feat(download/rustls): use rustls-platform-verifier

rami3l · rami3l · commit 2ad58f6fbf91 · 2024-06-25T10:40:02.000+08:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/download/Cargo.toml b/download/Cargo.toml
@@ -9,14 +9,21 @@ default = ["reqwest-backend", "reqwest-rustls-tls", "reqwest-native-tls"]
 curl-backend = ["curl"]
 reqwest-backend = ["reqwest", "env_proxy"]
 reqwest-native-tls = ["reqwest/native-tls", "dep:once_cell"]
-reqwest-rustls-tls = ["reqwest/rustls-tls-native-roots", "dep:once_cell"]
+reqwest-rustls-tls = [
+  "reqwest/rustls-tls-manual-roots-no-provider",
+  "dep:rustls",
+  "dep:rustls-platform-verifier",
+  "dep:once_cell",
+]
 
 [dependencies]
 anyhow.workspace = true
 curl = { version = "0.4.44", optional = true }
 env_proxy = { version = "0.4.1", optional = true }
 once_cell = { workspace = true, optional = true }
 reqwest = { version = "0.12", default-features = false, features = ["blocking", "gzip", "socks", "stream"], optional = true }
+rustls = { version = "0.23", optional = true, default-features = false, features = ["logging", "ring", "tls12"] }
+rustls-platform-verifier = { version = "0.3", optional = true }
 thiserror.workspace = true
 tokio = { workspace = true, default-features = false, features = ["sync"] }
 tokio-stream.workspace = true
diff --git a/download/src/lib.rs b/download/src/lib.rs
@@ -293,16 +293,22 @@ pub mod reqwest_be {
     ))]
     compile_error!("Must select a reqwest TLS backend");
 
-    use std::io;
-    use std::time::Duration;
+    use std::{io, time::Duration};
+
+    #[cfg(feature = "reqwest-rustls-tls")]
+    use std::sync::Arc;
 
     use anyhow::{anyhow, Context, Result};
-    #[cfg(any(feature = "reqwest-rustls-tls", feature = "reqwest-native-tls"))]
-    use once_cell::sync::Lazy;
     use reqwest::{header, Client, ClientBuilder, Proxy, Response};
     use tokio_stream::StreamExt;
     use url::Url;
 
+    #[cfg(any(feature = "reqwest-rustls-tls", feature = "reqwest-native-tls"))]
+    use once_cell::sync::Lazy;
+
+    #[cfg(feature = "reqwest-rustls-tls")]
+    use rustls::crypto::ring;
+
     use super::{DownloadError, Event, TlsBackend};
 
     pub async fn download(
@@ -353,7 +359,12 @@ pub mod reqwest_be {
     static CLIENT_RUSTLS_TLS: Lazy<Client> = Lazy::new(|| {
         let catcher = || {
             client_generic()
-                .use_rustls_tls()
+                .use_preconfigured_tls(
+                    rustls_platform_verifier::tls_config_with_provider(Arc::new(
+                        ring::default_provider(),
+                    ))
+                    .expect("failed to initialize pre-configured rustls backend"),
+                )
                 .user_agent(super::REQWEST_RUSTLS_TLS_USER_AGENT)
                 .build()
         };
