Check platform/system TLS certificates #7460

@fitzsim

Description

Are there plans to support platform TLS certificates for verifying the IMAP server? I would like to use Delta Chat with an IMAP server verified by custom certificates installed under /etc on Fedora; however, currently in Automatic and Strict modes I get an UnknownIssuer error. I would rather not have to select AcceptInvalidCertificates.

I tested cargo add rustls-platform-verifier and the following patch:

diff --git a/src/net/tls.rs b/src/net/tls.rs
index fce4abcb9..58193bdf7 100644
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -9,6 +9,8 @@
 
 use tokio_rustls::rustls::client::ClientSessionStore;
 
+use rustls_platform_verifier::BuilderVerifierExt;
+
 pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
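Review bot: the `use rustls_platform_verifier::BuilderVerifierExt;` import is only half of the dependency change; the Cargo.toml and Cargo.lock hunks produced by `cargo add rustls-platform-verifier` are not in the diff, so the patch as posted does not build on its own. When adding them, pin rustls-platform-verifier to a release built against the same rustls major version that tokio_rustls re-exports in this file (`tokio_rustls::rustls`): `BuilderVerifierExt` is implemented for that crate's `ConfigBuilder`, and with a mismatched rustls the `with_platform_verifier` call in the second hunk will not resolve.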
@@ -94,11 +96,8 @@ pub async fn wrap_rustls<'a>(
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
 ) -> Result<impl SessionStream + 'a> {
-    let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();
-    root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-
     let mut config = tokio_rustls::rustls::ClientConfig::builder()
-        .with_root_certificates(root_cert_store)
+        .with_platform_verifier()?
         .with_no_client_auth();
     config.alpn_protocols = if alpn.is_empty() {
         vec![]
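Review bot: removing the `webpki_roots::TLS_SERVER_ROOTS` store here changes the trust anchors on every platform, not only in the Fedora case from the description; the platform verifier reads the OS store (CryptoAPI, Security.framework, the Android trust manager, the system CA directory on Linux), and the patch does not say what happens when that store is empty or unavailable, for example in a minimal container image or on Android, where the crate needs its JNI context initialised before `with_platform_verifier()` can be used. Either keep the webpki roots as a fallback for those cases or document the new requirement. The `?` in `.with_platform_verifier()?` also assumes a crate release whose `with_platform_verifier()` returns a `Result`; earlier releases returned the builder directly, and the `?` would then fail to compile. Finally, if this was the only user of `webpki_roots`, the dependency should be dropped along with the two removed lines.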

on my setup and it seemed to work (I patched v2.22.0 then built and swapped deltachat-rpc-client under the v2.22.0 deltachat-desktop RPM). That said, I know there may be too many portability implications of using system certificates, and mine is sort of a niche use case, so feel free to close this as "won't fix".
