Description: avoid not-in-Debian crate webpki-roots
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2025-02-24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -41,7 +41,7 @@
tokio = { version = "1.23", features = ["net", "io-util", "time"]}
rustls = { version = "0.23", default-features = false, features = ["std"]}
tokio-rustls = { version = "0.26", default-features = false }
-webpki-roots = { version = "0.26"}
+rustls-platform-verifier = "0.5"
rustls-pki-types = { version = "1" }
gethostname = { version = ">= 0.4.3, <= 0.5"}
--- a/src/smtp/tls.rs
+++ b/src/smtp/tls.rs
@@ -12,9 +12,10 @@
use rustls::{
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
- ClientConfig, ClientConnection, RootCertStore, SignatureScheme,
+ ClientConfig, ClientConnection, SignatureScheme,
};
-use rustls_pki_types::{ServerName, TrustAnchor};
+use rustls_pki_types::ServerName;
+use rustls_platform_verifier::BuilderVerifierExt;
use tokio::net::TcpStream;
use tokio_rustls::{client::TlsStream, TlsConnector};
@@ -79,16 +80,8 @@
pub fn build_tls_connector(allow_invalid_certs: bool) -> TlsConnector {
let config = if !allow_invalid_certs {
- let mut root_cert_store = RootCertStore::empty();
-
- root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| TrustAnchor {
- subject: ta.subject.clone(),
- subject_public_key_info: ta.subject_public_key_info.clone(),
- name_constraints: ta.name_constraints.clone(),
- }));
-
ClientConfig::builder()
- .with_root_certificates(root_cert_store)
+ .with_platform_verifier()
.with_no_client_auth()
} else {
ClientConfig::builder()
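Review bot: The trusted roots behind `.with_platform_verifier()` now come from the host's certificate store rather than a list compiled into the binary, and the new code carries no comment saying so. Where that store is empty or absent (presumably a minimal install or container without a CA bundle), verification is likely to fail for every server, and any locally added root becomes trusted for SMTP as well. I would add above the call: `// Roots come from the OS trust store via rustls-platform-verifier; a missing or empty store fails every handshake.` The packaging should probably also declare a dependency on the system CA bundle, which this patch does not show. The body of build_tls_connector continues past the end of the hunk.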