[proxy] Update rustls (#1510)

2026-01-07 13:32:57 +00:00 · 2022-04-15 12:06:25 +03:00
parent e97f94cc30
commit c9d897f9b6
4 changed files with 46 additions and 40 deletions
--- a/proxy/src/config.rs
+++ b/proxy/src/config.rs
@@ -1,10 +1,9 @@
-use anyhow::{anyhow, bail, ensure, Context};
-use rustls::{internal::pemfile, NoClientAuth, ProtocolVersion, ServerConfig};
+use anyhow::{bail, ensure, Context};
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::sync::Arc;

-pub type TlsConfig = Arc<ServerConfig>;
+pub type TlsConfig = Arc<rustls::ServerConfig>;

 #[non_exhaustive]
 pub enum ClientAuthMethod {
@@ -61,21 +60,28 @@ pub struct ProxyConfig {
 pub fn configure_ssl(key_path: &str, cert_path: &str) -> anyhow::Result<TlsConfig> {
    let key = {
        let key_bytes = std::fs::read(key_path).context("SSL key file")?;
-        let mut keys = pemfile::pkcs8_private_keys(&mut &key_bytes[..])
-            .map_err(|_| anyhow!("couldn't read TLS keys"))?;
+        let mut keys = rustls_pemfile::pkcs8_private_keys(&mut &key_bytes[..])
+            .context("couldn't read TLS keys")?;
+
        ensure!(keys.len() == 1, "keys.len() = {} (should be 1)", keys.len());
-        keys.pop().unwrap()
+        keys.pop().map(rustls::PrivateKey).unwrap()
    };

    let cert_chain = {
        let cert_chain_bytes = std::fs::read(cert_path).context("SSL cert file")?;
-        pemfile::certs(&mut &cert_chain_bytes[..])
-            .map_err(|_| anyhow!("couldn't read TLS certificates"))?
+        rustls_pemfile::certs(&mut &cert_chain_bytes[..])
+            .context("couldn't read TLS certificate chain")?
+            .into_iter()
+            .map(rustls::Certificate)
+            .collect()
    };

-    let mut config = ServerConfig::new(NoClientAuth::new());
-    config.set_single_cert(cert_chain, key)?;
-    config.versions = vec![ProtocolVersion::TLSv1_3];
+    let config = rustls::ServerConfig::builder()
+        .with_safe_default_cipher_suites()
+        .with_safe_default_kx_groups()
+        .with_protocol_versions(&[&rustls::version::TLS13])?
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key)?;

    Ok(config.into())
 }
--- a/proxy/src/proxy.rs
+++ b/proxy/src/proxy.rs
@@ -265,14 +265,24 @@ mod tests {
        let (ca, cert, key) = generate_certs(hostname)?;

        let server_config = {
-            let mut config = rustls::ServerConfig::new(rustls::NoClientAuth::new());
-            config.set_single_cert(vec![cert], key)?;
+            let config = rustls::ServerConfig::builder()
+                .with_safe_defaults()
+                .with_no_client_auth()
+                .with_single_cert(vec![cert], key)?;
+
            config.into()
        };

        let client_config = {
-            let mut config = rustls::ClientConfig::new();
-            config.root_store.add(&ca)?;
+            let config = rustls::ClientConfig::builder()
+                .with_safe_defaults()
+                .with_root_certificates({
+                    let mut store = rustls::RootCertStore::empty();
+                    store.add(&ca)?;
+                    store
+                })
+                .with_no_client_auth();
+
            ClientConfig { config, hostname }
        };