mirrors/ntex
1
0
Fork 0
mirror of https://github.com/ntex-rs/ntex.git synced 2025-04-04 13:27:39 +03:00
Code Issues Projects Releases Packages Wiki Activity

Bump rustls to 0.20.x (#62)

Browse source 
* Update to rustls 0.20.x and apapt code to rustls breaking changes
This commit is contained in:
Andrey Voronkov 2021-11-21 07:22:50 +03:00 committed by GitHub
parent b23706e898
commit a5ecfa88f1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 147 additions and 77 deletions
Download patch file Download diff file Expand all files Collapse all files

9
ntex/CHANGES.md
View file

@ -1,5 +1,14 @@
# Changes
## [0.4.9] - 2021-11-20
* Update rustls to 0.20
* Update webpki to 0.22
* Update webpki-roots to 0.22
* Update tokio-rustls to 0.23
* Update tokio-ssl to 0.6.3
* Adapt code for rustls breaking changes
## [0.4.8] - 2021-11-08
* Add Clone impl for connect::ConnectError

17
ntex/Cargo.toml
View file

@ -1,6 +1,6 @@
[package]
name = "ntex"
version = "0.4.8"
version = "0.4.9"
authors = ["ntex contributors <team@ntex.rs>"]
description = "Framework for composable network services"
readme = "README.md"
@ -27,7 +27,7 @@ default = ["http-framework"]
openssl = ["open-ssl", "tokio-openssl"]
# rustls support
rustls = ["rust-tls", "webpki", "webpki-roots", "tokio-rustls"]
rustls = ["rust-tls", "rustls-pemfile", "tokio-rustls", "webpki", "webpki-roots"]
# enable compressison support
compress = ["flate2", "brotli2"]
@ -86,13 +86,14 @@ coo-kie = { version = "0.15", package = "cookie", optional = true }
# openssl
open-ssl = { version="0.10", package = "openssl", optional = true }
tokio-openssl = { version = "0.6.2", optional = true }
tokio-openssl = { version = "0.6.3", optional = true }
# rustls
rust-tls = { version = "0.19", package = "rustls", optional = true }
webpki = { version = "0.21", optional = true }
webpki-roots = { version = "0.21", optional = true }
tokio-rustls = { version = "0.22", optional = true }
rust-tls = { version = "0.20", package = "rustls", optional = true }
rustls-pemfile = { version = "0.2", optional = true }
tokio-rustls = { version = "0.23", optional = true }
webpki = { version = "0.22", optional = true }
webpki-roots = { version = "0.22", optional = true }
# compression
brotli2 = { version="0.3.2", optional = true }
@ -103,6 +104,6 @@ env_logger = "0.9"
rand = "0.8"
time = "0.2"
open-ssl = { version="0.10", package = "openssl" }
rust-tls = { version = "0.19", package="rustls", features = ["dangerous_configuration"] }
rust-tls = { version = "0.20", package="rustls", features = ["dangerous_configuration"] }
webpki = "0.21"
futures = "0.3.16"

32
ntex/src/connect/rustls.rs
View file

@ -1,10 +1,11 @@
use std::{future::Future, io, pin::Pin, sync::Arc, task::Context, task::Poll};
use std::{
convert::TryFrom, future::Future, io, pin::Pin, sync::Arc, task::Context, task::Poll,
};
pub use rust_tls::Session;
pub use tokio_rustls::{client::TlsStream, rustls::ClientConfig};
use rust_tls::ServerName;
use tokio_rustls::{self, TlsConnector};
use webpki::DNSNameRef;
use crate::rt::net::TcpStream;
use crate::service::{Service, ServiceFactory};
@ -45,12 +46,12 @@ impl<T: Address + 'static> RustlsConnector<T> {
let io = conn.await?;
trace!("SSL Handshake start for: {:?}", host);
let host = DNSNameRef::try_from_ascii_str(&host)
let host = ServerName::try_from(host.as_str())
.map_err(|e| io::Error::new(io::ErrorKind::Other, format!("{}", e)))?;
match TlsConnector::from(config).connect(host, io).await {
match TlsConnector::from(config).connect(host.clone(), io).await {
Ok(io) => {
trace!("SSL Handshake success: {:?}", host);
trace!("SSL Handshake success: {:?}", &host);
Ok(io)
}
Err(e) => {
@ -105,6 +106,7 @@ impl<T: Address + 'static> Service for RustlsConnector<T> {
mod tests {
use super::*;
use crate::service::{Service, ServiceFactory};
use rust_tls::{OwnedTrustAnchor, RootCertStore};
#[crate::rt_test]
async fn test_rustls_connect() {
@ -112,10 +114,20 @@ mod tests {
crate::service::fn_service(|_| async { Ok::<_, ()>(()) })
});
let mut config = ClientConfig::new();
config
.root_store
.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
let mut cert_store = RootCertStore::empty();
cert_store.add_server_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}),
);
let config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(cert_store)
.with_no_client_auth();
let factory = RustlsConnector::new(Arc::new(config)).clone();
let srv = factory.new_service(()).await.unwrap();

