Add changes from PR tafia#28 for updates due to tokio-rustls bump

Sean Karlage · Sean Karlage · commit d7b061281132 · 2023-05-06T21:54:11.000-04:00
diff --git a/Changelog.md b/Changelog.md
@@ -8,6 +8,9 @@
   - test: Adding missing tests
   - chore: Changes to the build process or auxiliary tools/libraries/documentation
 
+## 0.9.1
+- feat: upgrade rustls stack to tokio-rustls 0.23
+
 ## 0.9.0
 - feat: upgrade to tokio 1.0
 - feat: add tokio-openssl support
diff --git a/src/lib.rs b/src/lib.rs
@@ -85,7 +85,7 @@ use openssl::ssl::{SslConnector as OpenSslConnector, SslMethod};
 #[cfg(feature = "openssl-tls")]
 use tokio_openssl::SslStream;
 #[cfg(feature = "rustls-base")]
-use webpki::DNSNameRef;
+use tokio_rustls::rustls::ServerName;
 
 type BoxError = Box<dyn std::error::Error + Send + Sync>;
 
@@ -288,19 +288,31 @@ impl<C> ProxyConnector<C> {
     /// Create a new secured Proxies
     #[cfg(feature = "rustls-base")]
     pub fn new(connector: C) -> Result<Self, io::Error> {
-        let mut config = tokio_rustls::rustls::ClientConfig::new();
+        let mut config = tokio_rustls::rustls::ClientConfig::builder();
 
         #[cfg(feature = "rustls")]
         {
-            config.root_store =
-                rustls_native_certs::load_native_certs().map_err(|(_store, io)| io)?;
+            let mut roots = tokio_rustls::rustls::RootCertStore::empty();
+            for cert in rustls_native_certs::load_native_certs()? {
+                let cert = rustls::Certificate(cert.0);
+                roots.add(&cert).map_err(io_err)?;
+            }
+            config.with_root_certificates(roots).with_no_client_auth()
         }
 
         #[cfg(feature = "rustls-webpki")]
         {
-            config
-                .root_store
-                .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+            let mut roots = tokio_rustls::rustls::RootCertStore::empty();
+            roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.into_iter().map(
+                |trust_achor| {
+                    rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                        trust_anchor.subject,
+                        trust_anchor.spki,
+                        trust_anchor.name_constraints,
+                    )
+                }
+            ));
+            config.with_root_certificates(roots).with_no_client_auth()
         }
 
         let cfg = Arc::new(config);
@@ -442,7 +454,13 @@ where
         if let (Some(p), Some(host)) = (self.match_proxy(&uri), uri.host()) {
             if uri.scheme() == Some(&http::uri::Scheme::HTTPS) || p.force_connect {
                 let host = host.to_owned();
-                let port = uri.port_u16().unwrap_or(if uri.scheme() == Some(&http::uri::Scheme::HTTP) { 80 } else { 443 });
+                let port =
+                    uri.port_u16()
+                        .unwrap_or(if uri.scheme() == Some(&http::uri::Scheme::HTTP) {
+                            80
+                        } else {
+                            443
+                        });
                 let tunnel = tunnel::new(&host, port, &p.headers);
                 let connection =
                     proxy_dst(&uri, &p.uri).map(|proxy_url| self.connector.call(proxy_url));
@@ -471,7 +489,7 @@ where
                             #[cfg(feature = "rustls-base")]
                             Some(tls) => {
                                 let dnsref =
-                                    mtry!(DNSNameRef::try_from_ascii_str(&host).map_err(io_err));
+                                    mtry!(ServerName::try_from(host.as_str()).map_err(io_err));
                                 let tls = TlsConnector::from(tls);
                                 let secure_stream =
                                     mtry!(tls.connect(dnsref, tunnel_stream).await.map_err(io_err));
