[pve-devel] applied: [PATCH 1/2] openid connect: http client: use TlS platform verifier

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jul 21 18:52:32 CEST 2025


As otherwise a valid cert from Let's Encrypt got rejected as insecure
TLS.

It might be better to switch to proxmox-http sync client here, which
is ureq but better maintained code and less duplication.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 proxmox-openid/src/http_client.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/proxmox-openid/src/http_client.rs b/proxmox-openid/src/http_client.rs
index 7d383d5d..904a5bac 100755
--- a/proxmox-openid/src/http_client.rs
+++ b/proxmox-openid/src/http_client.rs
@@ -37,7 +37,12 @@ pub enum Error {
 }
 
 fn ureq_agent() -> Result<ureq::Agent, Error> {
-    let mut config = ureq::Agent::config_builder();
+    let mut config = ureq::Agent::config_builder().tls_config(
+        ureq::tls::TlsConfig::builder()
+            .provider(ureq::tls::TlsProvider::NativeTls)
+            .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+            .build(),
+    );
     if let Ok(val) = env::var("all_proxy").or_else(|_| env::var("ALL_PROXY")) {
         let proxy = ureq::Proxy::new(&val).map_err(Box::new)?;
         config = config.proxy(Some(proxy));
-- 
2.47.2





More information about the pve-devel mailing list