diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/rpc_client.rs | 3 | ||||
| -rw-r--r-- | src/tls_util.rs | 58 |
2 files changed, 1 insertions, 60 deletions
diff --git a/src/rpc_client.rs b/src/rpc_client.rs index 255eb958..6f897a90 100644 --- a/src/rpc_client.rs +++ b/src/rpc_client.rs @@ -109,7 +109,6 @@ impl RpcClient { } config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?; - // config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier)); let connector = tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage"); @@ -143,7 +142,7 @@ impl RpcClient { let resp = tokio::time::timeout(timeout, resp_fut) .await? .map_err(|e| { - eprintln!("RPC client error: {}", e); + eprintln!("RPC HTTP client error when connecting to {}: {}", to_addr, e); e })?; diff --git a/src/tls_util.rs b/src/tls_util.rs index 5a17d380..dfc4e716 100644 --- a/src/tls_util.rs +++ b/src/tls_util.rs @@ -7,7 +7,6 @@ use core::future::Future; use futures_util::future::*; use tokio::io::{AsyncRead, AsyncWrite}; use rustls::internal::pemfile; -use rustls::*; use hyper::client::HttpConnector; use hyper::client::connect::Connection; use hyper::service::Service; @@ -60,63 +59,6 @@ pub fn load_private_key(filename: &str) -> Result<rustls::PrivateKey, Error> { } -// ---- AWFUL COPYPASTA FROM rustls/verifier.rs -// ---- USED TO ALLOW TO VERIFY SERVER CERTIFICATE VALIDITY IN CHAIN -// ---- BUT DISREGARD HOSTNAME PARAMETER - -pub struct NoHostnameCertVerifier; - -type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm]; -static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384 -]; - -impl rustls::ServerCertVerifier for NoHostnameCertVerifier { - fn verify_server_cert(&self, - roots: &RootCertStore, - presented_certs: &[Certificate], - _dns_name: webpki::DNSNameRef, - _ocsp_response: &[u8]) -> Result<rustls::ServerCertVerified, TLSError> { - - if presented_certs.is_empty() { - return Err(TLSError::NoCertificatesPresented); - } - - let cert = webpki::EndEntityCert::from(&presented_certs[0].0) - .map_err(TLSError::WebPKIError)?; - - let chain = presented_certs.iter() - .skip(1) - .map(|cert| cert.0.as_ref()) - .collect::<Vec<_>>(); - - let trustroots: Vec<webpki::TrustAnchor> = roots.roots - .iter() - .map(|x| x.to_trust_anchor()) - .collect(); - - let now = webpki::Time::try_from(std::time::SystemTime::now()) - .map_err( |_ | TLSError::FailedToGetCurrentTime)?; - - cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, - &webpki::TLSServerTrustAnchors(&trustroots), &chain, now) - .map_err(TLSError::WebPKIError)?; - - Ok(rustls::ServerCertVerified::assertion()) - } -} - - // ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs // ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION |