Bug 1807884 - Update warp to 0.3.3. r=webdriver-reviewers,supply-chain-reviewers,whimboo

Differential Revision: https://phabricator.services.mozilla.com/D165651

.cargo/config.in

@@ -30,6 +30,11 @@ git = "https://github.com/gfx-rs/wgpu"
 rev = "186a29c34d54d8628bbebb998a537210ac565b71"
 replace-with = "vendored-sources"
 
+[source."https://github.com/glandium/warp"]
+git = "https://github.com/glandium/warp"
+rev = "4af45fae95bc98b0eba1ef0db17e1dac471bb23d"
+replace-with = "vendored-sources"
+
 [source."https://github.com/hsivonen/chardetng"]
 git = "https://github.com/hsivonen/chardetng"
 rev = "3484d3e3ebdc8931493aa5df4d7ee9360a90e76b"

Cargo.lock

@@ -2455,7 +2455,7 @@ dependencies = [
  "indexmap",
  "slab",
  "tokio 1.17.0",
- "tokio-util 0.7.2",
+ "tokio-util",
  "tracing",
 ]
 
@@ -5509,13 +5509,6 @@ dependencies = [
  "tokio-executor",
 ]
 
-[[package]]
-name = "tokio-util"
-version = "0.6.999"
-dependencies = [
- "tokio-util 0.7.2",
-]
-
 [[package]]
 name = "tokio-util"
 version = "0.7.2"
@@ -6020,9 +6013,8 @@ dependencies = [
 
 [[package]]
 name = "warp"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cef4e1e9114a4b7f1ac799f16ce71c14de5778500c5450ec6b7b920c55b587e"
+version = "0.3.3"
+source = "git+https://github.com/glandium/warp?rev=4af45fae95bc98b0eba1ef0db17e1dac471bb23d#4af45fae95bc98b0eba1ef0db17e1dac471bb23d"
 dependencies = [
  "bytes 1.3.0",
  "futures-channel",
@@ -6041,7 +6033,7 @@ dependencies = [
  "serde_urlencoded",
  "tokio 1.17.0",
  "tokio-stream",
- "tokio-util 0.6.999",
+ "tokio-util",
  "tower-service",
  "tracing",
 ]

Cargo.toml

@@ -104,9 +104,6 @@ memmap2 = { path = "build/rust/memmap2" }
 # Patch getrandom 0.7 to 0.8
 rand = { path = "build/rust/rand" }
 
-# Patch tokio-util 0.6 to 0.7
-tokio-util = { path = "build/rust/tokio-util" }
-
 # Patch env_logger 0.8 to 0.9
 env_logger = { path = "build/rust/env_logger" }
 
@@ -164,6 +161,8 @@ libudev-sys = { path = "dom/webauthn/libudev-sys" }
 packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/packed_simd", rev="412f9a0aa556611de021bde89dee8fefe6e0fbbd" }
 midir = { git = "https://github.com/mozilla/midir.git", rev = "519e651241e867af3391db08f9ae6400bc023e18" }
 minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" }
+# warp 0.3.3 + https://github.com/seanmonstar/warp/pull/1007
+warp = { git = "https://github.com/glandium/warp", rev = "4af45fae95bc98b0eba1ef0db17e1dac471bb23d" }
 
 # application-services overrides to make updating them all simpler.
 interrupt-support = { git = "https://github.com/mozilla/application-services", rev = "51b984ecb21ba00694c3eee33364123a064a7cbb" }

build/rust/tokio-util/Cargo.toml

@@ -1,24 +0,0 @@
-[package]
-name = "tokio-util"
-version = "0.6.999"
-edition = "2018"
-license = "MPL-2.0"
-
-[lib]
-path = "lib.rs"
-
-[dependencies.tokio-util]
-version = "0.7"
-default-features = false
-
-[features]
-__docs_rs = ["tokio-util/__docs_rs"]
-codec = ["tokio-util/codec"]
-compat = ["tokio-util/compat"]
-default = ["tokio-util/default"]
-full = ["tokio-util/full"]
-io = ["tokio-util/io"]
-io-util = ["tokio-util/io-util"]
-net = ["tokio-util/net"]
-rt = ["tokio-util/rt"]
-time = ["tokio-util/time"]

build/rust/tokio-util/lib.rs

@@ -1,5 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-pub use tokio_util::*;

supply-chain/audits.toml

@@ -2266,6 +2266,11 @@ criteria = "safe-to-deploy"
 version = "1.0.2"
 notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing."
 
