resolver: err for dns-over-rustls w/o roots #2179
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Now addressed separately in #2181 |
If we find that we've constructed a Rustls root cert store that has no trust anchors, return an early error. This makes the problem obvious and avoids surfacing some other less specific error cause when we first try to validate a peer certificate with an empty root store. In order for our new early error to be surfaced correctly the `name_sever_pool.rs` `parallel_conn_loop` fn needs its error handling adjusted. Previously it would always compare the new error produced by trying to build the TLS config against the default error it starts its loop with, `ProtoErrorKind::NoConnections`. Since the error being returned is another `ProtoErrorKind`, and the error specificity comparison considers two `ProtoErrorKinds` equivalent in the general case, the default error was always returned and the new error thrown away.
cpu
force-pushed
the
cpu-err-no-rustls-roots
branch
from
b2d2ce1
to
cf30a1e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If we're setting up dns-over-rustls and find that we've constructed a Rustls root cert store that has no trust anchors, return an early error. This makes the problem obvious and avoids surfacing some other less specific error cause when we first try to validate a peer certificate with an empty root store.
In order for our new early error to be surfaced correctly the
name_sever_pool.rsparallel_conn_loopfn needs its error handling adjusted. Previously it would always compare the new error produced by trying to build the TLS config against the default error it starts its loop with,ProtoErrorKind::NoConnections. Since the error being returned is anotherProtoErrorKindthat isn'tNoRecordsFound,Io, orTimeoutthe error specificity comparison considers the two errors equivalent in the general case, and the default error was always returned and the new error thrown away.There is still a small mystery around why a more specific error from tokio-rustls isn't returned when peer validation inevitably fails. In my testing upstream we get a niceSee my comment here I think this is a side-effect of theio::Errorlikeerr: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }. I can't figure out where or why, but something in the Hickory DNS stack is reducing this down to just a simple io error with typeInvalidData- no nested source error or message.Cloneimpl onProtoErrorKind.Updates #2066