Description: use older branches of the crates rustls, rustls-native-certs and webpki-roots
 This essentially reverts upstream git commits fdad48c 297052e 846950b.
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2024-09-16
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,11 +17,9 @@
 flate2 = { version = "1", optional = true }
 httparse = "1.8"
 native-tls = { version = "0.2.11", optional = true }
-rustls = { version = "0.23.16", optional = true, default-features = false, features = ["std", "tls12"] }
-rustls-native-certs = { version = "0.8", optional = true }
-rustls-pki-types = { version = "1.10", optional = true }
-rustls-platform-verifier = { version = "0.5", optional = true }
-webpki-roots = { version = "0.26", optional = true }
+rustls = { version = "0.21.7", optional = true }
+rustls-native-certs = { version = "0.6.3", optional = true }
+webpki-roots = { version = "0.25", optional = true }
 url = "2.4"
 
 [dev-dependencies]
@@ -29,12 +27,12 @@
 
 [features]
 default = ["client", "server"]
-rustls-ring-platform-verifier = ["rustls/ring", "rustls-pki-types", "rustls-platform-verifier"]
-rustls-ring-native = ["rustls/ring", "rustls-native-certs", "rustls-pki-types"]
-rustls-ring-webpki = ["rustls/ring", "rustls-pki-types", "webpki-roots"]
-rustls-aws-lc-platform-verifier = ["rustls/aws_lc_rs", "rustls-pki-types", "rustls-platform-verifier"]
-rustls-aws-lc-native = ["rustls/aws_lc_rs", "rustls-native-certs", "rustls-pki-types"]
-rustls-aws-lc-webpki = ["rustls/aws_lc_rs", "rustls-pki-types", "webpki-roots"]
+rustls-ring-platform-verifier = []
+rustls-ring-native = ["rustls", "rustls-native-certs"]
+rustls-ring-webpki = ["rustls", "webpki-roots"]
+rustls-aws-lc-platform-verifier = []
+rustls-aws-lc-native = []
+rustls-aws-lc-webpki = []
 client = []
 server = []
 
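Review bot: The four features now set to `[]` (`rustls-ring-platform-verifier` and the three `rustls-aws-lc-*`) still resolve for dependants but no longer enable `rustls` or any root source, so a crate that selects one of them builds without the TLS backend it asked for. Judging by the `cfg(feature = "rustls")` gates in src/client.rs, the rustls code path is then compiled out; how `wss://` URLs behave in such a build is not visible here. If the stubs have to stay so that dependants still resolve, a comment above them such as `# Debian: no-op stubs kept for dependants; these enable no TLS backend` would make the behaviour explicit. Mapping them to `rustls-ring-native` or `rustls-ring-webpki` instead would change the crypto provider and trust source a dependant asked for, so that should be a deliberate, documented choice.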
--- a/src/client.rs
+++ b/src/client.rs
@@ -7,6 +7,8 @@
 use crate::utils::{invalid_data_error, invalid_input_error};
 #[cfg(feature = "native-tls")]
 use native_tls::TlsConnector;
+#[cfg(all(feature = "rustls", feature = "webpki-roots"))]
+use rustls::OwnedTrustAnchor;
 #[cfg(all(
     feature = "rustls",
     not(feature = "native-tls"),
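Review bot: The gate on the new `use rustls::OwnedTrustAnchor;` is wider than its only visible use, which sits under `feature = "webpki-roots", not(feature = "rustls-native-certs")` further down in this patch. A build with both `webpki-roots` and `rustls-native-certs` enabled therefore gets an unused import, which becomes a build failure if the crate denies warnings (not visible here). Adding `not(feature = "rustls-native-certs")` to the attribute, ideally mirroring the cfg already used for the `TLS_SERVER_ROOTS` import, keeps the import and its use in step.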
@@ -14,15 +16,13 @@
 ))]
 use rustls::RootCertStore;
 #[cfg(all(feature = "rustls", not(feature = "native-tls")))]
-use rustls::{ClientConfig, ClientConnection, StreamOwned};
+use rustls::{ClientConfig, ClientConnection, ServerName, StreamOwned};
 #[cfg(all(
     feature = "rustls-native-certs",
     not(feature = "rustls-platform-verifier"),
     not(feature = "native-tls")
 ))]
 use rustls_native_certs::load_native_certs;
-#[cfg(all(feature = "rustls", not(feature = "native-tls")))]
-use rustls_pki_types::ServerName;
 #[cfg(all(
     feature = "rustls",
     feature = "rustls-platform-verifier",
@@ -241,25 +241,38 @@
                         }
                         #[cfg(not(feature = "rustls-platform-verifier"))]
                         {
+                            let mut root_store = RootCertStore::empty();
                             #[cfg(feature = "rustls-native-certs")]
-                            let root_store = {
-                                let mut root_store = RootCertStore::empty();
-                                for cert in load_native_certs().certs {
-                                    root_store.add(cert).unwrap();
+                            {
+                                match load_native_certs() {
+                                    Ok(certs) => {
+                                        for cert in certs {
+                                            root_store.add_parsable_certificates(&[cert.0]);
+                                        }
+                                    }
+                                    Err(e) => panic!("Error loading TLS certificates: {}", e),
                                 }
-                                root_store
-                            };
+                            }
 
                             #[cfg(all(
                                 feature = "webpki-roots",
                                 not(feature = "rustls-native-certs")
                             ))]
-                            let root_store = RootCertStore {
-                                roots: TLS_SERVER_ROOTS.to_vec(),
-                            };
+                            {
+                                root_store.add_trust_anchors(TLS_SERVER_ROOTS.iter().map(
+                                    |trust_anchor| {
+                                        OwnedTrustAnchor::from_subject_spki_name_constraints(
+                                            trust_anchor.subject,
+                                            trust_anchor.spki,
+                                            trust_anchor.name_constraints,
+                                        )
+                                    },
+                                ));
+                            }
 
                             Arc::new(
                                 ClientConfig::builder()
+                                    .with_safe_defaults()
                                     .with_root_certificates(root_store)
                                     .with_no_client_auth(),
                             )
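Review bot: The `(valid, invalid)` counts returned by `root_store.add_parsable_certificates(&[cert.0])` are discarded, so native certificates that fail to parse are skipped silently and an entirely unusable store only shows up later as a certificate-verification failure on every connection. A check after the loop, e.g. `if root_store.is_empty() { panic!("No usable TLS root certificates found") }`, reports the problem at the same point as the existing `Err` arm, and it would also catch a build with `rustls` enabled but neither root-source feature, where `root_store` stays empty. The `panic!` on a `load_native_certs()` error aborts the caller for a recoverable I/O condition. Whether the enclosing closure could return an error instead cannot be told from here, since it begins and ends outside this hunk.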
@@ -267,8 +280,7 @@
                     });
                     let addresses = get_and_validate_socket_addresses(request.url(), 443)?;
                     let dns_name = ServerName::try_from(host)
-                        .map_err(invalid_input_error)?
-                        .to_owned();
+                        .map_err(invalid_input_error)?;
                     let connection = ClientConnection::new(Arc::clone(rustls_config), dns_name)
                         .map_err(|e| Error::new(ErrorKind::Other, e))?;
                     let stream = StreamOwned::new(connection, self.connect(&addresses)?);
