diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74fbae5ee0..904fe925b9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -127,6 +127,8 @@ jobs:
 features: "--no-default-features"
 - name: "feat.: rustls-tls"
 features: "--no-default-features --features rustls-tls"
+ - name: "feat.: rustls-tls-platform-verifier"
+ features: "--no-default-features --features rustls-tls-platform-verifier"
 - name: "feat.: rustls-tls-manual-roots"
 features: "--no-default-features --features rustls-tls-manual-roots"
 - name: "feat.: rustls-tls-native-roots"
diff --git a/Cargo.toml b/Cargo.toml
index 10a0e88151..68cb104a10 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -42,6 +42,7 @@ native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]
 rustls-tls = ["rustls-tls-webpki-roots"]
 rustls-tls-manual-roots = ["__rustls"]
+rustls-tls-platform-verifier = ["dep:rustls-platform-verifier", "__rustls"]
 rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"]
 rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"]
@@ -140,6 +141,7 @@ rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
 tokio-rustls = { version = "0.25", optional = true }
 webpki-roots = { version = "0.26.0", optional = true }
 rustls-native-certs = { version = "0.7", optional = true }
+rustls-platform-verifier = { version = "0.2", optional = true }
 ## cookies
 cookie_crate = { version = "0.18.0", package = "cookie", optional = true }
diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs
index 22519f5350..413fb46ac7 100644
--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -565,10 +565,21 @@ impl ClientBuilder {
 return Err(crate::error::builder("empty supported tls versions"));
 }
+ #[cfg(feature = "rustls-tls-platform-verifier")]
+ let verifier = Arc::new(rustls_platform_verifier::Verifier::new());
+ #[cfg(not(feature = "rustls-tls-platform-verifier"))]
+ let verifier =
+ rustls::client::WebPkiServerVerifier::builder(Arc::new(root_cert_store))
+ .build()
+ .map_err(|_| {
+ crate::error::builder("no trust anchors have been provided")
+ })?;
+
 // Build TLS config
 let config_builder =
 rustls::ClientConfig::builder_with_protocol_versions(&versions)
- .with_root_certificates(root_cert_store);
+ .dangerous()
+ .with_custom_certificate_verifier(verifier);
 // Finalize TLS config
 let mut tls = if let Some(id) = config.identity {
diff --git a/src/lib.rs b/src/lib.rs
index d62cb82109..25536ee438 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -192,6 +192,8 @@
 //! while using root certificates from the `webpki-roots` crate.
 //! - **rustls-tls-native-roots**: Enables TLS functionality provided by `rustls`,
 //! while using root certificates from the `rustls-native-certs` crate.
+//! - **rustls-tls-platform-verifier**: Enables TLS functionality provided by `rustls`,
+//! while using the platform's native certificate verifier.
 //! - **blocking**: Provides the [blocking][] client API.
 //! - **charset** *(enabled by default)*: Improved support for decoding text.
 //! - **cookies**: Provides cookie session support.
diff --git a/tests/badssl.rs b/tests/badssl.rs
index 9b001d0700..73cd2b0396 100644
--- a/tests/badssl.rs
+++ b/tests/badssl.rs
@@ -59,14 +59,21 @@ async fn test_badssl_self_signed() {
 assert!(text.contains("
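Review bot: Under `rustls-tls-platform-verifier` the `root_cert_store` assembled earlier in this function is never handed to the verifier — the added `Arc::new(rustls_platform_verifier::Verifier::new())` is built without reference to it — so roots a caller supplied through `add_root_certificate`, and the `rustls-tls-webpki-roots`/`rustls-tls-native-roots` stores when those features are unified alongside this one, are silently not consulted; the function continues outside the hunk, so I cannot see whether the store is used elsewhere, but if it is not this also leaves an unused-variable warning under that feature. Because Cargo features are additive, a single dependency enabling this feature changes the trust decision for every other user of the crate without any change to their code, which the new feature line in Cargo.toml and the lib.rs doc entry do not mention. At minimum the feature documentation should say so, and the `#[cfg]` pair deserves a comment such as `// Platform verifier performs its own trust evaluation; root_cert_store (built-in roots and add_root_certificate) is not consulted on this path.` Separately, since the client now always goes through `.dangerous().with_custom_certificate_verifier(..)`, a one-line note that the non-platform branch installs the same `WebPkiServerVerifier` that `with_root_certificates` previously set up would help the next reader, and the `map_err(|_| …)` discards the builder's error, so the fixed message "no trust anchors have been provided" may be misleading if the builder can fail for other reasons.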