authorAlex Auvolat <alex@adnab.me>2020-04-12 19:18:31 +0200
committerAlex Auvolat <alex@adnab.me>2020-04-12 19:18:31 +0200
commitc788fc9f9e2c9128ea0dd5f28c1bafe8ba3b369c (patch)
tree30c9e34b979bd8d38ef93e8371a4fea087556e72 /src
parentd2814b5c3374f8b99a81dbb9fa3614c875cfc5e6 (diff)
downloadgarage-c788fc9f9e2c9128ea0dd5f28c1bafe8ba3b369c.tar.gz
garage-c788fc9f9e2c9128ea0dd5f28c1bafe8ba3b369c.zip
Cleanup
Diffstat (limited to 'src')
-rw-r--r--src/rpc_client.rs3
-rw-r--r--src/tls_util.rs58
2 files changed, 1 insertions, 60 deletions
diff --git a/src/rpc_client.rs b/src/rpc_client.rs
index 255eb958..6f897a90 100644
--- a/src/rpc_client.rs
+++ b/src/rpc_client.rs
@@ -109,7 +109,6 @@ impl RpcClient {
}
config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?;
- // config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier));
let connector =
tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage");
@@ -143,7 +142,7 @@ impl RpcClient {
let resp = tokio::time::timeout(timeout, resp_fut)
.await?
.map_err(|e| {
- eprintln!("RPC client error: {}", e);
+ eprintln!("RPC HTTP client error when connecting to {}: {}", to_addr, e);
e
})?;
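Review bot: The timeout case never reaches the new diagnostic: `tokio::time::timeout(...).await?` propagates the elapsed error on the line above the `map_err`, so the peer address is only logged for HTTP-level failures, not for a node that simply stopped answering. If attributing timeouts to a node matters as much as attributing connection errors, map that error the same way, e.g. `.await.map_err(|e| { eprintln!("RPC timeout when connecting to {}: {}", to_addr, e); e })?`, which presumably relies on the same `From` conversion the existing `?` already uses. The enclosing method starts outside the hunk, so how `to_addr` is bound and what it prints is not visible here.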
diff --git a/src/tls_util.rs b/src/tls_util.rs
index 5a17d380..dfc4e716 100644
--- a/src/tls_util.rs
+++ b/src/tls_util.rs
@@ -7,7 +7,6 @@ use core::future::Future;
use futures_util::future::*;
use tokio::io::{AsyncRead, AsyncWrite};
use rustls::internal::pemfile;
-use rustls::*;
use hyper::client::HttpConnector;
use hyper::client::connect::Connection;
use hyper::service::Service;
@@ -60,63 +59,6 @@ pub fn load_private_key(filename: &str) -> Result<rustls::PrivateKey, Error> {
}
-// ---- AWFUL COPYPASTA FROM rustls/verifier.rs
-// ---- USED TO ALLOW TO VERIFY SERVER CERTIFICATE VALIDITY IN CHAIN
-// ---- BUT DISREGARD HOSTNAME PARAMETER
-
-pub struct NoHostnameCertVerifier;
-
-type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
-static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
- &webpki::ECDSA_P256_SHA256,
- &webpki::ECDSA_P256_SHA384,
- &webpki::ECDSA_P384_SHA256,
- &webpki::ECDSA_P384_SHA384,
- &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
- &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
- &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
- &webpki::RSA_PKCS1_2048_8192_SHA256,
- &webpki::RSA_PKCS1_2048_8192_SHA384,
- &webpki::RSA_PKCS1_2048_8192_SHA512,
- &webpki::RSA_PKCS1_3072_8192_SHA384
-];
-
-impl rustls::ServerCertVerifier for NoHostnameCertVerifier {
- fn verify_server_cert(&self,
- roots: &RootCertStore,
- presented_certs: &[Certificate],
- _dns_name: webpki::DNSNameRef,
- _ocsp_response: &[u8]) -> Result<rustls::ServerCertVerified, TLSError> {
-
- if presented_certs.is_empty() {
- return Err(TLSError::NoCertificatesPresented);
- }
-
- let cert = webpki::EndEntityCert::from(&presented_certs[0].0)
- .map_err(TLSError::WebPKIError)?;
-
- let chain = presented_certs.iter()
- .skip(1)
- .map(|cert| cert.0.as_ref())
- .collect::<Vec<_>>();
-
- let trustroots: Vec<webpki::TrustAnchor> = roots.roots
- .iter()
- .map(|x| x.to_trust_anchor())
- .collect();
-
- let now = webpki::Time::try_from(std::time::SystemTime::now())
- .map_err( |_ | TLSError::FailedToGetCurrentTime)?;
-
- cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS,
- &webpki::TLSServerTrustAnchors(&trustroots), &chain, now)
- .map_err(TLSError::WebPKIError)?;
-
- Ok(rustls::ServerCertVerified::assertion())
- }
-}
-
-
// ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs
// ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION