berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

awc: add rustls 0.23 support 

This also fixes certificate lookup when native-roots is enabled for rustls 0.22.
This commit is contained in:
asonix 2024-05-12 17:33:31 -05:00
parent 50aa448fd7
commit 22f44148ca
2 changed files with 89 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
awc/Cargo.toml
View File

@ -27,6 +27,7 @@ features = [
"rustls-0_20",
"rustls-0_21",
"rustls-0_22-webpki-roots",
"rustls-0_23-webpki-roots",
"compress-brotli",
"compress-gzip",
"compress-zstd",
@ -48,6 +49,10 @@ rustls-0_21 = ["tls-rustls-0_21", "actix-tls/rustls-0_21"]
rustls-0_22-webpki-roots = ["tls-rustls-0_22", "actix-tls/rustls-0_22-webpki-roots"]
# TLS via Rustls v0.22 (Native roots)
rustls-0_22-native-roots = ["tls-rustls-0_22", "actix-tls/rustls-0_22-native-roots"]
# TLS via Rustls v0.22 (WebPKI roots)
rustls-0_23-webpki-roots = ["tls-rustls-0_23", "actix-tls/rustls-0_23-webpki-roots"]
# TLS via Rustls v0.22 (Native roots)
rustls-0_23-native-roots = ["tls-rustls-0_23", "actix-tls/rustls-0_23-native-roots"]
# Brotli algorithm content-encoding support
compress-brotli = ["actix-http/compress-brotli", "__compress"]
@ -104,6 +109,7 @@ tls-openssl = { package = "openssl", version = "0.10.55", optional = true }
tls-rustls-0_20 = { package = "rustls", version = "0.20", optional = true, features = ["dangerous_configuration"] }
tls-rustls-0_21 = { package = "rustls", version = "0.21", optional = true, features = ["dangerous_configuration"] }
tls-rustls-0_22 = { package = "rustls", version = "0.22", optional = true }
tls-rustls-0_23 = { package = "rustls", version = "0.23", optional = true, default-features = false }
trust-dns-resolver = { version = "0.23", optional = true }

87
awc/src/client/connector.rs
View File

@ -57,6 +57,13 @@ enum OurTlsConnector {
))]
#[allow(dead_code)] // false positive; used in build_tls
Rustls022(std::sync::Arc<actix_tls::connect::rustls_0_22::reexports::ClientConfig>),
#[cfg(any(
feature = "rustls-0_23-webpki-roots",
feature = "rustls-0_23-native-roots",
))]
#[allow(dead_code)] // false positive; used in build_tls
Rustls023(std::sync::Arc<actix_tls::connect::rustls_0_23::reexports::ClientConfig>),
}
/// Manages HTTP client network connectivity.
@ -96,10 +103,32 @@ impl Connector<()> {
}
cfg_if::cfg_if! {
if #[cfg(any(feature = "rustls-0_22-webpki-roots", feature = "rustls-0_22-webpki-roots"))] {
/// Build TLS connector with Rustls v0.22, based on supplied ALPN protocols.
if #[cfg(any(feature = "rustls-0_23-webpki-roots", feature = "rustls-0_23-native-roots"))] {
/// Build TLS connector with Rustls v0.23, based on supplied ALPN protocols.
///
/// Note that if other TLS crate features are enabled, Rustls v0.22 will be used.
/// Note that if other TLS crate features are enabled, Rustls v0.23 will be used.
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls_0_23::{self, reexports::ClientConfig};
cfg_if::cfg_if! {
if #[cfg(feature = "rustls-0_23-webpki-roots")] {
let certs = rustls_0_23::webpki_roots_cert_store();
} else if #[cfg(feature = "rustls-0_23-native-roots")] {
let certs = rustls_0_23::native_roots_cert_store().expect("Failed to find native root certificates");
}
}
let mut config = ClientConfig::builder()
.with_root_certificates(certs)
.with_no_client_auth();
config.alpn_protocols = protocols;
OurTlsConnector::Rustls023(std::sync::Arc::new(config))
}
} else if #[cfg(any(feature = "rustls-0_22-webpki-roots", feature = "rustls-0_22-native-roots"))] {
/// Build TLS connector with Rustls v0.22, based on supplied ALPN protocols.
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls_0_22::{self, reexports::ClientConfig};
@ -107,7 +136,7 @@ impl Connector<()> {
if #[cfg(feature = "rustls-0_22-webpki-roots")] {
let certs = rustls_0_22::webpki_roots_cert_store();
} else if #[cfg(feature = "rustls-0_22-native-roots")] {
let certs = rustls_0_22::native_roots_cert_store();
let certs = rustls_0_22::native_roots_cert_store().expect("Failed to find native root certificates");
}
}
@ -278,6 +307,19 @@ where
self
}
/// Sets custom Rustls v0.23 `ClientConfig` instance.
#[cfg(any(
feature = "rustls-0_23-webpki-roots",
feature = "rustls-0_23-native-roots",
))]
pub fn rustls_0_23(
mut self,
connector: std::sync::Arc<actix_tls::connect::rustls_0_23::reexports::ClientConfig>,
) -> Self {
self.tls = OurTlsConnector::Rustls023(connector);
self
}
/// Sets maximum supported HTTP major version.
///
/// Supported versions are HTTP/1.1 and HTTP/2.
@ -588,6 +630,43 @@ where
Some(actix_service::boxed::rc_service(tls_service))
}
#[cfg(any(
feature = "rustls-0_23-webpki-roots",
feature = "rustls-0_23-native-roots",
))]
OurTlsConnector::Rustls023(tls) => {
const H2: &[u8] = b"h2";
use actix_tls::connect::rustls_0_23::{reexports::AsyncTlsStream, TlsConnector};
#[allow(non_local_definitions)]
impl<Io: ConnectionIo> IntoConnectionIo for TcpConnection<Uri, AsyncTlsStream<Io>> {
fn into_connection_io(self) -> (Box<dyn ConnectionIo>, Protocol) {
let sock = self.into_parts().0;
let h2 = sock
.get_ref()
.1
.alpn_protocol()
.map_or(false, |protos| protos.windows(2).any(|w| w == H2));
if h2 {
(Box::new(sock), Protocol::Http2)
} else {
(Box::new(sock), Protocol::Http1)
}
}
}
let handshake_timeout = self.config.handshake_timeout;
let tls_service = TlsConnectorService {
tcp_service: tcp_service_inner,
tls_service: TlsConnector::service(tls),
timeout: handshake_timeout,
};
Some(actix_service::boxed::rc_service(tls_service))
}
};
let tcp_config = self.config.no_disconnect_timeout();