GithubHelp home page GithubHelp logo

Comments (12)

cpu avatar cpu commented on May 30, 2024 1

i can't find ClientConfig::builder().with_custom_certificate_verifier()

You'll want to use ClientConfig::builder().dangerous() to access a DangerousClientConfigBuilder and then with_custom_certificate_verifier().

This is mentioned in the release notes under:

Moved
...
DangerousClientConfig (client::danger)
...
Added
...
DangerousClientConfigBuilder (client::danger)

The tlsclient-mio.rs example in the repository uses a custom certificate verifier with flag_insecure and has been updated to 0.22. I recommend using it as an example to reference.

from rustls.

zhuxiujia avatar zhuxiujia commented on May 30, 2024 1

i can't find ClientConfig::builder().with_custom_certificate_verifier()

You'll want to use ClientConfig::builder().dangerours() to access a DangerousClientConfigBuilder and then with_custom_certificate_verifier().

This is mentioned in the release notes under:

Moved
...
DangerousClientConfig (client::danger)
...
Added
...
DangerousClientConfigBuilder (client::danger)

The tlsclient-mio.rs example in the repository uses a custom certificate verifier with flag_insecure and has been updated to 0.22. I recommend using it as an example to reference.

Thank you for your reply. Let me take a look at these examples first

from rustls.

nyurik avatar nyurik commented on May 30, 2024 1

Thanks, this code really helped me in my upgrade in https://github.com/maplibre/martin/pull/1136/files -- I created an issue #1749 to improve upgrade documentation

from rustls.

djc avatar djc commented on May 30, 2024

Please provide the compiler error you ran into and/or a much smaller code sample.

from rustls.

zhuxiujia avatar zhuxiujia commented on May 30, 2024

Please provide the compiler error you ran into and/or a much smaller code sample.

Thank you for your reply,Sorry, I'm not very familiar with how to use the new version of Rustls。

you can check in my project
(this is use tokio-rustls = version= "0.24.0" and rustls = version = "0.21.0")
https://github.com/rbatis/rbatis/blob/master/rbdc/src/net/tls/rustls.rs

when update to

tokio-rustls = {version= "0.25.0", optional = true}
rustls = { version = "0.22.1", features = [], optional = true }

after my error is

error[E0432]: unresolved imports `rustls::client::ServerCertVerified`, `rustls::client::ServerCertVerifier`, `rustls::client::WebPkiVerifier`, `rustls::OwnedTrustAnchor`, `rustls::ServerName`
 --> rbdc\src\net\tls\rustls.rs:3:14
  |
3 |     client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier},
  |              ^^^^^^^^^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^  ^^^^^^^^^^^^^^ no `WebPkiVerifier` in `client`
  |              |                   |
  |              |                   no `ServerCertVerifier` in `client`
  |              no `ServerCertVerified` in `client`
4 |     CertificateError, ClientConfig, Error as TlsError, OwnedTrustAnchor, RootCertStore, ServerName,
  |                                                        ^^^^^^^^^^^^^^^^                 ^^^^^^^^^^ no `ServerName` in the root
  |                                                        |
  |                                                        no `OwnedTrustAnchor` in the root
  |
  = help: consider importing this struct instead:
          rustls::client::danger::ServerCertVerified
  = help: consider importing this trait instead:
          rustls::client::danger::ServerCertVerifier
  = help: consider importing one of these items instead:
          rustls::internal::msgs::handshake::ClientExtension::ServerName
          rustls::pki_types::ServerName

and then i change code to


use rustls::client::danger::ServerCertVerified;
use rustls::client::danger::ServerCertVerifier;
use rustls::pki_types::ServerName;

this is also error of

error[E0432]: unresolved imports `rustls::client::WebPkiVerifier`, `rustls::OwnedTrustAnchor`, `rustls::ServerName`
 --> rbdc\src\net\tls\rustls.rs:8:15
  |
8 |     client::{ WebPkiVerifier},
  |               ^^^^^^^^^^^^^^ no `WebPkiVerifier` in `client`
9 |     CertificateError, ClientConfig, Error as TlsError, OwnedTrustAnchor, RootCertStore, ServerName,
  |                                                        ^^^^^^^^^^^^^^^^                 ^^^^^^^^^^ no `ServerName` in the root
  |                                                        |
  |                                                        no `OwnedTrustAnchor` in the root
  |
  = help: consider importing one of these items instead:
          rustls::internal::msgs::handshake::ClientExtension::ServerName
          rustls::pki_types::ServerName

from rustls.

cpu avatar cpu commented on May 30, 2024

Have you reviewed the 0.22 release notes? They are fairly detailed and will hopefully help you find replacements for each of the removed/renamed items that are causing you build errors.

no OwnedTrustAnchor in the root

For example, this item is covered in the release notes:

OwnedTrustAnchor - use rustls_pki_types::TrustAnchor instead, and replace from_subject_spki_name_constraints with direct assignment to the struct fields.

from rustls.

zhuxiujia avatar zhuxiujia commented on May 30, 2024

Have you reviewed the 0.22 release notes? They are fairly detailed and will hopefully help you find replacements for each of the removed/renamed items that are causing you build errors.

