@@ -70,7 +70,9 @@ mod encryption {
7070
7171 #[ cfg( feature = "__rustls-tls" ) ]
7272 pub mod rustls {
73- use rustls:: { ClientConfig , ClientConnection , RootCertStore , StreamOwned } ;
73+ #[ cfg( not( feature = "rustls-tls-native-platform-verifier" ) ) ]
74+ use rustls:: RootCertStore ;
75+ use rustls:: { ClientConfig , ClientConnection , StreamOwned } ;
7476 use rustls_pki_types:: ServerName ;
7577
7678 use std:: {
@@ -99,43 +101,60 @@ mod encryption {
99101 let config = match tls_connector {
100102 Some ( config) => config,
101103 None => {
102- #[ allow( unused_mut) ]
103- let mut root_store = RootCertStore :: empty ( ) ;
104+ #[ cfg( feature = "rustls-tls-native-platform-verifier" ) ]
105+ {
106+ use rustls_platform_verifier:: BuilderVerifierExt ;
107+ Arc :: new (
108+ ClientConfig :: builder ( )
109+ . with_platform_verifier ( )
110+ . map_err ( TlsError :: from) ?
111+ . with_no_client_auth ( ) ,
112+ )
113+ }
104114
105- #[ cfg( feature = "rustls-tls-native-roots" ) ]
115+ #[ cfg( not ( feature = "rustls-tls-native-platform-verifier" ) ) ]
106116 {
107- let rustls_native_certs:: CertificateResult {
108- certs, errors, ..
109- } = rustls_native_certs:: load_native_certs ( ) ;
110-
111- if !errors. is_empty ( ) {
112- log:: warn!(
113- "native root CA certificate loading errors: {errors:?}"
114- ) ;
115- }
117+ #[ allow( unused_mut) ]
118+ let mut root_store = RootCertStore :: empty ( ) ;
119+
120+ #[ cfg( feature = "rustls-tls-native-roots" ) ]
121+ {
122+ let rustls_native_certs:: CertificateResult {
123+ certs,
124+ errors,
125+ ..
126+ } = rustls_native_certs:: load_native_certs ( ) ;
127+
128+ if !errors. is_empty ( ) {
129+ log:: warn!(
130+ "native root CA certificate loading errors: {errors:?}"
131+ ) ;
132+ }
116133
117- // Not finding any native root CA certificates is not fatal if the
118- // "rustls-tls-webpki-roots" feature is enabled.
119- #[ cfg( not( feature = "rustls-tls-webpki-roots" ) ) ]
120- if certs. is_empty ( ) {
121- return Err ( std:: io:: Error :: new ( std:: io:: ErrorKind :: NotFound , format ! ( "no native root CA certificates found (errors: {errors:?})" ) ) . into ( ) ) ;
134+ // Not finding any native root CA certificates is not fatal if the
135+ // "rustls-tls-webpki-roots" feature is enabled.
136+ #[ cfg( not( feature = "rustls-tls-webpki-roots" ) ) ]
137+ if certs. is_empty ( ) {
138+ return Err ( std:: io:: Error :: new ( std:: io:: ErrorKind :: NotFound , format ! ( "no native root CA certificates found (errors: {errors:?})" ) ) . into ( ) ) ;
139+ }
140+
141+ let total_number = certs. len ( ) ;
142+ let ( number_added, number_ignored) =
143+ root_store. add_parsable_certificates ( certs) ;
144+ log:: debug!( "Added {number_added}/{total_number} native root certificates (ignored {number_ignored})" ) ;
145+ }
146+ #[ cfg( feature = "rustls-tls-webpki-roots" ) ]
147+ {
148+ root_store
149+ . extend ( webpki_roots:: TLS_SERVER_ROOTS . iter ( ) . cloned ( ) ) ;
122150 }
123151
124- let total_number = certs. len ( ) ;
125- let ( number_added, number_ignored) =
126- root_store. add_parsable_certificates ( certs) ;
127- log:: debug!( "Added {number_added}/{total_number} native root certificates (ignored {number_ignored})" ) ;
152+ Arc :: new (
153+ ClientConfig :: builder ( )
154+ . with_root_certificates ( root_store)
155+ . with_no_client_auth ( ) ,
156+ )
128157 }
129- #[ cfg( feature = "rustls-tls-webpki-roots" ) ]
130- {
131- root_store. extend ( webpki_roots:: TLS_SERVER_ROOTS . iter ( ) . cloned ( ) ) ;
132- }
133-
134- Arc :: new (
135- ClientConfig :: builder ( )
136- . with_root_certificates ( root_store)
137- . with_no_client_auth ( ) ,
138- )
139158 }
140159 } ;
141160 let domain = ServerName :: try_from ( domain)
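Review bot: In the `None` arm, the new `#[cfg(feature = "rustls-tls-native-platform-verifier")]` block takes precedence without saying so: when that feature is on, the whole `root_store` branch is compiled out, so `rustls-tls-native-roots` and `rustls-tls-webpki-roots` no longer contribute trust anchors and certificate validation is delegated to the platform verifier. Because Cargo features are unified across the dependency graph, another crate enabling this feature would presumably change which CAs this client trusts (for example, locally installed enterprise roots instead of the bundled webpki set) with no trace in the logs. I would document the precedence at the top of the block, e.g. `// Takes precedence over the native-roots / webpki-roots features: trust decisions are delegated to the platform verifier.`, and add `log::debug!("using platform certificate verifier; root-store features are ignored");` next to it so the trust source in use is visible at runtime. The enclosing function starts and ends outside the hunk, so whether this feature combination is already rejected elsewhere (for instance with a `compile_error!`) cannot be seen from here.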