no functional change intended, since the callback there should implement
the same behavior.
With this, we can drop the dependency on itertools.
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
Cargo.toml | 3 +--
src/main.rs | 67 +++++++++++++++++++++--------------------------------
2 files changed, 28 insertions(+), 42 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 02ac3d1..99cb5d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,6 @@ hex = "0.4"
http = "1"
hyper = "1"
hyper-util = "0.1"
-itertools = "0.13"
openssl = "0.10"
percent-encoding = "2"
serde = { version = "1.0", features = ["derive"] }
@@ -26,5 +25,5 @@ tokio = { version = "1", features = ["io-std", "io-util",
"macros", "rt-multi-th
tokio-stream = { version = "0.1", features = ["io-util"] }
tokio-util = "0.7"
-proxmox-http = { version = "1", features = ["websocket", "client"] }
+proxmox-http = { version = "1", features = ["websocket", "client", "tls"] }
proxmox-sys = "1"
diff --git a/src/main.rs b/src/main.rs
index 6d86575..4328d64 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -25,7 +25,7 @@ use tokio_stream::StreamExt;
use proxmox_http::client::HttpsConnector;
use proxmox_http::websocket::{OpCode, WebSocket, WebSocketReader,
WebSocketWriter};
-use proxmox_http::Body;
+use proxmox_http::{Body, SslVerifyError};
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "kebab-case")]
@@ -142,48 +142,35 @@ impl CtrlTunnel {
}
let mut ssl_connector_builder =
SslConnector::builder(SslMethod::tls())?;
- if let Some(expected) = fingerprint {
+ if fingerprint.is_some() {
ssl_connector_builder.set_verify_callback(
openssl::ssl::SslVerifyMode::PEER,
- move |_valid, ctx| {
- let cert = match ctx.current_cert() {
- Some(cert) => cert,
- None => {
- // should not happen
- eprintln!("SSL context lacks current
certificate.");
- return false;
- }
- };
-
- // skip CA certificates, we only care about the peer cert
- let depth = ctx.error_depth();
- if depth != 0 {
- return true;
- }
-
- use itertools::Itertools;
- let fp = match
cert.digest(openssl::hash::MessageDigest::sha256()) {
- Ok(fp) => fp,
- Err(err) => {
- // should not happen
- eprintln!("failed to calculate certificate FP -
{}", err);
- return false;
+ move |valid, ctx| match proxmox_http::openssl_verify_callback(
+ valid,
+ ctx,
+ fingerprint.as_deref(),
+ ) {
+ Ok(()) => true,
+ Err(err) => {
+ match err {
+ SslVerifyError::NoCertificate => {
+ eprintln!("SSL context lacks current
certificate");
+ }
+ SslVerifyError::InvalidFingerprint(err) => {
+ eprintln!("failed to calculate certificate FP
- {err}")
+ }
+ SslVerifyError::FingerprintMismatch {
+ fingerprint,
+ expected,
+ } => {
+ eprintln!(
+ "certificate fingerprint does not match
expected fingerprint!"
+ );
+ eprintln!("expected: {expected}");
+ eprintln!("encountered: {fingerprint}");
+ }
+ SslVerifyError::UntrustedCertificate { .. } => {}
}
- };
- let fp_string = hex::encode(fp);
- let fp_string = fp_string
- .as_bytes()
- .chunks(2)
- .map(|v| unsafe { std::str::from_utf8_unchecked(v) })
- .join(":");
-
- let expected = expected.to_lowercase();
- if expected == fp_string {
- true
- } else {
- eprintln!("certificate fingerprint does not match
expected fingerprint!");
- eprintln!("expected: {}", expected);
- eprintln!("encountered: {}", fp_string);
false
}
},
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
