Update deps and configure TLS with new stuff

2026-05-02 04:13:58 -04:00 · 2024-08-20 23:05:57 -03:00
parent aeb102abfb
commit 63b43bb2ed
3 changed files with 50 additions and 26 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/core/crates/cloud-services/Cargo.toml
+++ b/core/crates/cloud-services/Cargo.toml
@@ -27,18 +27,14 @@ tracing             = { workspace = true }
 zeroize             = { workspace = true }

 # External dependencies
-iroh-base          = { version = "0.22.0", features = ["key"] }
-postcard           = { version = "1.0.8", features = ["use-std"] }
-quic-rpc           = { version = "0.11.0", features = ["quinn-transport"] }
-quinn              = { package = "iroh-quinn", version = "=0.10.5" }
-reqwest-middleware = { version = "0.3", features = ["json"] }
-reqwest-retry      = "0.6"
-
-[dependencies.rustls-old]
-default-features = false
-features         = ["dangerous_configuration", "logging", "quic"]
-package          = "rustls"
-version          = "0.21.12"                                      # Update blocked by quic-rpc
+iroh-base                = { version = "0.23.0", features = ["key"] }
+postcard                 = { version = "1.0.8", features = ["use-std"] }
+quic-rpc                 = { version = "0.12.0", features = ["quinn-transport"] }
+quinn                    = { package = "iroh-quinn", version = "=0.11.3" }
+reqwest-middleware       = { version = "0.3", features = ["json"] }
+reqwest-retry            = "0.6"
+rustls                   = { version = "0.23", default-features = false, features = ["ring"] }
+rustls-platform-verifier = "0.3.3"


 [dev-dependencies]
--- a/core/crates/cloud-services/src/cloud_client.rs
+++ b/core/crates/cloud-services/src/cloud_client.rs
@@ -3,7 +3,7 @@ use sd_cloud_schema::{Client, Service};
 use std::{net::SocketAddr, sync::Arc, time::Duration};

 use quic_rpc::{transport::quinn::QuinnConnection, RpcClient};
-use quinn::{ClientConfig, Endpoint};
+use quinn::{crypto::rustls::QuicClientConfig, ClientConfig, Endpoint};
 use reqwest::{IntoUrl, Url};
 use reqwest_middleware::{reqwest, ClientBuilder, ClientWithMiddleware};
 use reqwest_retry::{policies::ExponentialBackoff, RetryTransientMiddleware};
@@ -114,36 +114,64 @@ impl CloudServices {
 		let crypto_config = {
 			#[cfg(debug_assertions)]
 			{
+				#[derive(Debug)]
 				struct SkipServerVerification;
-				impl rustls_old::client::ServerCertVerifier for SkipServerVerification {
+				impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
 					fn verify_server_cert(
 						&self,
-						_end_entity: &rustls_old::Certificate,
-						_intermediates: &[rustls_old::Certificate],
-						_server_name: &rustls_old::ServerName,
-						_scts: &mut dyn Iterator<Item = &[u8]>,
+						_end_entity: &rustls::pki_types::CertificateDer<'_>,
+						_intermediates: &[rustls::pki_types::CertificateDer<'_>],
+						_server_name: &rustls::pki_types::ServerName<'_>,
 						_ocsp_response: &[u8],
-						_now: std::time::SystemTime,
-					) -> Result<rustls_old::client::ServerCertVerified, rustls_old::Error> {
-						Ok(rustls_old::client::ServerCertVerified::assertion())
+						_now: rustls::pki_types::UnixTime,
+					) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+						Ok(rustls::client::danger::ServerCertVerified::assertion())
+					}
+
+					fn verify_tls12_signature(
+						&self,
+						_message: &[u8],
+						_cert: &rustls::pki_types::CertificateDer<'_>,
+						_dss: &rustls::DigitallySignedStruct,
+					) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+						Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+					}
+
+					fn verify_tls13_signature(
+						&self,
+						_message: &[u8],
+						_cert: &rustls::pki_types::CertificateDer<'_>,
+						_dss: &rustls::DigitallySignedStruct,
+					) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+						Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+					}
+
+					fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+						vec![]
 					}
 				}

-				rustls_old::ClientConfig::builder()
-					.with_safe_defaults()
+				rustls::ClientConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
+					.dangerous()
 					.with_custom_certificate_verifier(Arc::new(SkipServerVerification))
 					.with_no_client_auth()
 			}

 			#[cfg(not(debug_assertions))]
 			{
-				rustls_old::ClientConfig::builder()
-					.with_safe_defaults()
+				rustls::ClientConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
+					.dangerous()
+					.with_custom_certificate_verifier(Arc::new(
+						rustls_platform_verifier::Verifier::new(),
+					))
 					.with_no_client_auth()
 			}
 		};

-		let client_config = ClientConfig::new(Arc::new(crypto_config));
+		let client_config = ClientConfig::new(Arc::new(
+			QuicClientConfig::try_from(crypto_config)
+				.expect("misconfigured TLS client config, this is a bug and should crash"),
+		));

 		let mut endpoint = Endpoint::client("[::]:0".parse().expect("hardcoded address"))
 			.map_err(Error::FailedToCreateEndpoint)?;