Merge pull request #354 from h3poteto/fix/tls

Use ring when rustls-tls

Author: h3poteto

Cargo.lock

@@ -22,6 +22,9 @@ rustls-tls = [
     "tokio-tungstenite/rustls-tls-native-roots",
     "reqwest/rustls-tls",
     "oauth2/rustls-tls",
+    "dep:rustls",
+    "dep:rustls-native-certs",
+    "dep:rustls-pki-types",
 ]
 
 [dependencies]
@@ -47,6 +50,9 @@ tokio-tungstenite = { version = "0.27", features = ["url"] }
 tokio-util = { version = "0.7.10", features = ["codec"] }
 tracing = "0.1.40"
 url = "2.5.0"
+rustls = { version = "0.23", features = ["ring"], default-features = false, optional = true }
+rustls-native-certs = { version = "0.8", optional = true }
+rustls-pki-types = { version = "1", optional = true }
 urlencoding = "2.1"
 uuid = { version = "1.8", features = ["v4"] }
 

Cargo.toml

@@ -14,7 +14,7 @@ use serde::Deserialize;
 use serde_json::json;
 use tokio::net::TcpStream;
 use tokio_tungstenite::{
-    MaybeTlsStream, WebSocketStream, connect_async,
+    MaybeTlsStream, WebSocketStream, connect_async_tls_with_config,
     tungstenite::{
         Error as WebSocketError,
         client::IntoClientRequest,
@@ -188,7 +188,9 @@ impl WebSocket {
             })?;
         req.headers_mut()
             .insert("User-Agent", self.user_agent.parse().unwrap());
-        let (socket, response) = connect_async(req).await.map_err(|e| {
+        let connector = crate::tls::build_connector();
+        let (socket, response) =
+            connect_async_tls_with_config(req, None, false, connector).await.map_err(|e| {
             error!("Failed to connect: {}", e);
             match e {
                 WebSocketError::Http(response) => match response.status() {

src/firefish/web_socket.rs

@@ -14,7 +14,8 @@ use serde::Deserialize;
 use tokio_tungstenite::tungstenite::client::IntoClientRequest;
 use tokio_tungstenite::tungstenite::http::StatusCode;
 use tokio_tungstenite::{
-    connect_async, tungstenite::error, tungstenite::protocol::Message as WebSocketMessage,
+    connect_async_tls_with_config, tungstenite::error,
+    tungstenite::protocol::Message as WebSocketMessage,
     tungstenite::protocol::frame::coding::CloseCode,
 };
 use tracing::{debug, error, info, warn};
@@ -172,7 +173,9 @@ impl WebSocket {
             })?;
         req.headers_mut()
             .insert("User-Agent", self.user_agent.parse().unwrap());
-        let (mut socket, response) = connect_async(req).await.map_err(|e| {
+        let connector = crate::tls::build_connector();
+        let (mut socket, response) =
+            connect_async_tls_with_config(req, None, false, connector).await.map_err(|e| {
             error!("Failed to connect: {}", e);
             match e {
                 error::Error::Http(response) => match response.status() {

src/gotosocial/web_socket.rs

@@ -59,6 +59,7 @@ pub mod pixelfed;
 pub mod pleroma;
 pub mod response;
 pub mod streaming;
+pub(crate) mod tls;
 
 pub use self::megalodon::Megalodon;
 use crate::error::Error;

src/lib.rs

@@ -12,7 +12,7 @@ use async_trait::async_trait;
 use futures_util::{SinkExt, StreamExt};
 use serde::Deserialize;
 use tokio_tungstenite::{
-    connect_async,
+    connect_async_tls_with_config,
     tungstenite::{
         Error as WebSocketError,
         client::IntoClientRequest,
@@ -186,7 +186,9 @@ impl WebSocket {
             })?;
         req.headers_mut()
             .insert("User-Agent", self.user_agent.parse().unwrap());
-        let (mut socket, response) = connect_async(req).await.map_err(|e| {
+        let connector = crate::tls::build_connector();
+        let (mut socket, response) =
+            connect_async_tls_with_config(req, None, false, connector).await.map_err(|e| {
             error!("Failed to connect: {}", e);
             match e {
                 WebSocketError::Http(response) => match response.status() {

src/mastodon/web_socket.rs

@@ -12,7 +12,7 @@ use async_trait::async_trait;
 use futures_util::{SinkExt, StreamExt};
 use serde::Deserialize;
 use tokio_tungstenite::{
-    connect_async,
+    connect_async_tls_with_config,
     tungstenite::{
         Error as WebSocketError,
         client::IntoClientRequest,
@@ -186,7 +186,9 @@ impl WebSocket {
             })?;
         req.headers_mut()
             .insert("User-Agent", self.user_agent.parse().unwrap());
-        let (mut socket, response) = connect_async(req).await.map_err(|e| {
+        let connector = crate::tls::build_connector();
+        let (mut socket, response) =
+            connect_async_tls_with_config(req, None, false, connector).await.map_err(|e| {
             error!("Failed to connect: {}", e);
             match e {
                 WebSocketError::Http(response) => match response.status() {

src/pleroma/web_socket.rs

@@ -0,0 +1,25 @@
+use tokio_tungstenite::Connector;
+
+#[cfg(feature = "rustls-tls")]
+pub fn build_connector() -> Option<Connector> {
+    use std::sync::Arc;
+
+    let mut root_store = rustls::RootCertStore::empty();
+    for cert in rustls_native_certs::load_native_certs().certs {
+        let _ = root_store.add(cert);
+    }
+    let config = rustls::ClientConfig::builder_with_provider(Arc::new(
+        rustls::crypto::ring::default_provider(),
+    ))
+    .with_safe_default_protocol_versions()
+    .expect("Failed to set TLS protocol versions")
+    .with_root_certificates(root_store)
+    .with_no_client_auth();
+
+    Some(Connector::Rustls(Arc::new(config)))
+}
+
+#[cfg(not(feature = "rustls-tls"))]
+pub fn build_connector() -> Option<Connector> {
+    None
+}