fix: make sure actix-web uses newest rustls everywhere

2021-10-20 22:24:59 +03:00 · 2021-10-20 22:24:59 +03:00 · 8e366d99f1
parent d6a405a8f8
commit 8e366d99f1
3 changed files with 22 additions and 8 deletions
--- a/actix-http/Cargo.toml
+++ b/actix-http/Cargo.toml
@ -27,7 +27,7 @@ default = []
 openssl = ["actix-tls/openssl"]

 # rustls support
-rustls = ["actix-tls/rustls"]
+rustls = ["actix-tls/rustls", "tls-rustls"]

 # enable compression support
 compress-brotli = ["brotli2", "__compress"]
@ -81,6 +81,7 @@ flate2 = { version = "1.0.13", optional = true }
 zstd = { version = "0.7", optional = true }

 trust-dns-resolver = { version = "0.20.0", optional = true }
+tls-rustls = { version = "0.20.0", package = "rustls", optional = true }

 [dev-dependencies]
 actix-server = "2.0.0-beta.3"
@ -94,7 +95,7 @@ regex = "1.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 tls-openssl = { version = "0.10", package = "openssl" }
-tls-rustls = { version = "0.19", package = "rustls" }
+tls-rustls = { version = "0.20", package = "rustls" }
 webpki = { version = "0.21" }

 [[example]]
--- a/actix-http/src/client/connector.rs
+++ b/actix-http/src/client/connector.rs
@ -100,11 +100,24 @@ impl Connector<()> {
    // Build Ssl connector with rustls, based on supplied alpn protocols
    #[cfg(all(not(feature = "openssl"), feature = "rustls"))]
    fn build_ssl(protocols: Vec<Vec<u8>>) -> SslConnector {
-        let mut config = ClientConfig::new();
-        config.set_protocols(&protocols);
-        config.root_store.add_server_trust_anchors(
-            &actix_tls::connect::ssl::rustls::TLS_SERVER_ROOTS,
-        );
+        let anchors = &actix_tls::connect::ssl::rustls::TLS_SERVER_ROOTS;
+        let mut config = ClientConfig::builder()
+            .with_safe_defaults()
+            .with_root_certificates(tls_rustls::RootCertStore {
+                roots: anchors
+                    .0
+                    .into_iter()
+                    .map(|anchor| {
+                        tls_rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                            anchor.subject,
+                            anchor.spki,
+                            anchor.name_constraints,
+                        )
+                    })
+                    .collect(),
+            })
+            .with_no_client_auth();
+        config.alpn_protocols = protocols;
        SslConnector::Rustls(std::sync::Arc::new(config))
    }

--- a/awc/Cargo.toml
+++ b/awc/Cargo.toml
@ -74,7 +74,7 @@ serde = "1.0"
 serde_json = "1.0"
 serde_urlencoded = "0.7"
 tls-openssl = { version = "0.10.9", package = "openssl", optional = true }
-tls-rustls = { version = "0.19.0", package = "rustls", optional = true, features = ["dangerous_configuration"] }
+tls-rustls = { version = "0.20.0", package = "rustls", optional = true, features = ["dangerous_configuration"] }

 [dev-dependencies]
 actix-web = { version = "4.0.0-beta.9", features = ["openssl"] }