26
ntex/src/http/client/connector.rs
View file

@ -84,12 +84,24 @@ impl Connector {
}
#[cfg(all(not(feature = "openssl"), feature = "rustls"))]
{
use rust_tls::{OwnedTrustAnchor, RootCertStore};
let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
let mut config = ClientConfig::new();
config.set_protocols(&protos);
config
.root_store
.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
let mut cert_store = RootCertStore::empty();
cert_store.add_server_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}),
);
let mut config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(cert_store)
.with_no_client_auth();
config.alpn_protocols = protos;
conn.rustls(Arc::new(config))
}
#[cfg(not(any(feature = "openssl", feature = "rustls")))]
@ -132,14 +144,14 @@ impl Connector {
#[cfg(feature = "rustls")]
/// Use rustls connector for secured connections.
pub fn rustls(self, connector: Arc<ClientConfig>) -> Self {
use crate::connect::rustls::{RustlsConnector, Session};
use crate::connect::rustls::RustlsConnector;
const H2: &[u8] = b"h2";
self.secure_connector(RustlsConnector::new(connector).map(|sock| {
let h2 = sock
.get_ref()
.1
.get_alpn_protocol()
.alpn_protocol()
.map(|protos| protos.windows(2).any(|w| w == H2))
.unwrap_or(false);
if h2 {

2
ntex/src/http/h2/service.rs
View file

@ -167,7 +167,7 @@ mod rustls {
InitError = S::InitError,
> {
let protos = vec!["h2".to_string().into()];
config.set_protocols(&protos);
config.alpn_protocols = protos;
pipeline_factory(
Acceptor::new(config)

6
ntex/src/http/service.rs
View file

@ -283,7 +283,7 @@ mod openssl {
#[cfg(feature = "rustls")]
mod rustls {
use super::*;
use crate::server::rustls::{Acceptor, ServerConfig, Session, TlsStream};
use crate::server::rustls::{Acceptor, ServerConfig, TlsStream};
use crate::server::SslError;
impl<S, B, X, U> HttpService<TlsStream<TcpStream>, S, B, X, U>
@ -322,7 +322,7 @@ mod rustls {
InitError = (),
> {
let protos = vec!["h2".to_string().into(), "http/1.1".to_string().into()];
config.set_protocols(&protos);
config.alpn_protocols = protos;
pipeline_factory(
Acceptor::new(config)
@ -334,7 +334,7 @@ mod rustls {
let proto = io
.get_ref()
.1
.get_alpn_protocol()
.alpn_protocol()
.and_then(|protos| {
if protos.windows(2).any(|window| window == b"h2") {
Some(Protocol::Http2)

2
ntex/src/server/rustls.rs
View file

@ -3,7 +3,7 @@ use std::{error::Error, future::Future, io, marker::PhantomData, pin::Pin, sync:
use tokio_rustls::{Accept, TlsAcceptor};
pub use rust_tls::{ServerConfig, Session};
pub use rust_tls::ServerConfig;
pub use tokio_rustls::server::TlsStream;
pub use webpki_roots::TLS_SERVER_ROOTS;

29
ntex/tests/http_awc_rustls_client.rs
View file

@ -35,17 +35,22 @@ fn ssl_acceptor() -> SslAcceptor {
}
mod danger {
use rust_tls::{Certificate, ServerName};
use std::time::SystemTime;
pub struct NoCertificateVerification {}
impl rust_tls::ServerCertVerifier for NoCertificateVerification {
impl rust_tls::client::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_roots: &rust_tls::RootCertStore,
_presented_certs: &[rust_tls::Certificate],
_dns_name: webpki::DNSNameRef<'_>,
_ocsp: &[u8],
) -> Result<rust_tls::ServerCertVerified, rust_tls::TLSError> {
Ok(rust_tls::ServerCertVerified::assertion())
_end_entity: &Certificate,
_intermediates: &[Certificate],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8],
_now: SystemTime,
) -> Result<rust_tls::client::ServerCertVerified, rust_tls::TLSError> {
Ok(rust_tls::client::ServerCertVerified::assertion())
}
}
}
@ -76,12 +81,12 @@ async fn test_connection_reuse_h2() {
});
// disable ssl verification
let mut config = ClientConfig::new();
let mut config = ClientConfig::builder()
.with_safe_defaults()
.with_custom_certificate_verifier(Arc::new(danger::NoCertificateVerification {}))
.with_no_client_auth();
let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
config.set_protocols(&protos);
config
.dangerous()
.set_certificate_verifier(Arc::new(danger::NoCertificateVerification {}));
config.alpn_protocols = protos;
let client = Client::build()
.connector(Connector::default().rustls(Arc::new(config)).finish())

