From 365afd9ac54f34aa8d1c0e17ee10fe11d7c89147 Mon Sep 17 00:00:00 2001 From: link2xt Date: Wed, 4 Sep 2024 19:32:50 +0000 Subject: [PATCH] feat: accept self-signed nauta.cu certificates This will allow users to enable strict TLS checks. --- assets/certificates/imap.nauta.cu.der | Bin 0 -> 713 bytes assets/certificates/smtp.nauta.cu.der | Bin 0 -> 1013 bytes src/net/tls.rs | 29 ++++++++++++++++++++++---- 3 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 assets/certificates/imap.nauta.cu.der create mode 100644 assets/certificates/smtp.nauta.cu.der diff --git a/assets/certificates/imap.nauta.cu.der b/assets/certificates/imap.nauta.cu.der new file mode 100644 index 0000000000000000000000000000000000000000..20f953786292c73b7532093c7acd43fc6d70cc7f GIT binary patch literal 713 zcmXqLVmfNj#H6=?nTe5!iIZVMeAto{e=lVNUN%mxHjlRNyo`*jtPBQ?GYq*6IN6v( zS=fY`oI?$T3OPI~IBsIA> z(NM}j0wlmKEa+NMl3J9Pn4=J!T2z*qoLX!sY9I`fV;1Jg%uOuNOU+9y(Mv8hR5Xx> zJA{)_OsF8gxFk2R7^vF;s>DD}oY&CEz|7FZ(A3D($RtXf*9gQlf^rA5(;Md_hchE9 z19M|9FswV78XFm|D%J1S{B}ud%H@;4uP@7bTHX~FsJ?`4LB`E>vM65Xfgd`o>~$x>p|m{EB1&CFMtavOs- ztmNqYFLmX^v&|d=S5`@R*Kgi2FU(ue$+|Dw|HcHz_*$dp7do=H#Z6b&DXrV2*nTfb JjrVS*4*&@p=obJ0 literal 0 HcmV?d00001 
diff --git a/assets/certificates/smtp.nauta.cu.der b/assets/certificates/smtp.nauta.cu.der new file mode 100644 index 0000000000000000000000000000000000000000..0b83cd80a22a296603a0bb6ed1985acaaf2c54bf GIT binary patch literal 1013 zcmXqLV*Y5*#B_53GZP~d6DPwP_G@7odjifF@Un4gwRyCC=VfGMWo0mE>@(yx;ACSC zWnmL$at<{VG7tc9ICwaH5*0iWlM?e14fzasKw|7XtN}TRRf&fDKtq6hE*>`5lGNnl zL_;Y936KCckDzNsNorAEVva&^YEfBca%!=muz?^*j+uumIZ-b)FSSH3xzte7KpgH2 zPDU}Hlmk@CKu(<3(8$2d$jH#lz|g=vN}SgS#5I6&2cLtR7?qF%m64T!xrvdV!Jvte zi>Zl`k>Sj%RZLqtH>kAy*KBplX^?w%YJ1R}NiP+ccRfolZS?4w_wpQvc*n+fijFQ? zEt>C|BpDJzH*L?kSbye8aNf!d&I@K+ey~6B`d~c6<})$&Dqkk4Pu$MX?6GtuZ_gXk z%fVVdI`*(x9%Q~$u!fH#^YTgdVx@;nx7+^y|I!+4|M$p=&#}c@R7H)tCQo;~{GDU- zTipoL=!<6?4LNMj{g+;IOHpsVFWY7P$n_awy=!tR-6{WWOy-q>BYJ;3nVWdH#ik*J0nxJ$3-@&qv863NqO<_!(+9MOugt~tjYgQ zJuzE7=EJ5~_g~*H*KA+U#LURRxH!PT&p;NK5M=pS#8^aRkE_Rp{N)Wx%3Rv9INe_C zpNeCs|c z+4*TFtC@@pDn)-+e^qpEVYPbX*2-8IQ08p@coWk~+jXkNyp0`|D}&h^1cGs4V$!sVLg-DkJWID3%)>>Cxc^LtHh%wEx^aNcLB@4FBHX@YNo literal 0 HcmV?d00001 diff --git a/src/net/tls.rs b/src/net/tls.rs index 232787b204..51041b7e72 100644 --- a/src/net/tls.rs +++ b/src/net/tls.rs 
@@ -14,12 +14,33 @@ static LETSENCRYPT_ROOT: Lazy = Lazy::new(|| {
     .unwrap()
 });
 
-pub fn build_tls(strict_tls: bool, alpns: &[&str]) -> TlsConnector {
+static IMAP_NAUTA_CU: Lazy = Lazy::new(|| {
+    Certificate::from_der(include_bytes!(
+        "../../assets/certificates/imap.nauta.cu.der"
+    ))
+    .unwrap()
+});
+
+static SMTP_NAUTA_CU: Lazy = Lazy::new(|| {
+    Certificate::from_der(include_bytes!(
+        "../../assets/certificates/smtp.nauta.cu.der"
+    ))
+    .unwrap()
+});
+
+fn build_tls(strict_tls: bool, hostname: &str, alpns: &[&str]) -> TlsConnector {
     let tls_builder = TlsConnector::new()
         .min_protocol_version(Some(Protocol::Tlsv12))
         .request_alpns(alpns)
         .add_root_certificate(LETSENCRYPT_ROOT.clone());
 
+    // Add self-signed certificates for known hostnames.
+    let tls_builder = match hostname {
+        "imap.nauta.cu" => tls_builder.add_root_certificate(IMAP_NAUTA_CU.clone()),
+        "smtp.nauta.cu" => tls_builder.add_root_certificate(SMTP_NAUTA_CU.clone()),
+        _ => tls_builder,
+    };
+
     if strict_tls {
         tls_builder
     } else {
@@ -35,7 +56,7 @@ pub async fn wrap_tls(
     alpn: &[&str],
     stream: T,
 ) -> Result> {
-    let tls = build_tls(strict_tls, alpn);
+    let tls = build_tls(strict_tls, hostname, alpn);
     let tls_stream = tls.connect(hostname, stream).await?;
     Ok(tls_stream)
 }
@@ -48,7 +69,7 @@ mod tests {
     fn test_build_tls() {
         // we are using some additional root certificates.
         // make sure, they do not break construction of TlsConnector
-        let _ = build_tls(true, &[]);
-        let _ = build_tls(false, &[]);
+        let _ = build_tls(true, "example.org", &[]);
+        let _ = build_tls(false, "example.org", &[]);
     }
 }
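Review bot: The new `IMAP_NAUTA_CU` and `SMTP_NAUTA_CU` statics are only dereferenced inside the `match hostname` arms, so the updated `test_build_tls` in the third hunk (called with `"example.org"`) never parses the two bundled DER files; a corrupt or mis-encoded asset would pass CI and instead panic in the `Lazy` closure's `unwrap()` on the first real connection to those hosts. Add `let _ = build_tls(true, "imap.nauta.cu", &[]);` and `let _ = build_tls(true, "smtp.nauta.cu", &[]);` to that test so the `Certificate::from_der` path is exercised. Because a self-signed certificate is being pinned as a trust anchor here, it will stop working when the server rotates it and strict-TLS users will lose connectivity, so each static should carry a comment recording the certificate's expected validity window and fingerprint, e.g. `// Self-signed certificate served by imap.nauta.cu; not-after <NOT_AFTER_PLACEHOLDER>, SHA-256 <FINGERPRINT_PLACEHOLDER>; re-verify out of band before replacing.` The body of `build_tls` continues past the end of this hunk.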