
Commit 100f8a1

feat(tls): Add rustls-platform-verifier support
1 parent 9b74abf commit 100f8a1


3 files changed

+15
-0
lines changed


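--- a/tonic/Cargo.toml
+++ b/tonic/Cargo.toml
@@ -32,6 +32,7 @@ tls = ["dep:rustls-pemfile", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "toki
 tls-roots = ["tls-native-roots"] # Deprecated. Please use `tls-native-roots` instead.
 tls-native-roots = ["tls", "channel", "dep:rustls-native-certs"]
 tls-webpki-roots = ["tls", "channel", "dep:webpki-roots"]
+tls-platform-verifier = ["tls", "channel", "dep:rustls-platform-verifier"]
 router = ["dep:axum", "dep:tower", "tower?/util"]
 server = [
 "router",
@@ -90,6 +91,7 @@ axum = {version = "0.7", default-features = false, optional = true}
 # rustls
 rustls-pemfile = { version = "2.0", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
+rustls-platform-verifier = { version = "0.3", optional = true }
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
 webpki-roots = { version = "0.26", optional = true }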

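--- a/tonic/src/lib.rs
+++ b/tonic/src/lib.rs
@@ -31,6 +31,9 @@
 //! [`rustls-native-certs`] crate. Not enabled by default.
 //! - `tls-webpki-roots`: Add the standard trust roots from the [`webpki-roots`] crate to
 //! `rustls`-based gRPC clients. Not enabled by default.
+//! - `tls-platform-verifier`: Uses the operating system’s certificate facilities to verify
+//! the validity of TLS certificates using the [`rustls-platform-verifier`] crate. Not
+//! enabled by default.
 //! - `prost`: Enables the [`prost`] based gRPC [`Codec`] implementation. Enabled by default.
 //! - `gzip`: Enables compressing requests, responses, and streams. Depends on [`flate2`].
 //! Not enabled by default.
@@ -80,6 +83,7 @@
 //! [`transport`]: transport/index.html
 //! [`rustls-native-certs`]: https://docs.rs/rustls-native-certs
 //! [`webpki-roots`]: https://docs.rs/webpki-roots
+//! [`rustls-platform-verifier`]: https://docs.rs/rustls-platform-verifier
 //! [`flate2`]: https://docs.rs/flate2
 //! [`zstd`]: https://docs.rs/zstd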

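--- a/tonic/src/transport/channel/service/tls.rs
+++ b/tonic/src/transport/channel/service/tls.rs
@@ -58,7 +58,16 @@ impl TlsConnector {
 add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
 }
 
+#[cfg(feature = "tls-platform-verifier")]
+let builder = builder
+.dangerous()
+.with_custom_certificate_verifier(Arc::new(
+rustls_platform_verifier::Verifier::new_with_extra_roots(roots.roots),
+));
+
+#[cfg(not(feature = "tls-platform-verifier"))]
 let builder = builder.with_root_certificates(roots);
+
 let mut config = match identity {
 Some(identity) => {
 let (client_cert, client_key) = load_identity(identity)?;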
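Review bot: The `.dangerous().with_custom_certificate_verifier(...)` chain on the new lines 62–66 carries no comment saying why the `dangerous` escape hatch is acceptable, and the next person auditing TLS setup should not have to read the crate to learn that chain validation is still happening. I would put above line 61: `// dangerous() only opts out of rustls' built-in webpki verifier; rustls_platform_verifier still validates the chain and server name through the OS trust facilities, with `roots` added as extra anchors.` The second half of that comment is the real behaviour change: on the `with_root_certificates` path a caller who configures only a private CA gets a trust set limited to that CA, whereas `Verifier::new_with_extra_roots(roots.roots)` widens trust to the OS store plus that CA, so any publicly trusted issuer can also sign for the target — callers relying on a private CA as an implicit pin need to know this, and the doc comment on `ClientTlsConfig::ca_certificate` (not in this hunk) should say so. I cannot tell from the hunk whether `Arc` is already in scope in this file or whether the crate's default provider matches the `ring` provider selected for tokio-rustls; both are worth confirming. The enclosing `TlsConnector` constructor starts and ends outside the hunk.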