no OwnedTrustAnchor in the root

For example, this item is covered in the release notes:

OwnedTrustAnchor - use rustls_pki_types::TrustAnchor instead, and replace from_subject_spki_name_constraints with direct assignment to the struct fields.

thank you,
i change the code It still reports an error

Updated code: 
use crate::net::CertificateInput;

use rustls::client::danger::ServerCertVerified;
use rustls::client::danger::ServerCertVerifier;
use rustls::pki_types::ServerName;

use rustls::client::WebPkiServerVerifier as WebPkiVerifier;
use rustls::{CertificateError, ClientConfig, Error as TlsError, RootCertStore, };
use rustls_pki_types::TrustAnchor as OwnedTrustAnchor;
use rustls_pki_types::CertificateDer as Certificate;
use std::io::Cursor;
use std::sync::Arc;
use std::time::SystemTime;

use crate::Error;

pub async fn configure_tls_connector(
    accept_invalid_certs: bool,
    accept_invalid_hostnames: bool,
    root_cert_path: Option<&CertificateInput>,
) -> Result<crate::rt::TlsConnector, Error> {
    let config = ClientConfig::builder().with_safe_defaults();

    let config = if accept_invalid_certs {
        config
            .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
            .with_no_client_auth()
    } else {
        let mut cert_store = RootCertStore::empty();
        cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
            OwnedTrustAnchor::from_subject_spki_name_constraints(
                ta.subject.to_vec(),
                ta.subject_public_key_info.to_vec(),
                ta.name_constraints.clone().map(|v| v.to_vec()),
            )
        }));

        if let Some(ca) = root_cert_path {
            let data = ca.data().await?;
            let mut cursor = Cursor::new(data);

            for cert_result in rustls_pemfile::certs(&mut cursor)
            {
                let cert = cert_result.map_err(|_| Error::E(format!("Invalid certificate {}", ca)))?;
                cert_store
                    .add(cert)
                    .map_err(|err| Error::E(err.to_string()))?;
            }
        }

        if accept_invalid_hostnames {
            let verifier = WebPkiVerifier::builder(Arc::new(cert_store))
                .build()
                .map_err(|e| crate::error::Error::E(e.to_string()))?;

            config
                .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier }))
                .with_no_client_auth()
        } else {
            config
                .with_root_certificates(cert_store)
                .with_no_client_auth()
        }
    };

    Ok(Arc::new(config).into())
}

#[derive(Debug)]
struct DummyTlsVerifier;

impl ServerCertVerifier for DummyTlsVerifier {
    fn verify_server_cert(
        &self,
        _end_entity: &Certificate,
        _intermediates: &[Certificate],
        _server_name: &ServerName,
        _scts: &mut dyn Iterator<Item=&[u8]>,
        _ocsp_response: &[u8],
        _now: SystemTime,
    ) -> Result<ServerCertVerified, TlsError> {
        Ok(ServerCertVerified::assertion())
    }
}

#[derive(Debug)]
pub struct NoHostnameTlsVerifier {
    verifier: WebPkiVerifier,
}

impl ServerCertVerifier for NoHostnameTlsVerifier {
    fn verify_server_cert(
        &self,
        end_entity: &Certificate,
        intermediates: &[Certificate],
        server_name: &ServerName,
        scts: &mut dyn Iterator<Item=&[u8]>,
        ocsp_response: &[u8],
        now: SystemTime,
    ) -> Result<ServerCertVerified, TlsError> {
        match self.verifier.verify_server_cert(
            end_entity,
            intermediates,
            server_name,
            scts,
            ocsp_response,
            now,
        ) {
            Err(TlsError::InvalidCertificate(reason))
            if reason == CertificateError::NotValidForName =>
                {
                    Ok(ServerCertVerified::assertion())
                }
            res => res,
        }
    }
}

from rustls.

cpu avatar cpu commented on May 30, 2024

i change the code It still reports an error

What is the error? What have you tried to fix the error?

from rustls.

zhuxiujia avatar zhuxiujia commented on May 30, 2024

i change the code It still reports an error

What is the error? What have you tried to fix the error?

i can't find ClientConfig::builder().with_custom_certificate_verifier()

from rustls.

cpu avatar cpu commented on May 30, 2024

I'm going to close this issue to keep our tracker tidy but if you run into further issues we can continue the discussion.

from rustls.

zhuxiujia avatar zhuxiujia commented on May 30, 2024

I'm going to close this issue to keep our tracker tidy but if you run into further issues we can continue the discussion.

finally, i change the code success(It seems to have been compiled successfully). Do you have any suggestions or mistakes regarding my modified code?
see this code
https://github.com/rbatis/rbatis/blob/master/rbdc/src/net/tls/rustls.rs

from rustls.

cpu avatar cpu commented on May 30, 2024

finally, i change the code success(It seems to have been compiled successfully).

Great, glad to hear.

Do you have any suggestions or mistakes regarding my modified code?

Nope! Looks good to me :-)

from rustls.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.