+[[audits.warp]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.2 -> 0.3.3"
+
 [[audits.wasm-encoder]]
 who = "Ryan Hunt <rhunt@eqrion.net>"
 criteria = "safe-to-deploy"

supply-chain/config.toml

@@ -178,6 +178,10 @@ notes = "This is a first-party crate, normally vendored, but currently patched i
 audit-as-crates-io = false
 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
 
+[policy.warp]
+audit-as-crates-io = true
+notes = "This is a third-party crate, with an extra patch."
+
 [policy.webdriver]
 audit-as-crates-io = false
 criteria = "safe-to-run"

third_party/rust/warp/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [seanmonstar]

third_party/rust/warp/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Version**
+List the versions of all `warp` crates you are using. The easiest way to get
+this information is using `cargo-tree`.
+
+`cargo install cargo-tree`
+(see install here: https://github.com/sfackler/cargo-tree)
+
+Then:
+
+`cargo tree | grep warp`
+
+**Platform**
+The output of `uname -a` (UNIX), or version and 32 or 64-bit (Windows)
+
+**Description**
+Enter your issue details here.
+One way to structure the description:
+
+[short summary of the bug]
+
+I tried this code:
+
+[code sample that causes the bug]
+
+I expected to see this happen: [explanation]
+
+Instead, this happened: [explanation]

third_party/rust/warp/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://discord.gg/RFsPjyt
+    about: 'Please post your question on the #warp discord channel. You may
+           also be able to find help at https://users.rust-lang.org/.'

third_party/rust/warp/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: feature
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

third_party/rust/warp/.github/workflows/ci.yml

@@ -0,0 +1,97 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  style:
+    name: Check Style
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Install rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          components: rustfmt
+          profile: minimal
+          override: true
+
+      - name: cargo fmt -- --check
+        uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --all -- --check
+
+  test:
+    name: Test
+    needs: [style]
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        build: [stable, beta, nightly, tls, no-default-features, compression]
+
+        include:
+          - build: beta
+            rust: beta
+          - build: nightly
+            rust: nightly
+            benches: true
+          - build: tls
+            features: "--features tls"
+          - build: no-default-features
+            features: "--no-default-features"
+          - build: compression
+            features: "--features compression"
+
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Install rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: ${{ matrix.rust || 'stable' }}
+          profile: minimal
+          override: true
+
+      - name: Test
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: ${{ matrix.features }}
+
+      - name: Test all benches
+        if: matrix.benches
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --benches ${{ matrix.features }}
+
+  doc:
+    name: Build docs
+    needs: [style, test]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Install Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: nightly
+          override: true
+
+      - name: cargo doc
+        uses: actions-rs/cargo@v1
+        with:
+          command: rustdoc
+          args: -- -D broken_intra_doc_links

third_party/rust/warp/CHANGELOG.md

@@ -1,3 +1,8 @@
+### v0.3.3 (September 27, 2022)
+
+- **Fixes**:
+  - Fix `fs` filters path sanitization to reject colons on Windows.
+
 ### v0.3.2 (November 9, 2021)
 
 - **Features**:
@@ -316,4 +321,4 @@
 
 ## v0.1.0 (August 1, 2018)
 
-- Intial release.
+- Initial release.

