Rustls 0.18 docs:

This is the minimum you need to do to make a TLS client connection.

First, we make a ClientConfig. You're likely to make one of these per process, and use it for all connections made by that process.

    let mut config = rustls::ClientConfig::new();

Next we load some root certificates. These are used to authenticate the server. The recommended way is to depend on the webpki_roots crate which contains the Mozilla set of root certificates.

    config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
rustls 0.20 docs:

This is the minimum you need to do to make a TLS client connection.

First we load some root certificates. These are used to authenticate the server. The recommended way is to depend on the webpki_roots crate which contains the Mozilla set of root certificates.

    let mut root_store = rustls::RootCertStore::empty();
    root_store.add_server_trust_anchors(
        webpki_roots::TLS_SERVER_ROOTS
            .0
            .iter()
            .map(|ta| {
                rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
                    ta.subject,
                    ta.spki,
                    ta.name_constraints,
                )
            }),
    );

Next, we make a ClientConfig. You're likely to make one of these per process, and use it for all connections made by that process.

    let config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_store)
        .with_no_client_auth();
WTF? There's a whole page of breaking changes. Was all this really necessary?
You have to copy and paste all that boilerplate. Since that obscure code is only in the docs, not the code itself, it's untested. Great place for a backdoor.
I got a compile error after an update, because I now had two versions of rustls. So I have to change my code to comply. I'm still trying to get a custom verify_server_cert to compile. "add_pem_file" has disappeared from the API, too. There's now a new crate, "rustls_pemfile", which seems to be necessary. I managed to bash it into working. I think. I trust the code much less now.
All this makes rustls much more likely to have new security flaws. Usage is now much more complex and has far more moving parts.
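The piece of the migration that moved out of rustls itself is the PEM-to-DER step that `add_pem_file` used to do internally. The following is an added example, not code from the post above, from rustls or from rustls-pemfile: a std-only reader that does the same job as `rustls_pemfile::certs` for a CA bundle, so the steps that crate now takes on the caller's behalf are visible and testable. It returns the DER bytes of every CERTIFICATE block, skips other block types (a PRIVATE KEY block in a bundle must never end up in a trust store), and rejects malformed base64 or mismatched BEGIN/END labels instead of silently producing a truncated certificate. The function and type names (`certs_from_pem`, `base64_decode`, `PemError`) and the sample bundle are mine; the bundle's base64 decodes to a few placeholder bytes and is not a real certificate.

```rust
// Added example, not rustls or rustls-pemfile code: a std-only equivalent of
// rustls_pemfile::certs for a CA bundle. Names and sample input are constructed.

/// Constructed sample bundle (NOT real certificates): two CERTIFICATE blocks
/// whose base64 decodes to 30 82 01 01 and 30 82 01 02, plus a PRIVATE KEY
/// block that a trust-store loader must ignore.
const SAMPLE_BUNDLE: &str = "\
# text outside blocks is ignored, as in real CA bundles
-----BEGIN CERTIFICATE-----
MIIBAQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBAg==
-----END CERTIFICATE-----
";

#[derive(Debug, PartialEq)]
enum PemError {
    UnterminatedBlock(String),
    MismatchedEnd { begin: String, end: String },
    BadBase64(String),
}

/// Strict RFC 4648 base64 with '=' padding. Any character outside the alphabet,
/// a bad length, or padding anywhere but the final quartet yields None, so a
/// corrupted bundle cannot produce a half-decoded certificate.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    fn val(c: u8) -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a') as u32 + 26),
            b'0'..=b'9' => Some((c - b'0') as u32 + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    }
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    let mut chunks = bytes.chunks(4).peekable();
    while let Some(chunk) = chunks.next() {
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        if pad > 2 || (pad > 0 && chunks.peek().is_some()) {
            return None; // padding is only legal at the very end
        }
        let mut acc = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            let v = if b == b'=' {
                if i < 4 - pad {
                    return None; // '=' in a data position
                }
                0
            } else {
                val(b)?
            };
            acc = (acc << 6) | v;
        }
        out.push((acc >> 16) as u8);
        if pad < 2 {
            out.push((acc >> 8) as u8);
        }
        if pad < 1 {
            out.push(acc as u8);
        }
    }
    Some(out)
}

/// DER bytes of every CERTIFICATE block in `pem`, in order. Other block types
/// are skipped; text outside blocks is ignored; structural errors are reported.
fn certs_from_pem(pem: &str) -> Result<Vec<Vec<u8>>, PemError> {
    let mut ders = Vec::new();
    let mut lines = pem.lines();
    while let Some(line) = lines.next() {
        let label = match line
            .trim()
            .strip_prefix("-----BEGIN ")
            .and_then(|r| r.strip_suffix("-----"))
        {
            Some(l) => l.to_string(),
            None => continue,
        };
        let mut body = String::new();
        let mut terminated = false;
        for inner in lines.by_ref() {
            let inner = inner.trim();
            if let Some(end) = inner.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
                if end != label.as_str() {
                    return Err(PemError::MismatchedEnd { begin: label, end: end.to_string() });
                }
                terminated = true;
                break;
            }
            body.push_str(inner);
        }
        if !terminated {
            return Err(PemError::UnterminatedBlock(label));
        }
        if label != "CERTIFICATE" {
            continue; // keys, CRLs, etc. never go into a trust store
        }
        match base64_decode(&body) {
            Some(der) => ders.push(der),
            None => return Err(PemError::BadBase64(label)),
        }
    }
    Ok(ders)
}

fn main() {
    match certs_from_pem(SAMPLE_BUNDLE) {
        Ok(ders) => {
            for (i, der) in ders.iter().enumerate() {
                println!("certificate {}: {} DER bytes, starts with {:02x?}", i, der.len(), der.first());
            }
        }
        Err(e) => eprintln!("rejecting bundle: {:?}", e),
    }
}
```

With rustls 0.20 the `Vec<Vec<u8>>` this returns (or the one `rustls_pemfile::certs` returns) is what goes into `RootCertStore::add_parsable_certificates(&ders)`. That call returns an `(added, ignored)` pair and does not fail on unparseable entries; a practitioner should assert that `ignored == 0` and `added > 0` rather than silently proceeding with a trust store that may be empty.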