rtcompat: remove Letsencrypt/Rustls kludge (!3006) · Merge requests · The Tor Project / Core / Arti

Closes #2004 (closed)

Makes some minor adjustments to the custom rustls Verifier in rtcompat to remove an unnecessary workaround and delete some related code/files that are no longer needed.

TLDR; it's not necessary to instantiate a client::WebPkiServerVerifier here, so the kludge that was used to get it's builder to succeed by adding an unused Letsencrypt root certificate isn't needed and can be removed. The relevant methods the Verifier needs (verify_tls12_signature and verify_tls12_signature) can be called directly via the rustls::crypto crate, and the Verifier just needs an instance of the CryptoProvider's WebPkiSupportedAlgorithms.

For reference, the relevant bits of source code in rustls crate are here:

https://github.com/rustls/rustls/blob/main/rustls/src/webpki/server_verifier.rs#L134
https://github.com/rustls/rustls/blob/main/rustls/src/webpki/verify.rs#L155

Edited May 20, 2025 by retort-dev

rtcompat: remove Letsencrypt/Rustls kludge

Merge request reports