Log partial failures of rustls-native-certs

ctz · ctz · commit d8a025de8d5b · 2020-01-26T15:13:49.000Z
Continue if possible.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hyper-rustls"
-version = "0.19.1"
+version = "0.19.2"
 edition = "2018"
 authors = ["Joseph Birr-Pixton <jpixton@gmail.com>"]
 license = "Apache-2.0/ISC/MIT"
@@ -11,14 +11,15 @@ repository = "https://github.com/ctz/hyper-rustls"
 
 [dependencies]
 bytes = "0.5.2"
+log = "0.4.4"
 ct-logs = { version = "^0.6.0", optional = true }
 futures-util = "0.3.1"
 hyper = { version = "0.13.0", default-features = false }
 rustls = "0.16"
 tokio = "0.2.4"
 tokio-rustls = "0.12.1"
 webpki = "^0.21.0"
-rustls-native-certs = { version = "^0.1.0", optional = true }
+rustls-native-certs = { version = "0.2.1", optional = true }
 
 [dev-dependencies]
 tokio = { version = "0.2.4", features = ["io-std", "macros", "dns", "stream"] }
diff --git a/README.md b/README.md
@@ -12,6 +12,8 @@ By default clients verify certificates using the `rustls-native-certs` crate, wh
 the platform's root CAs.
 
 # Release history
+- Next release:
+  * Use newer rustls-native-certs which works in presence of invalid certificates.
 - 0.19.1 (2020-01-19):
   * Remove dependency on hyper's tcp feature.
 - 0.19.0 (2019-12-17):
diff --git a/src/connector.rs b/src/connector.rs
@@ -11,6 +11,7 @@ use std::{fmt, io};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::TlsConnector;
 use webpki::DNSNameRef;
+use log::warn;
 
 use crate::stream::MaybeHttpsStream;
 
@@ -33,8 +34,16 @@ impl HttpsConnector<HttpConnector> {
         http.enforce_http(false);
         let mut config = ClientConfig::new();
         config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-        config.root_store = rustls_native_certs::load_native_certs()
-            .expect("cannot access native cert store");
+        config.root_store = match rustls_native_certs::load_native_certs() {
+            Ok(store) => store,
+            Err((Some(store), err)) => {
+                warn!("Could not load all certificates: {:?}", err);
+                store
+            }
+            Err((None, err)) => {
+                Err(err).expect("cannot access native cert store")
+            }
+        };
         config.ct_logs = Some(&ct_logs::LOGS);
         HttpsConnector {
             http,
