* [pve-devel] applied: [PATCH 1/2] openid connect: http client: use TlS platform verifier
@ 2025-07-21 16:52 Thomas Lamprecht
2025-07-21 16:52 ` [pve-devel] applied: [PATCH 2/2] openid connect: http client: avoid unversioned ureq module Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Thomas Lamprecht @ 2025-07-21 16:52 UTC (permalink / raw)
To: pve-devel
As otherwise a valid cert from Let's Encrypt got rejected as insecure
TLS.
It might be better to switch to proxmox-http sync client here, which
is ureq but better maintained code and less duplication.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
proxmox-openid/src/http_client.rs | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/proxmox-openid/src/http_client.rs b/proxmox-openid/src/http_client.rs
index 7d383d5d..904a5bac 100755
--- a/proxmox-openid/src/http_client.rs
+++ b/proxmox-openid/src/http_client.rs
@@ -37,7 +37,12 @@ pub enum Error {
}
fn ureq_agent() -> Result<ureq::Agent, Error> {
- let mut config = ureq::Agent::config_builder();
+ let mut config = ureq::Agent::config_builder().tls_config(
+ ureq::tls::TlsConfig::builder()
+ .provider(ureq::tls::TlsProvider::NativeTls)
+ .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+ .build(),
+ );
if let Ok(val) = env::var("all_proxy").or_else(|_| env::var("ALL_PROXY")) {
let proxy = ureq::Proxy::new(&val).map_err(Box::new)?;
config = config.proxy(Some(proxy));
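Review bot: The new `.tls_config(...)` call in `ureq_agent()` carries no comment saying why `TlsProvider::NativeTls` and `RootCerts::PlatformVerifier` are set explicitly; the reason (a valid Let's Encrypt certificate was rejected) exists only in the commit message. A short comment above `.root_certs(ureq::tls::RootCerts::PlatformVerifier)` stating that certificate trust for the OpenID issuer now comes from the platform's store would keep the setting from being dropped in a later cleanup, and makes it clear to whoever audits this client which CA set decides whether the identity provider is trusted.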
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH 2/2] openid connect: http client: avoid unversioned ureq module
2025-07-21 16:52 [pve-devel] applied: [PATCH 1/2] openid connect: http client: use TlS platform verifier Thomas Lamprecht
@ 2025-07-21 16:52 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-07-21 16:52 UTC (permalink / raw)
To: pve-devel
It's simply not needed so do not bother with it.
Brings us again closer to what the proxmox-http sync client does, now
at least it's again so simple that there can be an argument for doing
this ourselves here over pulling in more dependencies.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
proxmox-openid/src/http_client.rs | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/proxmox-openid/src/http_client.rs b/proxmox-openid/src/http_client.rs
index 904a5bac..a21e1d5a 100755
--- a/proxmox-openid/src/http_client.rs
+++ b/proxmox-openid/src/http_client.rs
@@ -4,7 +4,6 @@ use std::io::Read;
use http::method::Method;
use openidconnect::{HttpRequest, HttpResponse};
-use ureq::unversioned::transport::Connector;
// Copied from OAuth2 create, because we want to use ureq with
// native-tls. But current OAuth2 crate pulls in rustls, so we cannot
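Review bot: The context comment directly below the removed `use ureq::unversioned::transport::Connector;` reads "Copied from OAuth2 create"; that should be "crate". Since this series reworks how the agent is built, it is also worth rechecking that the comment's rationale (ureq with native-tls rather than rustls) still describes the code after the change and updating it in the same patch if not.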
@@ -47,15 +46,7 @@ fn ureq_agent() -> Result<ureq::Agent, Error> {
let proxy = ureq::Proxy::new(&val).map_err(Box::new)?;
config = config.proxy(Some(proxy));
}
- let agent = ureq::Agent::with_parts(
- config.build(),
- ureq::unversioned::transport::ConnectProxyConnector::default()
- .chain(ureq::unversioned::transport::TcpConnector::default())
- .chain(ureq::unversioned::transport::NativeTlsConnector::default()),
- ureq::unversioned::resolver::DefaultResolver::default(),
- );
-
- Ok(agent)
+ Ok(config.build().into())
}
fn add_headers<T>(
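Review bot: At `Ok(config.build().into())` the explicit `ConnectProxyConnector` / `TcpConnector` / `NativeTlsConnector` chain is gone, so proxy CONNECT handling and the choice of the native-tls backend now rest entirely on ureq's default connector honoring `config.proxy(Some(proxy))` and the `tls_config` provider set in patch 1/2. Please confirm with `all_proxy` set against an HTTPS issuer that the request still goes through the proxy and still verifies the certificate. As a style point, the bare `.into()` hides which conversion builds the agent; naming the constructor explicitly would read more clearly next to the `Result<ureq::Agent, Error>` return type.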
--
2.47.2