third_party/rust/warp/Cargo.toml

@@ -1,38 +1,84 @@
-# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
-#
-# When uploading crates to the registry Cargo will automatically
-# "normalize" Cargo.toml files for maximal compatibility
-# with all versions of Cargo and also rewrite `path` dependencies
-# to registry (e.g., crates.io) dependencies.
-#
-# If you are reading this file be aware that the original Cargo.toml
-# will likely look very different (and much more reasonable).
-# See Cargo.toml.orig for the original contents.
-
 [package]
-edition = "2018"
 name = "warp"
-version = "0.3.2"
-authors = ["Sean McArthur <sean@seanmonstar.com>"]
-autoexamples = true
-autotests = true
+version = "0.3.3" # don't forget to update html_root_url
 description = "serve the web at warp speeds"
-documentation = "https://docs.rs/warp"
-readme = "README.md"
-keywords = ["warp", "server", "http", "hyper"]
-categories = ["web-programming::http-server"]
+authors = ["Sean McArthur <sean@seanmonstar.com>"]
 license = "MIT"
+readme = "README.md"
+documentation = "https://docs.rs/warp"
 repository = "https://github.com/seanmonstar/warp"
+categories = ["web-programming::http-server"]
+keywords = ["warp", "server", "http", "hyper"]
+autotests = true
+autoexamples = true
+edition = "2018"
+
 [package.metadata.docs.rs]
 all-features = true
-[profile.bench]
-codegen-units = 1
-incremental = false
+
+[dependencies]
+async-compression = { version = "0.3.7", features = ["tokio"], optional = true }
+bytes = "1.0"
+futures-util = { version = "0.3", default-features = false, features = ["sink"] }
+futures-channel = { version = "0.3.17", features = ["sink"]}
+headers = "0.3"
+http = "0.2"
+hyper = { version = "0.14", features = ["stream", "server", "http1", "http2", "tcp", "client"] }
+log = "0.4"
+mime = "0.3"
+mime_guess = "2.0.0"
+multipart = { version = "0.18", default-features = false, features = ["server"], optional = true }
+scoped-tls = "1.0"
+serde = "1.0"
+serde_json = "1.0"
+serde_urlencoded = "0.7"
+tokio = { version = "1.0", features = ["fs", "sync", "time"] }
+tokio-stream = "0.1.1"
+tokio-util = { version = "0.7", features = ["io"] }
+tracing = { version = "0.1.21", default-features = false, features = ["log", "std"] }
+tower-service = "0.3"
+tokio-tungstenite = { version = "0.17", optional = true }
+percent-encoding = "2.1"
+pin-project = "1.0"
+tokio-rustls = { version = "0.23", optional = true }
+rustls-pemfile = { version = "0.2", optional = true }
+
+[dev-dependencies]
+pretty_env_logger = "0.4"
+tracing-subscriber = "0.2.7"
+tracing-log = "0.1"
+serde_derive = "1.0"
+handlebars = "4.0"
+tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
+tokio-stream = { version = "0.1.1", features = ["net"] }
+listenfd = "0.3"
+
+[features]
+default = ["multipart", "websocket"]
+websocket = ["tokio-tungstenite"]
+tls = ["tokio-rustls", "rustls-pemfile"]
+
+# Enable compression-related filters
+compression = ["compression-brotli", "compression-gzip"]
+compression-brotli = ["async-compression/brotli"]
+compression-gzip = ["async-compression/deflate", "async-compression/gzip"]
 
 [profile.release]
 codegen-units = 1
 incremental = false
 
+[profile.bench]
+codegen-units = 1
+incremental = false
+
+[[test]]
+name = "multipart"
+required-features = ["multipart"]
+
+[[test]]
+name = "ws"
+required-features = ["websocket"]
+
 [[example]]
 name = "compression"
 required-features = ["compression"]
@@ -50,130 +96,3 @@ required-features = ["websocket"]
 
