forked/reqwest-impersonate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a tls_built_in_root_certs option for Client (#1150)

Browse Source
This commit is contained in:
Alexis Mousset
2021-01-27 15:39:36 +01:00
committed by GitHub
parent bd9ff9f371
commit 31b11c3f4c
3 changed files with 57 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/async_impl/client.rs
View File

@@ -94,6 +94,8 @@ struct Config {
#[cfg(feature = "__tls")]
root_certs: Vec<Certificate>,
#[cfg(feature = "__tls")]
tls_built_in_root_certs: bool,
#[cfg(feature = "__tls")]
tls: TlsBackend,
http2_only: bool,
http1_title_case_headers: bool,
@@ -146,6 +148,8 @@ impl ClientBuilder {
#[cfg(feature = "__tls")]
root_certs: Vec::new(),
#[cfg(feature = "__tls")]
tls_built_in_root_certs: true,
#[cfg(feature = "__tls")]
identity: None,
#[cfg(feature = "__tls")]
tls: TlsBackend::default(),
@@ -209,6 +213,8 @@ impl ClientBuilder {
tls.danger_accept_invalid_certs(!config.certs_verification);
tls.disable_built_in_roots(!config.tls_built_in_root_certs);
for cert in config.root_certs {
cert.add_to_native_tls(&mut tls);
}
@@ -261,10 +267,12 @@ impl ClientBuilder {
tls.set_protocols(&["h2".into(), "http/1.1".into()]);
}
#[cfg(feature = "rustls-tls-webpki-roots")]
if config.tls_built_in_root_certs {
tls.root_store
.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
}
#[cfg(feature = "rustls-tls-native-roots")]
{
if config.tls_built_in_root_certs {
let roots_slice = NATIVE_ROOTS.as_ref().unwrap().roots.as_slice();
tls.root_store.roots.extend_from_slice(roots_slice);
}
@@ -719,6 +727,23 @@ impl ClientBuilder {
self
}
/// Controls the use of built-in/preloaded certificates during certificate validation.
///
/// Defaults to `true` -- built-in system certs will be used.
///
/// # Optional
///
/// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
/// feature to be enabled.
#[cfg(feature = "__tls")]
pub fn tls_built_in_root_certs(
mut self,
tls_built_in_root_certs: bool,
) -> ClientBuilder {
self.config.tls_built_in_root_certs = tls_built_in_root_certs;
self
}
/// Sets the identity to be used for client certificate authentication.
///
/// # Optional

16
src/blocking/client.rs
View File

@@ -433,6 +433,22 @@ impl ClientBuilder {
self.with_inner(move |inner| inner.add_root_certificate(cert))
}
/// Controls the use of built-in system certificates during certificate validation.
///
/// Defaults to `true` -- built-in system certs will be used.
///
/// # Optional
///
/// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
/// feature to be enabled.
#[cfg(feature = "__tls")]
pub fn tls_built_in_root_certs(
self,
tls_built_in_root_certs: bool,
) -> ClientBuilder {
self.with_inner(move |inner| inner.tls_built_in_root_certs(tls_built_in_root_certs))
}
/// Sets the identity to be used for client certificate authentication.
#[cfg(feature = "__tls")]
pub fn identity(self, identity: Identity) -> ClientBuilder {

15
tests/badssl.rs
View File

@@ -59,6 +59,21 @@ async fn test_badssl_self_signed() {
assert!(text.contains("<title>self-signed.badssl.com</title>"));
}
#[cfg(feature = "__tls")]
#[tokio::test]
async fn test_badssl_no_built_in_roots() {
let result = reqwest::Client::builder()
.tls_built_in_root_certs(false)
.no_proxy()
.build()
.unwrap()
.get("https://mozilla-modern.badssl.com/")
.send()
.await;
assert!(result.is_err());
}
#[cfg(feature = "native-tls")]
#[tokio::test]
async fn test_badssl_wrong_host() {