commit 2592304e4994fe31aa9c0a2b60cc27d20f2ef37d
parent 9df4ad89b8a4c8acbd06b0ebce398449ba4364df
Author: Antoine A <>
Date: Tue, 2 Jun 2026 18:18:01 +0200
common: improve TLS configuration
Diffstat:
12 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
@@ -52,7 +52,7 @@ owo-colors = "4.2.3"
aws-lc-rs = "1.15"
compact_str = { version = "0.9.0", features = ["serde", "sqlx-postgres"] }
hyper-util = { version = "0.1", features = ["client-legacy", "http1", "http2"] }
-hyper-rustls = { version = "0.27", features = ["http2"] }
+hyper-rustls = { version = "0.27", features = ["aws-lc-rs", "http1", "http2", "rustls-platform-verifier", "tls12"], default-features = false }
rand = { version = "0.10" }
regex = { version = "1" }
rustls = "0.23"
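Review bot: With `default-features = false` on the new hyper-rustls line, `tls12` becomes an explicit opt-in, yet nothing records why TLS 1.2 must remain negotiable for the peers these clients talk to, so the next reader cannot tell whether it is deliberate or incidental. A one-line comment above the dependency would settle that, e.g. `# tls12 is an explicit opt-in; drop it once every upstream peer negotiates TLS 1.3`. Note also that `rustls = "0.23"` three lines below still pulls its default feature set, so the provider and protocol features chosen here (`aws-lc-rs`, `tls12`) should be checked against what that line enables, or the two kept in step by trimming rustls' defaults the same way.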
diff --git a/common/http-client/Cargo.toml b/common/http-client/Cargo.toml
@@ -21,7 +21,6 @@ tracing.workspace = true
taler-common.workspace = true
compact_str.workspace = true
url.workspace = true
-anyhow.workspace = true
hyper.workspace = true
tokio.workspace = true
hyper-util.workspace = true
diff --git a/common/http-client/src/lib.rs b/common/http-client/src/lib.rs
@@ -57,14 +57,15 @@ pub enum ClientErr {
ResTransport(FmtSource<hyper::Error>),
}
-pub fn client() -> anyhow::Result<Client> {
+pub fn client() -> Client {
rustls::crypto::aws_lc_rs::default_provider()
.install_default()
.expect("failed to install the default TLS provider");
// Prepare the TLS client config
let tls = rustls::ClientConfig::builder()
- .with_native_roots()?
+ .try_with_platform_verifier()
+ .expect("failed to setup platform TLS verifier")
.with_no_client_auth();
// Prepare the HTTPS connector
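Review bot: The new `.try_with_platform_verifier().expect("failed to setup platform TLS verifier")` makes `client()` panic on an environmental condition — the platform trust store could not be loaded — from a function exported by a shared crate that, before this change, let callers handle it through `anyhow::Result`. If the infallible signature is the intended trade-off, the contract should be visible at the call sites: add a short doc comment describing what `client()` builds and a `/// # Panics` section naming both this condition and the retained `install_default().expect(...)` above it, which returns `Err` when a crypto provider is already installed. That second point matters now that the function is called from several binaries: if any process ends up calling `client()` twice (the harnesses in this diff each call it from more than one function), the second `install_default()` would trip its `expect`; worth confirming each binary calls it exactly once, or guarding the install so a repeat call is a no-op.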
@@ -76,8 +77,7 @@ pub fn client() -> anyhow::Result<Client> {
.build();
// Build the hyper client from the HTTPS connector.
- let client = hyper_util::client::legacy::Client::builder(TokioExecutor::new()).build(https);
- Ok(client)
+ hyper_util::client::legacy::Client::builder(TokioExecutor::new()).build(https)
}
#[derive(Debug, Clone)]
diff --git a/taler-apns-relay/src/apns.rs b/taler-apns-relay/src/apns.rs
@@ -25,7 +25,7 @@ use compact_str::CompactString;
use http::{StatusCode, header::CONTENT_TYPE};
use http_body_util::{BodyExt, Full};
use hyper::{Method, body::Bytes, header::AUTHORIZATION};
-use hyper_rustls::ConfigBuilderExt as _;
+use hyper_rustls::ConfigBuilderExt;
use hyper_util::rt::{TokioExecutor, TokioTimer};
use jiff::{SignedDuration, Timestamp};
use rustls_pki_types::{PrivateKeyDer, pem::PemObject};
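Review bot: The new `use hyper_rustls::ConfigBuilderExt;` brings the trait's name into scope although only its method `try_with_platform_verifier` is used in this file as far as the diff shows; the removed `as _` form is the idiomatic way to import a trait purely for its methods and avoids a needless name in the module namespace. Unless the name `ConfigBuilderExt` is referenced elsewhere in the file, keep `use hyper_rustls::ConfigBuilderExt as _;`.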
@@ -211,7 +211,8 @@ impl Client {
// Prepare the TLS client config
let tls = rustls::ClientConfig::builder()
- .with_native_roots()?
+ .try_with_platform_verifier()
+ .expect("failed to setup platform TLS verifier")
.with_no_client_auth();
// Prepare the HTTPS connector
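Review bot: The enclosing method is fallible — the removed line propagated `with_native_roots()?` — yet the replacement turns a platform-verifier setup failure into a panic with `.expect("failed to setup platform TLS verifier")`, discarding an error path the caller already has. Loading the platform trust store is an environmental failure, not an invariant violation, so it should flow through the method's existing error type, e.g. `.try_with_platform_verifier()` followed by `.map_err(...)?` (or `.context("failed to setup platform TLS verifier")?` if the method returns `anyhow::Result`), which also keeps it consistent with how the other fallible steps in this constructor are handled. The method's header and the rest of its body lie outside the hunk, so the exact error type should be checked there.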
diff --git a/taler-cyclos/src/bin/cyclos-codegen.rs b/taler-cyclos/src/bin/cyclos-codegen.rs
@@ -39,7 +39,7 @@ enum Kind {
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let args = Args::parse();
- let client = http_client::client()?;
+ let client = http_client::client();
let api: serde_json::Value = Req::new(
&client,
Method::GET,
diff --git a/taler-cyclos/src/bin/cyclos-harness.rs b/taler-cyclos/src/bin/cyclos-harness.rs
@@ -316,7 +316,7 @@ async fn logic_harness(cfg: &Config, reset: bool) -> anyhow::Result<()> {
step("Prepare db");
let pool = dbinit(cfg, reset).await?;
- let client = http_client::client()?;
+ let client = http_client::client();
setup::setup(cfg, reset, &client).await?;
let cfg = HarnessCfg::parse(cfg)?;
let wire = Client {
@@ -533,7 +533,7 @@ async fn online_harness(config: &Config, reset: bool) -> anyhow::Result<()> {
step("Prepare db");
let pool = dbinit(config, reset).await?;
- let http_client = http_client::client()?;
+ let http_client = http_client::client();
setup::setup(config, reset, &http_client).await?;
let cfg = HarnessCfg::parse(config)?;
let wire = Client {
diff --git a/taler-cyclos/src/dev.rs b/taler-cyclos/src/dev.rs
@@ -43,7 +43,7 @@ pub enum DevCmd {
}
pub async fn dev(cfg: &Config, cmd: DevCmd) -> anyhow::Result<()> {
- let client = http_client::client()?;
+ let client = http_client::client();
let cfg = HarnessCfg::parse(cfg)?;
let wire = Client {
client: &client,
diff --git a/taler-cyclos/src/main.rs b/taler-cyclos/src/main.rs
@@ -89,7 +89,7 @@ async fn run(cmd: Command, cfg: &Config) -> anyhow::Result<()> {
dbinit(cfg, reset).await?;
}
Command::Setup { reset } => {
- let client = http_client::client()?;
+ let client = http_client::client();
setup::setup(cfg, reset, &client).await?
}
Command::Serve { check } => {
@@ -105,7 +105,7 @@ async fn run(cmd: Command, cfg: &Config) -> anyhow::Result<()> {
}
Command::Worker { transient } => {
let pool = pool(cfg).await?;
- let client = http_client::client()?;
+ let client = http_client::client();
run_worker(cfg, &pool, &client, transient).await?;
}
Command::Config(cmd) => cmd.run(cfg)?,
diff --git a/taler-magnet-bank/src/bin/magnet-bank-harness.rs b/taler-magnet-bank/src/bin/magnet-bank-harness.rs
@@ -336,7 +336,7 @@ async fn logic_harness(cfg: &Config, reset: bool) -> anyhow::Result<()> {
let cfg = HarnessCfg::parse(cfg)?;
let keys = setup::load(&cfg.worker)?;
- let client = http_client::client()?;
+ let client = http_client::client();
let harness = Harness::new(&cfg, &client, &pool, &keys).await;
@@ -523,7 +523,7 @@ async fn online_harness(config: &Config, reset: bool) -> anyhow::Result<()> {
let cfg = HarnessCfg::parse(config)?;
let keys = setup::load(&cfg.worker)?;
- let client = http_client::client()?;
+ let client = http_client::client();
let harness = Harness::new(&cfg, &client, &pool, &keys).await;
diff --git a/taler-magnet-bank/src/dev.rs b/taler-magnet-bank/src/dev.rs
@@ -67,7 +67,7 @@ pub enum DevCmd {
pub async fn dev(cfg: &Config, cmd: DevCmd) -> anyhow::Result<()> {
let cfg = WorkerCfg::parse(cfg)?;
let keys = setup::load(&cfg)?;
- let client = http_client::client()?;
+ let client = http_client::client();
let client = AuthClient::new(&client, &cfg.api_url, &cfg.consumer).upgrade(&keys.access_token);
match cmd {
DevCmd::Accounts => {
diff --git a/taler-magnet-bank/src/main.rs b/taler-magnet-bank/src/main.rs
@@ -105,7 +105,7 @@ async fn run(cmd: Command, cfg: &Config) -> anyhow::Result<()> {
}
Command::Worker { transient } => {
let pool = pool(cfg).await?;
- let client = http_client::client()?;
+ let client = http_client::client();
run_worker(cfg, &pool, &client, transient).await?;
}
Command::Config(cmd) => cmd.run(cfg)?,
diff --git a/taler-magnet-bank/src/setup.rs b/taler-magnet-bank/src/setup.rs
@@ -84,7 +84,7 @@ pub async fn setup(cfg: WorkerCfg, reset: bool) -> anyhow::Result<()> {
Err(e) if e.kind() == ErrorKind::NotFound => KeysFile::default(),
Err(e) => Err(e)?,
};
- let client = http_client::client()?;
+ let client = http_client::client();
let client = AuthClient::new(&client, &cfg.api_url, &cfg.consumer);
info!("Setup OAuth access token");