Switch to native_tls

src/imap_client.rs

@@ -4,12 +4,11 @@ use async_imap::{
     types::{Capabilities, Fetch, Mailbox, Name},
     Client as ImapClient, Session as ImapSession,
 };
+use async_native_tls::TlsStream;
 use async_std::net::{self, TcpStream};
 use async_std::prelude::*;
-use async_std::sync::Arc;
-use async_tls::client::TlsStream;
 
-use crate::login_param::{dc_build_tls_config, CertificateChecks};
+use crate::login_param::{dc_build_tls, CertificateChecks};
 
 #[derive(Debug)]
 pub(crate) enum Client {
@@ -36,9 +35,9 @@ impl Client {
         certificate_checks: CertificateChecks,
     ) -> ImapResult<Self> {
         let stream = TcpStream::connect(addr).await?;
-        let tls_config = dc_build_tls_config(certificate_checks);
-        let tls_connector: async_tls::TlsConnector = Arc::new(tls_config).into();
-        let tls_stream = tls_connector.connect(domain.as_ref(), stream)?.await?;
+        let tls = dc_build_tls(certificate_checks)?;
+        let tls_connector: async_native_tls::TlsConnector = tls.into();
+        let tls_stream = tls_connector.connect(domain.as_ref(), stream).await?;
         let mut client = ImapClient::new(tls_stream);
         if std::env::var(crate::DCC_IMAP_DEBUG).is_ok() {
             client.debug = true;
@@ -74,10 +73,10 @@ impl Client {
     ) -> ImapResult<Client> {
         match self {
             Client::Insecure(client) => {
-                let tls_config = dc_build_tls_config(certificate_checks);
-                let tls: async_tls::TlsConnector = Arc::new(tls_config).into();
+                let tls = dc_build_tls(certificate_checks)?;
+                let tls_stream = tls.into();
 
-                let client_sec = client.secure(domain, &tls).await?;
+                let client_sec = client.secure(domain, &tls_stream).await?;
 
                 Ok(Client::Secure(client_sec))
             }

src/login_param.rs

@@ -4,10 +4,6 @@ use std::borrow::Cow;
 use std::fmt;
 
 use crate::context::Context;
-use async_std::sync::Arc;
-use rustls;
-use webpki;
-use webpki_roots;
 
 #[derive(Copy, Clone, Debug, Display, FromPrimitive)]
 #[repr(i32)]
@@ -262,43 +258,25 @@ fn get_readable_flags(flags: i32) -> String {
     res
 }
 
-pub struct NoCertificateVerification {}
-
-impl rustls::ServerCertVerifier for NoCertificateVerification {
-    fn verify_server_cert(
-        &self,
-        _roots: &rustls::RootCertStore,
-        _presented_certs: &[rustls::Certificate],
-        _dns_name: webpki::DNSNameRef<'_>,
-        _ocsp: &[u8],
-    ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-        Ok(rustls::ServerCertVerified::assertion())
-    }
-}
-
-pub fn dc_build_tls_config(certificate_checks: CertificateChecks) -> rustls::ClientConfig {
-    let mut config = rustls::ClientConfig::new();
-    config
-        .root_store
-        .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
-
+pub fn dc_build_tls(
+    certificate_checks: CertificateChecks,
+) -> Result<native_tls::TlsConnector, native_tls::Error> {
+    let mut tls_builder = native_tls::TlsConnector::builder();
     match certificate_checks {
-        CertificateChecks::Strict => {}
         CertificateChecks::Automatic => {
             // Same as AcceptInvalidCertificates for now.
             // TODO: use provider database when it becomes available
-            config
-                .dangerous()
-                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
+            tls_builder
+                .danger_accept_invalid_hostnames(true)
+                .danger_accept_invalid_certs(true)
         }
+        CertificateChecks::Strict => &mut tls_builder,
         CertificateChecks::AcceptInvalidCertificates
-        | CertificateChecks::AcceptInvalidCertificates2 => {
-            config
-                .dangerous()
-                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
-        }
+        | CertificateChecks::AcceptInvalidCertificates2 => tls_builder
+            .danger_accept_invalid_hostnames(true)
+            .danger_accept_invalid_certs(true),
     }
-    config
+    .build()
 }
 
 #[cfg(test)]

src/smtp/mod.rs

@@ -10,7 +10,7 @@ use async_std::task;
 use crate::constants::*;
 use crate::context::Context;
 use crate::events::Event;
-use crate::login_param::{dc_build_tls_config, LoginParam};
+use crate::login_param::{dc_build_tls, LoginParam};
 use crate::oauth2::*;
 
 #[derive(Debug, Fail)]
@@ -29,6 +29,14 @@ pub enum Error {
     ConnectionSetupFailure(#[cause] async_smtp::smtp::error::Error),
     #[fail(display = "SMTP: oauth2 error {:?}", _0)]
     Oauth2Error { address: String },
+    #[fail(display = "TLS error")]
+    Tls(#[cause] native_tls::Error),
+}
+
+impl From<native_tls::Error> for Error {
+    fn from(err: native_tls::Error) -> Error {
+        Error::Tls(err)
+    }
 }
 
 pub type Result<T> = std::result::Result<T, Error>;
@@ -81,7 +89,7 @@ impl Smtp {
         let domain = &lp.send_server;
         let port = lp.send_port as u16;
 
-        let tls_config = dc_build_tls_config(lp.smtp_certificate_checks);
+        let tls_config = dc_build_tls(lp.smtp_certificate_checks)?.into();
         let tls_parameters = ClientTlsParameters::new(domain.to_string(), tls_config);
 
         let (creds, mechanism) = if 0 != lp.server_flags & (DC_LP_AUTH_OAUTH2 as i32) {