diff --git a/Cargo.lock b/Cargo.lock index 21f7af84..9bf82b09 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -156,12 +156,6 @@ dependencies = [ "rustc-demangle", ] -[[package]] -name = "base64" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" - [[package]] name = "base64" version = "0.21.2" @@ -693,9 +687,9 @@ checksum = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7" [[package]] name = "fastly-shared" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54a9c7b53bc63f8c1a1d195c7841bff2733d42982a4cdbed5a5d14bd6a17ef3d" +checksum = "ea8c7df017449664ec1ee065dac781b5d4ab405e44533c2483cfb31b3f1c6124" dependencies = [ "bitflags 1.3.2", "http", @@ -1742,29 +1736,47 @@ dependencies = [ [[package]] name = "rustls" -version = "0.19.1" +version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" +checksum = "79ea77c539259495ce8ca47f53e66ae0330a8819f67e23ac96ca02f50e7b7d36" dependencies = [ - "base64 0.13.1", "log", "ring", + "rustls-webpki", "sct", - "webpki", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls", + "rustls-pemfile", "schannel", "security-framework", ] +[[package]] +name = "rustls-pemfile" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d3987094b1d07b653b7dfdc3f70ce9a1da9c51ac18c1b06b662e4f9a0e9f4b2" +dependencies = [ + "base64", +] + +[[package]] +name = "rustls-webpki" +version = "0.101.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15f36a6828982f422756984e47912a7a51dcbc2a197aa791158f8ca61cd8204e" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "ryu" version = "1.0.14" @@ -1797,9 +1809,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "sct" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ "ring", "untrusted", @@ -2118,13 +2130,12 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.22.0" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ "rustls", "tokio", - "webpki", ] [[package]] @@ -2382,7 +2393,6 @@ dependencies = [ "wasmtime", "wasmtime-wasi", "wasmtime-wasi-nn", - "webpki", "wiggle", ] @@ -2611,7 +2621,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "efc78cfe1a758d1336f447a47af6ec05e0df2c03c93440d70faf80e17fbb001e" dependencies = [ "anyhow", - "base64 0.21.2", + "base64", "bincode", "directories-next", "file-per-thread-logger", @@ -2914,16 +2924,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "wiggle" version = "10.0.1" diff --git a/cli/tests/trap-test/Cargo.lock b/cli/tests/trap-test/Cargo.lock index 86224997..26524d09 100644 --- a/cli/tests/trap-test/Cargo.lock +++ b/cli/tests/trap-test/Cargo.lock @@ -131,12 +131,6 @@ dependencies = [ "rustc-demangle", ] -[[package]] -name = "base64" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" - [[package]] name = "base64" version = "0.21.2" @@ -633,9 +627,9 @@ checksum = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7" [[package]] name = "fastly-shared" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54a9c7b53bc63f8c1a1d195c7841bff2733d42982a4cdbed5a5d14bd6a17ef3d" +checksum = "ea8c7df017449664ec1ee065dac781b5d4ab405e44533c2483cfb31b3f1c6124" dependencies = [ "bitflags 1.3.2", "http", @@ -1680,29 +1674,47 @@ dependencies = [ [[package]] name = "rustls" -version = "0.19.1" +version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" +checksum = "79ea77c539259495ce8ca47f53e66ae0330a8819f67e23ac96ca02f50e7b7d36" dependencies = [ - "base64 0.13.1", "log", "ring", + "rustls-webpki", "sct", - "webpki", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls", + "rustls-pemfile", "schannel", "security-framework", ] +[[package]] +name = "rustls-pemfile" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d3987094b1d07b653b7dfdc3f70ce9a1da9c51ac18c1b06b662e4f9a0e9f4b2" +dependencies = [ + "base64", +] + +[[package]] +name = "rustls-webpki" +version = "0.101.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15f36a6828982f422756984e47912a7a51dcbc2a197aa791158f8ca61cd8204e" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "ryu" version = "1.0.14" @@ -1735,9 +1747,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "sct" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ "ring", "untrusted", @@ -2036,13 +2048,12 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.22.0" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ "rustls", "tokio", - "webpki", ] [[package]] @@ -2298,7 +2309,6 @@ dependencies = [ "wasmtime", "wasmtime-wasi", "wasmtime-wasi-nn", - "webpki", "wiggle", ] @@ -2527,7 +2537,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "efc78cfe1a758d1336f447a47af6ec05e0df2c03c93440d70faf80e17fbb001e" dependencies = [ "anyhow", - "base64 0.21.2", + "base64", "bincode", "directories-next", "file-per-thread-logger", @@ -2830,16 +2840,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "wiggle" version = "10.0.1" diff --git a/lib/Cargo.toml b/lib/Cargo.toml index 9be80538..e00df133 100644 --- a/lib/Cargo.toml +++ b/lib/Cargo.toml @@ -37,15 +37,15 @@ hyper = { workspace = true } itertools = { workspace = true } lazy_static = "^1.4.0" regex = "^1.3.9" -rustls = "^0.19.1" -rustls-native-certs = "^0.5.0" +rustls = "^0.21.1" +rustls-native-certs = "^0.6.3" semver = "^0.10.0" serde = "^1.0.145" serde_derive = "^1.0.114" serde_json = { workspace = true } thiserror = "^1.0.37" tokio = { workspace = true } -tokio-rustls = "^0.22.0" +tokio-rustls = "^0.24.1" toml = "^0.5.9" tracing = { workspace = true } tracing-futures = { workspace = true } @@ -54,7 +54,6 @@ wasi-common = { workspace = true } wasmtime = { workspace = true } wasmtime-wasi = "10.0.0" wasmtime-wasi-nn = "10.0.0" -webpki = "^0.21.0" wiggle = "10.0.0" [dev-dependencies] diff --git a/lib/src/upstream.rs b/lib/src/upstream.rs index e58b401a..4b2f5aff 100644 --- a/lib/src/upstream.rs +++ b/lib/src/upstream.rs @@ -9,6 +9,7 @@ use crate::{ use futures::Future; use http::{uri, HeaderValue}; use hyper::{client::HttpConnector, header, Client, HeaderMap, Request, Response, Uri}; +use rustls::client::ServerName; use std::{ io, pin::Pin, @@ -22,7 +23,6 @@ use tokio::{ }; use tokio_rustls::{client::TlsStream, TlsConnector}; use tracing::warn; -use webpki::DNSNameRef; static GZIP_VALUES: [HeaderValue; 2] = [ HeaderValue::from_static("gzip"), @@ -41,19 +41,23 @@ pub struct TlsConfig { } fn setup_rustls(with_sni: bool) -> Result { - let mut config = rustls::ClientConfig::new(); - config.root_store = match rustls_native_certs::load_native_certs() { - Ok(store) => store, - Err((Some(store), err)) => { - warn!(%err, "some certificates could not be loaded"); - store + let mut roots = rustls::RootCertStore::empty(); + match rustls_native_certs::load_native_certs() { + Ok(certs) => { + for cert in certs { + roots.add(&rustls::Certificate(cert.0)).unwrap(); + } } - Err((None, err)) => return Err(Error::BadCerts(err)), - }; - if config.root_store.is_empty() { + Err(err) => return Err(Error::BadCerts(err)), + } + if roots.is_empty() { warn!("no CA certificates available"); } - config.alpn_protocols.clear(); + + let mut config = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(roots) + .with_no_client_auth(); config.enable_sni = with_sni; Ok(config) } @@ -134,7 +138,7 @@ impl hyper::service::Service for BackendConnector { .as_deref() .or_else(|| backend.uri.host()) .unwrap_or_default(); - let dnsname = DNSNameRef::try_from_ascii_str(cert_host).map_err(Box::new)?; + let dnsname = ServerName::try_from(cert_host).map_err(Box::new)?; let tls = connector.connect(dnsname, tcp).await.map_err(Box::new)?; Ok(Connection::Https(Box::new(tls))) diff --git a/test-fixtures/Cargo.lock b/test-fixtures/Cargo.lock index d477aaa6..539386b5 100644 --- a/test-fixtures/Cargo.lock +++ b/test-fixtures/Cargo.lock @@ -55,9 +55,9 @@ dependencies = [ [[package]] name = "fastly" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99ae567cb5ba0b3ba601bd77471156595d3996c8345cdb26e6196818d889d6c2" +checksum = "1b59249dde10f901c578a8eb50577e3c6ee062b0e75f70f9d852da05b75c664d" dependencies = [ "anyhow", "bytes", @@ -79,9 +79,9 @@ dependencies = [ [[package]] name = "fastly-macros" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32cf8d740210ace2fc3ec8910aee3def804b093e81fb991293ce83a159940099" +checksum = "d68ee83e8e1c9613d0448f50687a363b289501952f3c046f6cbdcdd82f29e7c2" dependencies = [ "proc-macro2", "quote", @@ -90,9 +90,9 @@ dependencies = [ [[package]] name = "fastly-shared" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54a9c7b53bc63f8c1a1d195c7841bff2733d42982a4cdbed5a5d14bd6a17ef3d" +checksum = "ea8c7df017449664ec1ee065dac781b5d4ab405e44533c2483cfb31b3f1c6124" dependencies = [ "bitflags", "http", @@ -101,9 +101,9 @@ dependencies = [ [[package]] name = "fastly-sys" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "564dc930a14b7b358a1c28fa8a32d9ac7eef55afb43d0c6ea138b9892b825804" +checksum = "50a5c0dc150d4e1eb2bfdbe169df6bed8d7fafda38ac5a792d800544b35d6b58" dependencies = [ "bitflags", "fastly-shared",