@@ -70,7 +70,9 @@ mod encryption {
7070
7171 #[ cfg( feature = "__rustls-tls" ) ]
7272 pub mod rustls {
73- use rustls:: { ClientConfig , ClientConnection , RootCertStore , StreamOwned } ;
73+ #[ cfg( not( feature = "rustls-tls-native-platform-verifier" ) ) ]
74+ use rustls:: RootCertStore ;
75+ use rustls:: { ClientConfig , ClientConnection , StreamOwned } ;
7476 use rustls_pki_types:: ServerName ;
7577
7678 use std:: {
@@ -99,43 +101,57 @@ mod encryption {
99101 let config = match tls_connector {
100102 Some ( config) => config,
101103 None => {
102- #[ allow( unused_mut) ]
103- let mut root_store = RootCertStore :: empty ( ) ;
104+ #[ cfg( feature = "rustls-tls-native-platform-verifier" ) ]
105+ {
106+ use rustls_platform_verifier:: BuilderVerifierExt ;
107+ Arc :: new (
108+ ClientConfig :: builder ( )
109+ . with_platform_verifier ( )
110+ . map_err ( TlsError :: from) ?
111+ . with_no_client_auth ( ) ,
112+ )
113+ }
104114
105- #[ cfg( feature = "rustls-tls-native-roots" ) ]
115+ #[ cfg( not ( feature = "rustls-tls-native-platform-verifier" ) ) ]
106116 {
107- let rustls_native_certs:: CertificateResult {
108- certs, errors, ..
109- } = rustls_native_certs:: load_native_certs ( ) ;
110-
111- if !errors. is_empty ( ) {
112- log:: warn!(
113- "native root CA certificate loading errors: {errors:?}"
114- ) ;
115- }
117+ #[ allow( unused_mut) ]
118+ let mut root_store = RootCertStore :: empty ( ) ;
119+
120+ #[ cfg( feature = "rustls-tls-native-roots" ) ]
121+ {
122+ let rustls_native_certs:: CertificateResult {
123+ certs, errors, ..
124+ } = rustls_native_certs:: load_native_certs ( ) ;
125+
126+ if !errors. is_empty ( ) {
127+ log:: warn!(
128+ "native root CA certificate loading errors: {errors:?}"
129+ ) ;
130+ }
116131
117- // Not finding any native root CA certificates is not fatal if the
118- // "rustls-tls-webpki-roots" feature is enabled.
119- #[ cfg( not( feature = "rustls-tls-webpki-roots" ) ) ]
120- if certs. is_empty ( ) {
121- return Err ( std:: io:: Error :: new ( std:: io:: ErrorKind :: NotFound , format ! ( "no native root CA certificates found (errors: {errors:?})" ) ) . into ( ) ) ;
132+ // Not finding any native root CA certificates is not fatal if the
133+ // "rustls-tls-webpki-roots" feature is enabled.
134+ #[ cfg( not( feature = "rustls-tls-webpki-roots" ) ) ]
135+ if certs. is_empty ( ) {
136+ return Err ( std:: io:: Error :: new ( std:: io:: ErrorKind :: NotFound , format ! ( "no native root CA certificates found (errors: {errors:?})" ) ) . into ( ) ) ;
137+ }
138+
139+ let total_number = certs. len ( ) ;
140+ let ( number_added, number_ignored) =
141+ root_store. add_parsable_certificates ( certs) ;
142+ log:: debug!( "Added {number_added}/{total_number} native root certificates (ignored {number_ignored})" ) ;
143+ }
144+ #[ cfg( feature = "rustls-tls-webpki-roots" ) ]
145+ {
146+ root_store. extend ( webpki_roots:: TLS_SERVER_ROOTS . iter ( ) . cloned ( ) ) ;
122147 }
123148
124- let total_number = certs. len ( ) ;
125- let ( number_added, number_ignored) =
126- root_store. add_parsable_certificates ( certs) ;
127- log:: debug!( "Added {number_added}/{total_number} native root certificates (ignored {number_ignored})" ) ;
149+ Arc :: new (
150+ ClientConfig :: builder ( )
151+ . with_root_certificates ( root_store)
152+ . with_no_client_auth ( ) ,
153+ )
128154 }
129- #[ cfg( feature = "rustls-tls-webpki-roots" ) ]
130- {
131- root_store. extend ( webpki_roots:: TLS_SERVER_ROOTS . iter ( ) . cloned ( ) ) ;
132- }
133-
134- Arc :: new (
135- ClientConfig :: builder ( )
136- . with_root_certificates ( root_store)
137- . with_no_client_auth ( ) ,
138- )
139155 }
140156 } ;
141157 let domain = ServerName :: try_from ( domain)
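Review bot: The new `#[cfg(feature = "rustls-tls-native-platform-verifier")]` block in the `None` arm silently takes precedence over the two root-store features. When it is enabled, the `rustls-tls-native-roots` and `rustls-tls-webpki-roots` code is compiled out of this path, so certificate trust for the default connector is decided entirely by the platform verifier. Because Cargo unifies features across the dependency graph, another crate turning this feature on would change certificate validation for every user of this code path without any change on their side. I would state the precedence in a comment above the block, e.g. `// Takes precedence over the native-roots / webpki-roots features: trust is delegated to the platform verifier.`, and repeat it wherever the crate documents its features. The enclosing function starts and ends outside the hunk, so the rest of the connector setup is not visible here.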