remove disable cert verification because it panics

client/build.sh

@@ -23,18 +23,20 @@ else
 	WASMOPTFLAGS=""
 fi
 
-mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
-(
-	G="--generate-global-effects"
-	time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory --traps-never-happen \
-		out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \
-		--converge \
-		$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
-		$G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz \
-		$G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \
-		$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
-		$G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz 
-)
+if [ "${RELEASE:-0}" = "1" ]; then
+	mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
+	(
+		G="--generate-global-effects"
+		time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory \
+			out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \
+			--converge \
+			$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
+			$G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz \
+			$G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \
+			$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
+			$G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz 
+	)
+fi
 echo "[epx] wasm-opt finished"
 
 # === js ===

client/src/lib.rs

@@ -194,7 +194,6 @@ pub struct EpoxyClientOptions {
 	pub redirect_limit: usize,
 	#[wasm_bindgen(getter_with_clone)]
 	pub user_agent: String,
-	pub disable_certificate_validation: bool,
 	#[cfg(feature = "full")]
 	#[wasm_bindgen(getter_with_clone)]
 	pub pem_files: Vec<String>,
@@ -216,7 +215,6 @@ impl Default for EpoxyClientOptions {
             websocket_protocols: Vec::new(),
             redirect_limit: 10,
             user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36".to_string(),
-			disable_certificate_validation: false,
 			#[cfg(feature = "full")]
 			pem_files: Vec::new(),
         }
@@ -350,7 +348,7 @@ impl EpoxyClient {
 			client,
 			redirect_limit: options.redirect_limit,
 			user_agent: options.user_agent,
-			certs_tampered: options.disable_certificate_validation || !options.pem_files.is_empty(),
+			certs_tampered: !options.pem_files.is_empty(),
 		})
 	}
 

client/src/stream_provider.rs

@@ -87,18 +87,9 @@ impl StreamProvider {
 			}
 		}
 
-		let client_config = if options.disable_certificate_validation {
-			ClientConfig::builder()
-				.dangerous()
-				.with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
-					default_provider(),
-				)))
-				.with_no_client_auth()
-		} else {
-			ClientConfig::builder()
-				.with_root_certificates(certstore)
-				.with_no_client_auth()
-		};
+		let client_config = ClientConfig::builder()
+			.with_root_certificates(certstore)
+			.with_no_client_auth();
 		let client_config = Arc::new(client_config);
 
 		Ok(Self {

client/src/utils.rs

@@ -6,21 +6,12 @@ use std::{
 
 use async_trait::async_trait;
 use bytes::{buf::UninitSlice, BufMut, Bytes, BytesMut};
-use futures_rustls::{
-	rustls::{
-		self,
-		client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-		crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
-		DigitallySignedStruct,
-	},
-	TlsStream,
-};
+use futures_rustls::TlsStream;
 use futures_util::{ready, AsyncRead, AsyncWrite, Future, Stream, StreamExt, TryStreamExt};
 use http::{HeaderValue, Uri};
 use hyper::{body::Body, rt::Executor};
 use js_sys::{Array, ArrayBuffer, JsString, Object, Uint8Array};
 use pin_project_lite::pin_project;
-use rustls_pki_types::{CertificateDer, ServerName, UnixTime};
 use send_wrapper::SendWrapper;
 use wasm_bindgen::{prelude::*, JsCast, JsValue};
 use wasm_bindgen_futures::JsFuture;
@@ -314,60 +305,6 @@ impl AsyncWrite for IgnoreCloseNotify {
 	}
 }
 
-#[derive(Debug)]
-pub(crate) struct NoCertificateVerification(pub CryptoProvider);
-
-impl NoCertificateVerification {
-	pub fn new(provider: CryptoProvider) -> Self {
-		Self(provider)
-	}
-}
-
-impl ServerCertVerifier for NoCertificateVerification {
-	fn verify_server_cert(
-		&self,
-		_end_entity: &CertificateDer<'_>,
-		_intermediates: &[CertificateDer<'_>],
-		_server_name: &ServerName<'_>,
-		_ocsp: &[u8],
-		_now: UnixTime,
-	) -> Result<ServerCertVerified, rustls::Error> {
-		Ok(rustls::client::danger::ServerCertVerified::assertion())
-	}
-
-	fn verify_tls12_signature(
-		&self,
-		message: &[u8],
-		cert: &CertificateDer<'_>,
-		dss: &DigitallySignedStruct,
-	) -> Result<HandshakeSignatureValid, rustls::Error> {
-		verify_tls12_signature(
-			message,
-			cert,
-			dss,
-			&self.0.signature_verification_algorithms,
-		)
-	}
-
-	fn verify_tls13_signature(
-		&self,
-		message: &[u8],
-		cert: &CertificateDer<'_>,
-		dss: &DigitallySignedStruct,
-	) -> Result<HandshakeSignatureValid, rustls::Error> {
-		verify_tls13_signature(
-			message,
-			cert,
-			dss,
-			&self.0.signature_verification_algorithms,
-		)
-	}
-
-	fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
-		self.0.signature_verification_algorithms.supported_schemes()
-	}
-}
-
 pub fn is_redirect(code: u16) -> bool {
 	[301, 302, 303, 307, 308].contains(&code)
 }