Description: avoid not-in-Debian crate webpki-roots
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2025-02-24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -41,7 +41,7 @@
 tokio = { version = "1.23", features = ["net", "io-util", "time"]}
 rustls = { version = "0.23", default-features = false, features = ["std"]}
 tokio-rustls = { version = "0.26", default-features = false }
-webpki-roots = { version = "0.26"}
+rustls-platform-verifier = "0.5"
 rustls-pki-types = { version = "1" }
 gethostname = { version = ">= 0.4.3, <= 0.5"}
 
--- a/src/smtp/tls.rs
+++ b/src/smtp/tls.rs
@@ -12,9 +12,10 @@
 
 use rustls::{
     client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    ClientConfig, ClientConnection, RootCertStore, SignatureScheme,
+    ClientConfig, ClientConnection, SignatureScheme,
 };
-use rustls_pki_types::{ServerName, TrustAnchor};
+use rustls_pki_types::ServerName;
+use rustls_platform_verifier::BuilderVerifierExt;
 use tokio::net::TcpStream;
 use tokio_rustls::{client::TlsStream, TlsConnector};
 
@@ -79,16 +80,8 @@
 
 pub fn build_tls_connector(allow_invalid_certs: bool) -> TlsConnector {
     let config = if !allow_invalid_certs {
-        let mut root_cert_store = RootCertStore::empty();
-
-        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| TrustAnchor {
-            subject: ta.subject.clone(),
-            subject_public_key_info: ta.subject_public_key_info.clone(),
-            name_constraints: ta.name_constraints.clone(),
-        }));
-
         ClientConfig::builder()
-            .with_root_certificates(root_cert_store)
+            .with_platform_verifier()
             .with_no_client_auth()
     } else {
         ClientConfig::builder()
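Review bot: With `.with_platform_verifier()` the strict branch of `build_tls_connector` now trusts whatever roots the host's trust store holds instead of the fixed webpki-roots set, and nothing in the function or the patch header records that change. On Linux this crate is expected to read the system CA bundle, so on a host without one (minimal container, chroot) verified SMTP connections would presumably fail at handshake time rather than in this function; the Debian package likely needs a dependency on the system CA bundle, which is not visible in this patch. I would add a doc comment above the function such as `/// Verifies server certificates against the platform trust store; locally installed CAs are trusted, and a missing store makes every verified handshake fail.` The function body continues past the end of the hunk, so the `allow_invalid_certs` branch is not reviewed here.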
