[pve-devel] [PATCH installer] common: http: add custom ureq connector for cert-fingerprint validation

Christoph Heiss c.heiss at proxmox.com
Wed Jun 25 14:22:01 CEST 2025 

Adds back custom TLS fingerprint validation for ureq 3. The API was
changed majorly, no longer providing the possibility to directly provide
a rustls `ClientConfig` to the agent.

Instead, a complete custom transport + connector must be provided to
ureq to achieve this.

Mostly based on ureq#1085 [0], which provides a example how to implement
something like this.

[0] https://github.com/algesten/ureq/pull/1085

Fixes: 2557dbf ("common: initial upgrade to ureq 3 and rustls 0.23")
Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
 proxmox-installer-common/src/http.rs | 145 +++++++++++++++++++++++++--
 1 file changed, 135 insertions(+), 10 deletions(-)

diff --git a/proxmox-installer-common/src/http.rs b/proxmox-installer-common/src/http.rs
index 08b9663..7662673 100644
--- a/proxmox-installer-common/src/http.rs
+++ b/proxmox-installer-common/src/http.rs
@@ -1,10 +1,17 @@
 use anyhow::Result;
-use rustls::ClientConfig;
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls::{ClientConfig, ClientConnection, StreamOwned};
 use sha2::{Digest, Sha256};
-use std::io::Read;
+use std::fmt;
+use std::io::{Read, Write};
 use std::sync::Arc;
+use std::time::Duration;
 use ureq::Agent;
+use ureq::unversioned::resolver::DefaultResolver;
+use ureq::unversioned::transport::{
+    Buffers, ConnectionDetails, Connector, Either, LazyBuffers, NextTimeout, TcpConnector,
+    Transport, TransportAdapter,
+};
 
 /// Builds an [`Agent`] with TLS suitable set up, depending whether a custom fingerprint was
 /// supplied or not. If a fingerprint was supplied, only matching certificates will be accepted.
@@ -18,19 +25,34 @@ use ureq::Agent;
 /// # Arguments
 /// * `fingerprint` - SHA256 cert fingerprint if certificate pinning should be used. Optional.
 fn build_agent(fingerprint: Option<&str>) -> Result<Agent> {
+    const GLOBAL_TIMEOUT: Duration = Duration::from_secs(60);
+
     if let Some(fingerprint) = fingerprint {
-        let tls_config = ClientConfig::builder()
+        // If the user specified a custom TLS fingerprint, we must use a custom
+        // `rustls::ClientConfig`, which in turns means to use a custom
+        // `Connector`.
+        let crypto_provider = rustls::crypto::CryptoProvider::get_default()
+            .cloned()
+            .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider()));
+
+        let tls_config = ClientConfig::builder_with_provider(crypto_provider)
+            .with_protocol_versions(rustls::ALL_VERSIONS)?
             .dangerous()
             .with_custom_certificate_verifier(VerifyCertFingerprint::new(fingerprint)?)
             .with_no_client_auth();
 
-        Ok(Agent::config_builder()
-            //.tls_config(tls_config) // FIXME: add custom ureq connector to manage rustls
-            .build()
-            .into())
+        let connector = UreqRustlsConnector::new(Arc::new(tls_config));
+
+        Ok(Agent::with_parts(
+            ureq::config::Config::builder()
+                .timeout_global(Some(GLOBAL_TIMEOUT))
+                .build(),
+            TcpConnector::default().chain(connector),
+            DefaultResolver::default(),
+        ))
     } else {
         Ok(Agent::config_builder()
-            .timeout_global(Some(std::time::Duration::from_secs(60)))
+            .timeout_global(Some(GLOBAL_TIMEOUT))
             .tls_config(
                 ureq::tls::TlsConfig::builder()
                     .root_certs(ureq::tls::RootCerts::PlatformVerifier)
@@ -59,8 +81,7 @@ pub fn get_as_bytes(url: &str, fingerprint: Option<&str>, max_size: usize) -> Re
 
     let (_, body) = build_agent(fingerprint)?.get(url).call()?.into_parts();
 
