
Commit 48dfc3a

authored
Default to empty ca roots for tls connections (#62)
1 parent 0c4b800 commit 48dfc3a

2 files changed

+21
-8
lines changed


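--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,7 +16,8 @@ rust-version = "1.76"
 
 [features]
 default = []
-tls = ["rustls", "rustls-pemfile", "webpki-roots", "futures-rustls"]
+tls = ["rustls", "rustls-pemfile", "futures-rustls"]
+tls-mozilla-roots = ["tls", "webpki-roots"]
 sasl = ["sasl-gssapi", "sasl-digest-md5"]
 sasl-digest-md5 = ["rsasl/unstable_custom_mechanism", "md5", "linkme", "hex"]
 sasl-gssapi = ["rsasl/gssapi"]
@@ -39,7 +40,7 @@ either = "1.9.0"
 uuid = { version = "1.4.1", features = ["v4"] }
 rustls = { version = "0.23.2", optional = true }
 rustls-pemfile = { version = "2", optional = true }
-webpki-roots = { version = "0.26.1", optional = true }
+webpki-roots = { version = "1.0.1", optional = true }
 derive-where = "1.2.7"
 fastrand = "2.0.2"
 tracing = "0.1.40"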
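Review bot: The `tls` feature line no longer carries `webpki-roots`, so a downstream crate that enables only `tls` now builds a client whose default `TlsOptions` has no trust anchors, and nothing in the manifest says so. A one-line comment above the feature would save users a confusing verification failure: `# "tls" alone ships no CA roots; enable "tls-mozilla-roots" to trust Mozilla's bundle`. The `webpki-roots` bump from 0.26.1 to 1.0.1 is a major version change and is presumably what motivated the split, but that is inferred, not visible here.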

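--- a/src/tls.rs
+++ b/src/tls.rs
@@ -28,11 +28,9 @@ impl Clone for TlsOptions {
 }
 
 impl Default for TlsOptions {
-    /// Tls options with well-known ca roots.
+    /// Same as [Self::new].
     fn default() -> Self {
-        let mut options = Self::no_ca();
-        options.ca_certs.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        options
+        Self::new()
     }
 }
 
@@ -106,12 +104,26 @@ impl ServerCertVerifier for TlsServerCertVerifier {
 }
 
 impl TlsOptions {
-    /// Tls options with no ca certificates. Use [TlsOptions::default] if well-known ca roots is
-    /// desirable.
+    /// Tls options with no ca certificates.
+    #[deprecated(since = "0.10.0", note = "use TlsOptions::new instead")]
     pub fn no_ca() -> Self {
+        Self::new()
+    }
+
+    /// Tls options with no ca certificates.
+    pub fn new() -> Self {
         Self { ca_certs: RootCertStore::empty(), identity: None, hostname_verification: true }
     }
 
+    /// Trusts root certificates trusted by Mozilla.
+    ///
+    /// See [webpki-roots](https://docs.rs/webpki-roots) for more.
+    #[cfg(feature = "tls-mozilla-roots")]
+    pub fn with_mozilla_roots(mut self) -> Self {
+        self.ca_certs.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+        self
+    }
+
     /// Disables hostname verification in tls handshake.
     ///
     /// # Safety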
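Review bot: `TlsOptions::new` — and, through the first hunk, `Default` — now starts from `RootCertStore::empty()`, but its doc only says "no ca certificates" and does not tell the reader what that means for a connection: with an empty root store every server certificate is rejected, so a caller who relied on `default()` carrying the Mozilla bundle will fail verification until roots are added. Suggest replacing the `new` doc with `/// Tls options with an empty root store. Server certificates cannot be verified until roots are added, e.g. via \`with_mozilla_roots\` (feature \`tls-mozilla-roots\`).` and giving the `Default` doc the same pointer, written as plain text rather than an intra-doc link since the method is `cfg`-gated and rustdoc would warn when the feature is off. Whether there is another way to populate `ca_certs` besides `with_mozilla_roots` is not visible in this hunk. The `impl TlsOptions` block continues past the end of the hunk.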