23
ntex/tests/http_rustls.rs
View file

@ -4,10 +4,8 @@ use std::io::{self, BufReader};
use futures::future::{self, err, ok};
use futures::stream::{once, Stream, StreamExt};
use rust_tls::{
internal::pemfile::{certs, pkcs8_private_keys},
NoClientAuth, ServerConfig as RustlsServerConfig,
};
use rust_tls::{Certificate, PrivateKey, ServerConfig as RustlsServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
use ntex::http::error::PayloadError;
use ntex::http::header::{self, HeaderName, HeaderValue};
@ -30,13 +28,20 @@ where
fn ssl_acceptor() -> RustlsServerConfig {
// load ssl keys
let mut config = RustlsServerConfig::new(NoClientAuth::new());
let cert_file = &mut BufReader::new(File::open("./tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("./tests/key.pem").unwrap());
let cert_chain = certs(cert_file).unwrap();
let mut keys = pkcs8_private_keys(key_file).unwrap();
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
config
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
RustlsServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap()
}
#[ntex::test]

21
ntex/tests/web_httpserver.rs
View file

@ -150,10 +150,8 @@ async fn test_rustls() {
use std::io::BufReader;
use ntex::web::HttpRequest;
use rust_tls::{
internal::pemfile::{certs, pkcs8_private_keys},
NoClientAuth, ServerConfig as RustlsServerConfig,
};
use rust_tls::{Certificate, PrivateKey, ServerConfig as RustlsServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
let addr = TestServer::unused_addr();
let (tx, rx) = mpsc::channel();
@ -162,12 +160,19 @@ async fn test_rustls() {
let mut sys = ntex::rt::System::new("test");
// load ssl keys
let mut config = RustlsServerConfig::new(NoClientAuth::new());
let cert_file = &mut BufReader::new(File::open("./tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("./tests/key.pem").unwrap());
let cert_chain = certs(cert_file).unwrap();
let mut keys = pkcs8_private_keys(key_file).unwrap();
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let config = RustlsServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
let srv = sys.exec(|| {
HttpServer::new(|| {

57
ntex/tests/web_server.rs
View file

@ -847,8 +847,8 @@ async fn test_brotli_encoding_large_openssl_h2() {
#[cfg(all(feature = "rustls", feature = "openssl"))]
#[ntex::test]
async fn test_reading_deflate_encoding_large_random_rustls() {
use rust_tls::internal::pemfile::{certs, pkcs8_private_keys};
use rust_tls::{NoClientAuth, ServerConfig};
use rust_tls::{Certificate, PrivateKey, ServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
use std::fs::File;
use std::io::BufReader;
@ -859,12 +859,19 @@ async fn test_reading_deflate_encoding_large_random_rustls() {
.collect::<String>();
// load ssl keys
let mut config = ServerConfig::new(NoClientAuth::new());
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file).unwrap();
let mut keys = pkcs8_private_keys(key_file).unwrap();
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
let srv = test::server_with(test::config().rustls(config), || {
App::new().service(web::resource("/").route(web::to(|bytes: Bytes| async {
@ -898,8 +905,8 @@ async fn test_reading_deflate_encoding_large_random_rustls() {
#[cfg(all(feature = "rustls", feature = "openssl"))]
#[ntex::test]
async fn test_reading_deflate_encoding_large_random_rustls_h1() {
use rust_tls::internal::pemfile::{certs, pkcs8_private_keys};
use rust_tls::{NoClientAuth, ServerConfig};
use rust_tls::{Certificate, PrivateKey, ServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
use std::fs::File;
use std::io::BufReader;
@ -910,12 +917,19 @@ async fn test_reading_deflate_encoding_large_random_rustls_h1() {
.collect::<String>();
// load ssl keys
let mut config = ServerConfig::new(NoClientAuth::new());
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file).unwrap();
let mut keys = pkcs8_private_keys(key_file).unwrap();
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
let srv = test::server_with(test::config().rustls(config).h1(), || {
App::new().service(web::resource("/").route(web::to(|bytes: Bytes| async {
@ -949,8 +963,8 @@ async fn test_reading_deflate_encoding_large_random_rustls_h1() {
#[cfg(all(feature = "rustls", feature = "openssl"))]
#[ntex::test]
async fn test_reading_deflate_encoding_large_random_rustls_h2() {
use rust_tls::internal::pemfile::{certs, pkcs8_private_keys};
use rust_tls::{NoClientAuth, ServerConfig};
use rust_tls::{Certificate, PrivateKey, ServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
use std::fs::File;
use std::io::BufReader;
@ -961,12 +975,19 @@ async fn test_reading_deflate_encoding_large_random_rustls_h2() {
.collect::<String>();
// load ssl keys
let mut config = ServerConfig::new(NoClientAuth::new());
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file).unwrap();
let mut keys = pkcs8_private_keys(key_file).unwrap();
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
let srv = test::server_with(test::config().rustls(config).h2(), || {
App::new().service(web::resource("/").route(web::to(|bytes: Bytes| async {