-    body
-        .into_reader()
+    body.into_reader()
         .take(max_size as u64)
         .read_to_end(&mut result)?;
 
@@ -158,3 +179,107 @@ impl rustls::client::danger::ServerCertVerifier for VerifyCertFingerprint {
             .supported_schemes()
     }
 }
+
+/// Mostly a copy of [ureq::unversioned::transport::RustlsConnector], with the exception of using
+/// our custom [ClientConfig].
+#[derive(Debug)]
+struct UreqRustlsConnector {
+    /// [ClientConfig] to use for the TLS connection(s).
+    config: Arc<ClientConfig>,
+}
+
+impl UreqRustlsConnector {
+    fn new(config: Arc<ClientConfig>) -> Self {
+        UreqRustlsConnector { config }
+    }
+}
+
+impl<In: Transport> Connector<In> for UreqRustlsConnector {
+    type Out = Either<In, UreqRustlsTransport>;
+
+    fn connect(
+        &self,
+        details: &ConnectionDetails,
+        chained: Option<In>,
+    ) -> Result<Option<Self::Out>, ureq::Error> {
+        let Some(transport) = chained else {
+            panic!("RustlConnector requires a chained transport");
+        };
+
+        if !details.needs_tls() || transport.is_tls() {
+            return Ok(Some(Either::A(transport)));
+        }
+
+        let name: ServerName<'_> = details
+            .uri
+            .authority()
+            .ok_or(ureq::Error::Tls("no naming authority for URI"))?
+            .host()
+            .try_into()
+            .map_err(|_| ureq::Error::Tls("invalid dns name"))?;
+
+        let conn = ClientConnection::new(self.config.clone(), name.to_owned())?;
+        let stream = StreamOwned {
+            conn,
+            sock: TransportAdapter::new(transport.boxed()),
+        };
+
+        let buffers = LazyBuffers::new(
+            details.config.input_buffer_size(),
+            details.config.output_buffer_size(),
+        );
+
+        let transport = UreqRustlsTransport { buffers, stream };
+
+        Ok(Some(Either::B(transport)))
+    }
+}
+
+/// Direct copy of ureq/tls/rustls.rs:RustlsTransport, which unfortunately is not
+/// made public by the crate.
+struct UreqRustlsTransport {
+    buffers: LazyBuffers,
+    stream: StreamOwned<ClientConnection, TransportAdapter>,
+}
+
+impl Transport for UreqRustlsTransport {
+    fn buffers(&mut self) -> &mut dyn Buffers {
+        &mut self.buffers
+    }
+
+    fn transmit_output(&mut self, amount: usize, timeout: NextTimeout) -> Result<(), ureq::Error> {
+        self.stream.get_mut().set_timeout(timeout);
+
+        let output = &self.buffers.output()[..amount];
+        self.stream.write_all(output)?;
+
+        Ok(())
+    }
+
+    fn await_input(&mut self, timeout: NextTimeout) -> Result<bool, ureq::Error> {
+        self.stream.get_mut().set_timeout(timeout);
+
+        let input = self.buffers.input_append_buf();
+        let amount = self.stream.read(input)?;
+        self.buffers.input_appended(amount);
+
+        Ok(amount > 0)
+    }
+
+    fn is_open(&mut self) -> bool {
+        self.stream.get_mut().get_mut().is_open()
+    }
+
+    fn is_tls(&self) -> bool {
+        true
+    }
+}
+
+impl fmt::Debug for UreqRustlsTransport {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("RustlsTransport")
+            .field("chained", &self.stream.sock.inner())
+            .field("buffers", &self.buffers)
+            .finish()
+    }
+}
-- 
2.49.0

More information about the pve-devel mailing list