feat(download/rustls): use rustls-platform-verifier

rami3l · rami3l · commit c556448fd33b · 2024-06-25T15:52:13.000+08:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/download/Cargo.toml b/download/Cargo.toml
@@ -9,14 +9,21 @@ default = ["reqwest-backend", "reqwest-rustls-tls", "reqwest-native-tls"]
 curl-backend = ["curl"]
 reqwest-backend = ["reqwest", "env_proxy"]
 reqwest-native-tls = ["reqwest/native-tls", "dep:once_cell"]
-reqwest-rustls-tls = ["reqwest/rustls-tls-native-roots", "dep:once_cell"]
+reqwest-rustls-tls = [
+  "reqwest/rustls-tls-manual-roots-no-provider",
+  "dep:rustls",
+  "dep:rustls-platform-verifier",
+  "dep:once_cell",
+]
 
 [dependencies]
 anyhow.workspace = true
 curl = { version = "0.4.44", optional = true }
 env_proxy = { version = "0.4.1", optional = true }
 once_cell = { workspace = true, optional = true }
 reqwest = { version = "0.12", default-features = false, features = ["blocking", "gzip", "socks", "stream"], optional = true }
+rustls = { version = "0.23", optional = true, default-features = false, features = ["logging", "ring", "tls12"] }
+rustls-platform-verifier = { version = "0.3", optional = true }
 thiserror.workspace = true
 tokio = { workspace = true, default-features = false, features = ["sync"] }
 tokio-stream.workspace = true
diff --git a/download/src/lib.rs b/download/src/lib.rs
@@ -294,12 +294,16 @@ pub mod reqwest_be {
     compile_error!("Must select a reqwest TLS backend");
 
     use std::io;
+    #[cfg(feature = "reqwest-rustls-tls")]
+    use std::sync::Arc;
     use std::time::Duration;
 
     use anyhow::{anyhow, Context, Result};
     #[cfg(any(feature = "reqwest-rustls-tls", feature = "reqwest-native-tls"))]
     use once_cell::sync::Lazy;
     use reqwest::{header, Client, ClientBuilder, Proxy, Response};
+    #[cfg(feature = "reqwest-rustls-tls")]
+    use rustls::crypto::ring;
     use tokio_stream::StreamExt;
     use url::Url;
 
@@ -353,7 +357,12 @@ pub mod reqwest_be {
     static CLIENT_RUSTLS_TLS: Lazy<Client> = Lazy::new(|| {
         let catcher = || {
             client_generic()
-                .use_rustls_tls()
+                .use_preconfigured_tls(
+                    rustls_platform_verifier::tls_config_with_provider(Arc::new(
+                        ring::default_provider(),
+                    ))
+                    .expect("failed to initialize pre-configured rustls backend"),
+                )
                 .user_agent(super::REQWEST_RUSTLS_TLS_USER_AGENT)
                 .build()
         };
