientConfig::with_platform_verifier()` convenience method
+platform-verifier = ["proto/platform-verifier"]
 tls-rustls = ["rustls", "proto/tls-rustls", "ring"]
 # Enables `Endpoint::client` and `Endpoint::server` conveniences
 ring = ["proto/ring"]