Use rustls_platform_verifier certificates.

abezukor · abezukor · commit a27cd0927ffd · 2024-06-27T12:48:04.000-07:00
Fix to always getting ` Websocket(Io(Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }))` in IOS. As discussed in rustls/rustls-native-certs#3, ios and android support is broken by default. in this PR, I use `rustls_platform_verifier` on all platforms, but we could `cfg` it to only use `rustls_platform_verifier` on ios and android. Thoughts? For what its worth using `native-tls` instead of `rustls` also works. See 30b4db6 for an implementation using that. The advantage is that it requires no code changes, but I think it does pull in the whole native-tls stack due to feature unification.
diff --git a/crates/Cargo.lock b/crates/Cargo.lock
diff --git a/crates/Cargo.toml b/crates/Cargo.toml
@@ -28,6 +28,8 @@ jsonwebtoken = "9.2.0"
 pem = { version = "3.0.3", default-features = false }
 pin-project = "1.1.0"
 rand = "0.8.5"
+rustls-platform-verifier = "0.2.0"
+rustls = "0.22.4"
 serde = { version = "1.0.187", features = ["derive"] }
 serde_json = "1.0.97"
 thiserror = "1.0.40"
diff --git a/crates/portal-client/Cargo.toml b/crates/portal-client/Cargo.toml
@@ -19,7 +19,9 @@ thiserror.workspace = true
 tracing.workspace = true
 tokio = { workspace = true, features = ["sync", "time", "macros", "rt"] }
 tokio-tungstenite.workspace = true
-tokio-util = {workspace = true, features = ["io"] }
+tokio-util = { workspace = true, features = ["io"] }
+rustls-platform-verifier.workspace = true
+rustls.workspace = true
 url.workspace = true
 
 [dev-dependencies]
diff --git a/crates/portal-client/src/lib.rs b/crates/portal-client/src/lib.rs
@@ -3,18 +3,22 @@
 use std::fmt::Debug;
 use std::io::{self, ErrorKind};
 use std::pin::Pin;
-use std::sync::OnceLock;
+use std::sync::{Arc, OnceLock};
 use std::task::{Context, Poll};
 use std::time::{Duration, Instant};
 
 use futures_util::{Sink, Stream, StreamExt as _};
 use matic_portal_types::{ControlMessage, Nexus};
 use pin_project::pin_project;
+use rustls::ClientConfig;
+use rustls_platform_verifier::Verifier;
 use tokio::net::TcpStream;
 use tokio_tungstenite::tungstenite::client::IntoClientRequest;
 use tokio_tungstenite::tungstenite::protocol::Message;
 use tokio_tungstenite::tungstenite::Error as WsError;
-use tokio_tungstenite::{connect_async, MaybeTlsStream, WebSocketStream};
+use tokio_tungstenite::{
+    connect_async_tls_with_config, Connector, MaybeTlsStream, WebSocketStream,
+};
 use url::Url;
 
 mod tunnel_io;
@@ -337,7 +341,15 @@ async fn websocket_connect(url: &str, token: &str) -> Result<TcpWebSocket, WsErr
         "authorization",
         format!("Bearer {}", token).parse().unwrap(),
     );
-    let (websocket, http_response) = connect_async(request).await?;
+    let config = Arc::new(
+        ClientConfig::builder()
+            .dangerous() // The `Verifier` we're using is actually safe
+            .with_custom_certificate_verifier(Arc::new(Verifier::new()))
+            .with_no_client_auth(),
+    );
+    let (websocket, http_response) =
+        connect_async_tls_with_config(request, None, false, Some(Connector::Rustls(config)))
+            .await?;
     tracing::debug!("got http response: {http_response:?}");
     Ok(websocket)
 }
