Apparently some providers fail the TLS connection with a "no_application_protocol" alert even when the "imap" protocol is requested for IMAP connections and the "smtp" protocol for SMTP connections. Fixes <https://github.com/deltachat/deltachat-core-rust/issues/5892>.
//! TLS support.
use anyhow::Result;
use async_native_tls::{Certificate, Protocol, TlsConnector, TlsStream};
use once_cell::sync::Lazy;
use tokio::io::{AsyncRead, AsyncWrite};
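// ISRG Root X1 (the Let's Encrypt root). It is missing from the system trust
// store on older Android devices (e.g. LG with Android 6 from 2017), so it is
// bundled and added to every connector built here.
// Certificate downloaded from https://letsencrypt.org/certificates/
//
// Parsed lazily on first use. The DER blob is embedded at compile time, so a
// parse failure can only mean a corrupted asset, which is a build bug rather
// than a runtime condition; the `expect` names that invariant.
static LETSENCRYPT_ROOT: Lazy<Certificate> = Lazy::new(|| {
    Certificate::from_der(include_bytes!(
        "../../assets/root-certificates/letsencrypt/isrgrootx1.der"
    ))
    .expect("bundled ISRG Root X1 certificate must be valid DER")
});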
/// Builds a [`TlsConnector`] for IMAP/SMTP connections.
///
/// The connector requires TLS 1.2 or newer, advertises `alpns` via ALPN, and
/// adds the bundled root certificate ([`LETSENCRYPT_ROOT`]) to the trusted roots.
///
/// With `strict_tls == true` the connector performs certificate and hostname
/// verification. With `strict_tls == false` it accepts invalid certificates
/// *and* mismatched hostnames: the connection is still encrypted, but the peer
/// is not authenticated, so an active attacker can impersonate the server.
/// Callers must only pass `false` when the user has explicitly opted out of
/// verification.
pub fn build_tls(strict_tls: bool, alpns: &[&str]) -> TlsConnector {
    let mut connector = TlsConnector::new()
        .min_protocol_version(Some(Protocol::Tlsv12))
        .request_alpns(alpns)
        .add_root_certificate(LETSENCRYPT_ROOT.clone());

    // Non-strict mode disables peer authentication entirely: no certificate
    // validation and no hostname check.
    if !strict_tls {
        connector = connector
            .danger_accept_invalid_hostnames(true)
            .danger_accept_invalid_certs(true);
    }

    connector
}
/// Upgrades `stream` to a TLS session with the server `hostname`.
///
/// `strict_tls` and `alpn` are forwarded to [`build_tls`]; see there for what
/// non-strict mode gives up. `hostname` is handed to the connector as the
/// server name, which is used for SNI and, in strict mode, for hostname
/// verification against the server certificate.
///
/// # Errors
///
/// Returns an error if the TLS handshake fails, for example because the
/// certificate does not verify in strict mode or because ALPN negotiation
/// fails (a "no_application_protocol" alert from the server).
pub async fn wrap_tls<T: AsyncRead + AsyncWrite + Unpin>(
    strict_tls: bool,
    hostname: &str,
    alpn: &[&str],
    stream: T,
) -> Result<TlsStream<T>> {
    Ok(build_tls(strict_tls, alpn)
        .connect(hostname, stream)
        .await?)
}
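#[cfg(test)]
mod tests {
    use super::*;

    /// Constructing the connector must not panic.
    ///
    /// The bundled root certificate (`LETSENCRYPT_ROOT`) is parsed lazily on
    /// first use, so this is where a corrupted asset would surface. Both
    /// strict and non-strict modes are exercised, with and without ALPN
    /// protocol names, since `request_alpns` is part of construction too.
    #[test]
    fn test_build_tls() {
        for strict_tls in [true, false] {
            let _ = build_tls(strict_tls, &[]);
            let _ = build_tls(strict_tls, &["imap"]);
        }
    }
}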