diff --git a/Cargo.lock b/Cargo.lock
index 001c63f606..fd55154966 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1380,11 +1380,11 @@ dependencies = [
 "linkerd-tls-test-util",
 "ring",
 "rustls-pemfile",
+ "rustls-webpki",
 "thiserror",
 "tokio",
 "tokio-rustls",
 "tracing",
- "webpki",
 ]

 [[package]]
@@ -2434,6 +2434,16 @@ dependencies = [
 "base64",
 ]

+[[package]]
+name = "rustls-webpki"
+version = "0.101.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45a27e3b59326c16e23d30aeb7a36a24cc0d29e71d68ff611cdfb4a01d013bed"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.11"
@@ -3114,8 +3124,9 @@ dependencies = [

 [[package]]
 name = "webpki"
-version = "0.22.0"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
 "ring",
 "untrusted",
diff --git a/Cargo.toml b/Cargo.toml
index 7d7e797707..ffd63c047a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -82,6 +82,5 @@ debug = false
 lto = true

 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }
 boring = { git = "https://github.com/cloudflare/boring" }
 tokio-boring = { git = "https://github.com/cloudflare/boring" }
diff --git a/deny.toml b/deny.toml
index 0f3474b15a..94ec1293c4 100644
--- a/deny.toml
+++ b/deny.toml
@@ -69,9 +69,6 @@ skip-tree = [
 unknown-registry = "deny"
 unknown-git = "deny"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-allow-git = ["https://github.com/cloudflare/boring.git"]
-
-[sources.allow-org]
-github = [
- "linkerd",
+allow-git = [
+ "https://github.com/cloudflare/boring.git",
 ]
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
index 977f4cf899..7a01e3e5ba 100644
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16", features = ["std"] }
 rustls-pemfile = "1.0"
+rustls-webpki = { version = "0.101.5", features = [ "std"] }
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.22"

 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }
diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs
index d744bbf20e..864222732b 100644
--- a/linkerd/meshtls/rustls/src/creds/store.rs
+++ b/linkerd/meshtls/rustls/src/creds/store.rs
@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 hello: rustls::server::ClientHello<'_>,
 ) -> Option> {
 let server_name = match hello.server_name() {
- Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
- .expect("server name must be a valid server name"),
-
+ Some(name) => {
+ let name = webpki::DnsNameRef::try_from_ascii_str(name)
+ .expect("server name must be a valid server name");
+ webpki::SubjectNameRef::DnsName(name)
+ }
 None => {
 debug!("no SNI -> no certificate");
 return None;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 // Verify that our certificate is valid for the given SNI name.
 let c = self.0.cert.first()?;
 if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
- .and_then(|c| c.verify_is_valid_for_dns_name(server_name))
+ .and_then(|c| c.verify_is_valid_for_subject_name(server_name))
 {
 debug!(%error, "Local certificate is not valid for SNI");
 return None;
diff --git a/linkerd/meshtls/rustls/src/server.rs b/linkerd/meshtls/rustls/src/server.rs
index 2cdcb6a381..43b0e63652 100644
--- a/linkerd/meshtls/rustls/src/server.rs
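Review bot: The re-added `.expect("server name must be a valid server name")` in the `Some(name)` arm turns a client-supplied SNI value into a panic inside `resolve()`, a path every remote peer reaches simply by opening a TLS connection. That was defensible while this crate and rustls validated names with the same `webpki`, but after this change the lockfile carries both `rustls-webpki 0.101.5` (used by this call) and `webpki 0.22.1` (still pulled in by `tokio-rustls 0.23`), so the two parsers can disagree on edge-case hostnames — presumably rustls has already parsed the SNI before handing it over, but nothing guarantees 0.22's and 0.101's DNS-name rules stay identical. A name rustls accepts and 0.101 rejects then becomes a process-wide panic instead of one refused handshake. Returning `None` on `Err`, mirroring the existing `no SNI -> no certificate` branch, keeps the failure scoped to that connection; note that `resolve()` begins and ends outside this hunk.
```rust
        let server_name = match hello.server_name() {
            Some(name) => match webpki::DnsNameRef::try_from_ascii_str(name) {
                Ok(name) => webpki::SubjectNameRef::DnsName(name),
                Err(error) => {
                    debug!(%error, "SNI is not a valid DNS name");
                    return None;
                }
            },
            // … unchanged: `None` arm …
```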
+++ b/linkerd/meshtls/rustls/src/server.rs
@@ -130,18 +130,13 @@ fn client_identity(tls: &tokio_rustls::server::TlsStream) -> Option {
- let s: &str = (*n).into();
- s.parse().ok().map(ClientId)
- }
- webpki::GeneralDnsNameRef::Wildcard(_) => {
- // Wildcards can perhaps be handled in a future path...
- None
- }
+ let name: &str = end_cert.dns_names().ok()?.next().map(Into::into)?;
+ if name == "*" {
+ // Wildcards can perhaps be handled in a future path...
+ return None;
+ }
+
+ name.parse().ok().map(ClientId)
 }
 // === impl ServerIo ===
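Review bot: The guard `if name == "*"` does not cover what the removed `GeneralDnsNameRef::Wildcard(_)` arm covered: a wildcard SAN is `*.example.com`, never the bare string `*`, so a peer certificate whose first DNS SAN is a wildcard now falls through to `name.parse().ok().map(ClientId)` instead of being rejected. Whether that produces a `ClientId` depends on `ClientId`'s `FromStr`, which is not in the hunk; if it tolerates a leading `*.` label, a wildcard cert would be accepted as a concrete client identity, which the retained comment says is deliberately not supported yet. Checking the label shape restores the old behaviour in one line: `if name.starts_with("*.") {`. If `rustls-webpki`'s `dns_names()` still yields `GeneralDnsNameRef`, matching on its `Wildcard` variant before the `Into` conversion would be more explicit than a string compare. The hunk appears truncated — the header announces 18 old and 13 new lines but the leading context of `client_identity` (everything before `let s`) is missing, so how `end_cert` is obtained is not visible here.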