update main dependencies

tafia · Jul 21, 2023 · 1d5720d · 1d5720d
1 parent aca1e1f
commit 1d5720d
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 26 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,17 +21,17 @@ tower-service = "0.3"
 http = "0.2"
 futures-util = { version = "0.3", default-features = false }
 bytes = "1.0"
-hyper-tls = { version = "0.5.0", optional = true }
-tokio-native-tls = { version = "0.3.0", optional = true }
+hyper-tls = { version = "0.5", optional = true }
+tokio-native-tls = { version = "0.3", optional = true }
 native-tls = { version = "0.2", optional = true }
 openssl = { version = "0.10", optional = true }
 tokio-openssl = { version = "0.6", optional = true }
-tokio-rustls = { version = "0.22", optional = true }
-hyper-rustls = { version = "0.22", optional = true }
+tokio-rustls = { version = "0.24", optional = true }
+hyper-rustls = { version = "0.24", optional = true }
 
-webpki = { version = "0.21", optional = true }
-rustls-native-certs = { version = "0.5.0", optional = true }
-webpki-roots = { version = "0.21.0", optional = true }
+webpki = { version = "0.22", optional = true }
+rustls-native-certs = { version = "0.6", optional = true }
+webpki-roots = { version = "0.24.0", optional = true }
 headers = "0.3"
 
 [dev-dependencies]
@@ -46,4 +46,4 @@ tls = ["tokio-native-tls", "hyper-tls", "native-tls"]
 rustls-base = ["tokio-rustls", "hyper-rustls", "webpki"]
 rustls = ["rustls-base", "rustls-native-certs", "hyper-rustls/native-tokio"]
 rustls-webpki = ["rustls-base", "webpki-roots", "hyper-rustls/webpki-tokio"]
-default = ["tls"]
+default = ["rustls"]
diff --git a/src/lib.rs b/src/lib.rs
@@ -61,6 +61,8 @@ use http::header::{HeaderMap, HeaderName, HeaderValue};
 use hyper::{service::Service, Uri};
 
 use futures_util::future::TryFutureExt;
+#[cfg(feature = "rustls-base")]
+use std::convert::TryFrom;
 use std::{fmt, io, sync::Arc};
 use std::{
     future::Future,
@@ -77,15 +79,13 @@ use native_tls::TlsConnector as NativeTlsConnector;
 #[cfg(feature = "tls")]
 use tokio_native_tls::TlsConnector;
 #[cfg(feature = "rustls-base")]
-use tokio_rustls::TlsConnector;
+use tokio_rustls::{rustls::ServerName, TlsConnector};
 
 use headers::{authorization::Credentials, Authorization, HeaderMapExt, ProxyAuthorization};
 #[cfg(feature = "openssl-tls")]
 use openssl::ssl::{SslConnector as OpenSslConnector, SslMethod};
 #[cfg(feature = "openssl-tls")]
 use tokio_openssl::SslStream;
-#[cfg(feature = "rustls-base")]
-use webpki::DNSNameRef;
 
 type BoxError = Box<dyn std::error::Error + Send + Sync>;
 
@@ -288,20 +288,27 @@ impl<C> ProxyConnector<C> {
     /// Create a new secured Proxies
     #[cfg(feature = "rustls-base")]
     pub fn new(connector: C) -> Result<Self, io::Error> {
-        let mut config = tokio_rustls::rustls::ClientConfig::new();
-
+        let mut roots = tokio_rustls::rustls::RootCertStore::empty();
         #[cfg(feature = "rustls")]
-        {
-            config.root_store =
-                rustls_native_certs::load_native_certs().map_err(|(_store, io)| io)?;
+        for cert in rustls_native_certs::load_native_certs()? {
+            roots
+                .add(&tokio_rustls::rustls::Certificate(cert.0))
+                .map_err(io_err)?;
         }
 
         #[cfg(feature = "rustls-webpki")]
-        {
-            config
-                .root_store
-                .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
-        }
+        roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+            tokio_rustls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                ta.subject,
+                ta.spki,
+                ta.name_constraints,
+            )
+        }));
+
+        let config = tokio_rustls::rustls::ClientConfig::builder()
+            .with_safe_defaults()
+            .with_root_certificates(roots)
+            .with_no_client_auth();
 
         let cfg = Arc::new(config);
         let tls = TlsConnector::from(cfg);
@@ -442,7 +449,13 @@ where
         if let (Some(p), Some(host)) = (self.match_proxy(&uri), uri.host()) {
             if uri.scheme() == Some(&http::uri::Scheme::HTTPS) || p.force_connect {
                 let host = host.to_owned();
-                let port = uri.port_u16().unwrap_or(if uri.scheme() == Some(&http::uri::Scheme::HTTP) { 80 } else { 443 });
+                let port =
+                    uri.port_u16()
+                        .unwrap_or(if uri.scheme() == Some(&http::uri::Scheme::HTTP) {
+                            80
+                        } else {
+                            443
+                        });
                 let tunnel = tunnel::new(&host, port, &p.headers);
                 let connection =
                     proxy_dst(&uri, &p.uri).map(|proxy_url| self.connector.call(proxy_url));
@@ -470,11 +483,13 @@ where
 
                             #[cfg(feature = "rustls-base")]
                             Some(tls) => {
-                                let dnsref =
-                                    mtry!(DNSNameRef::try_from_ascii_str(&host).map_err(io_err));
+                                let server_name =
+                                    mtry!(ServerName::try_from(host.as_str()).map_err(io_err));
                                 let tls = TlsConnector::from(tls);
-                                let secure_stream =
-                                    mtry!(tls.connect(dnsref, tunnel_stream).await.map_err(io_err));
+                                let secure_stream = mtry!(tls
+                                    .connect(server_name, tunnel_stream)
+                                    .await
+                                    .map_err(io_err));
 
                                 Ok(ProxyStream::Secured(secure_stream))
                             }