 [[example]]
 name = "query_string"
-
-[[test]]
-name = "multipart"
-required-features = ["multipart"]
-
-[[test]]
-name = "ws"
-required-features = ["websocket"]
-[dependencies.async-compression]
-version = "0.3.7"
-features = ["tokio"]
-optional = true
-
-[dependencies.bytes]
-version = "1.0"
-
-[dependencies.futures-channel]
-version = "0.3.17"
-features = ["sink"]
-
-[dependencies.futures-util]
-version = "0.3"
-features = ["sink"]
-default-features = false
-
-[dependencies.headers]
-version = "0.3"
-
-[dependencies.http]
-version = "0.2"
-
-[dependencies.hyper]
-version = "0.14"
-features = ["stream", "server", "http1", "http2", "tcp", "client"]
-
-[dependencies.log]
-version = "0.4"
-
-[dependencies.mime]
-version = "0.3"
-
-[dependencies.mime_guess]
-version = "2.0.0"
-
-[dependencies.multipart]
-version = "0.18"
-features = ["server"]
-optional = true
-default-features = false
-
-[dependencies.percent-encoding]
-version = "2.1"
-
-[dependencies.pin-project]
-version = "1.0"
-
-[dependencies.scoped-tls]
-version = "1.0"
-
-[dependencies.serde]
-version = "1.0"
-
-[dependencies.serde_json]
-version = "1.0"
-
-[dependencies.serde_urlencoded]
-version = "0.7"
-
-[dependencies.tokio]
-version = "1.0"
-features = ["fs", "sync", "time"]
-
-[dependencies.tokio-rustls]
-version = "0.22"
-optional = true
-
-[dependencies.tokio-stream]
-version = "0.1.1"
-
-[dependencies.tokio-tungstenite]
-version = "0.15"
-optional = true
-
-[dependencies.tokio-util]
-version = "0.6"
-features = ["io"]
-
-[dependencies.tower-service]
-version = "0.3"
-
-[dependencies.tracing]
-version = "0.1.21"
-features = ["log", "std"]
-default-features = false
-[dev-dependencies.handlebars]
-version = "4.0"
-
-[dev-dependencies.listenfd]
-version = "0.3"
-
-[dev-dependencies.pretty_env_logger]
-version = "0.4"
-
-[dev-dependencies.serde_derive]
-version = "1.0"
-
-[dev-dependencies.tokio]
-version = "1.0"
-features = ["macros", "rt-multi-thread"]
-
-[dev-dependencies.tokio-stream]
-version = "0.1.1"
-features = ["net"]
-
-[dev-dependencies.tracing-log]
-version = "0.1"
-
-[dev-dependencies.tracing-subscriber]
-version = "0.2.7"
-
-[features]
-compression = ["compression-brotli", "compression-gzip"]
-compression-brotli = ["async-compression/brotli"]
-compression-gzip = ["async-compression/deflate", "async-compression/gzip"]
-default = ["multipart", "websocket"]
-tls = ["tokio-rustls"]
-websocket = ["tokio-tungstenite"]

third_party/rust/warp/src/filters/fs.rs

@@ -123,7 +123,10 @@ fn sanitize_path(base: impl AsRef<Path>, tail: &str) -> Result<PathBuf, Rejectio
             tracing::warn!("dir: rejecting segment starting with '..'");
             return Err(reject::not_found());
         } else if seg.contains('\\') {
-            tracing::warn!("dir: rejecting segment containing with backslash (\\)");
+            tracing::warn!("dir: rejecting segment containing backslash (\\)");
+            return Err(reject::not_found());
+        } else if cfg!(windows) && seg.contains(':') {
+            tracing::warn!("dir: rejecting segment containing colon (:)");
             return Err(reject::not_found());
         } else {
             buf.push(seg);

third_party/rust/warp/src/filters/trace.rs

@@ -238,35 +238,39 @@ mod internal {
     use tracing::Span;
 
     fn finished_logger<E: IsReject>(reply: &Result<(Traced,), E>) {
-        match reply {
-            Ok((Traced(resp),)) => {
-                tracing::info!(target: "warp::filters::trace", status = resp.status().as_u16(), "finished processing with success");
-            }
-            Err(e) if e.status().is_server_error() => {
-                tracing::error!(
-                    target: "warp::filters::trace",
-                    status = e.status().as_u16(),
-                    error = ?e,
-                    "unable to process request (internal error)"
-                );
-            }
-            Err(e) if e.status().is_client_error() => {
-                tracing::warn!(
-                    target: "warp::filters::trace",
-                    status = e.status().as_u16(),
-                    error = ?e,
-                    "unable to serve request (client error)"
-                );
-            }
-            Err(e) => {
-                // Either informational or redirect
-                tracing::info!(
-                    target: "warp::filters::trace",
-                    status = e.status().as_u16(),
-                    result = ?e,
+        let (status, error) = match reply {
+            Ok((Traced(resp),)) => (resp.status(), None),
+            Err(error) => (error.status(), Some(error)),
+        };
+
+        if status.is_success() {
+            tracing::info!(
+                target: "warp::filters::trace",
+                status = status.as_u16(),
+                "finished processing with success"
+            );
+        } else if status.is_server_error() {
+            tracing::error!(
+                target: "warp::filters::trace",
+                status = status.as_u16(),
+                error = ?error,
+                "unable to process request (internal error)"
+            );
+        } else if status.is_client_error() {
+            tracing::warn!(
+                target: "warp::filters::trace",
+                status = status.as_u16(),
+                error = ?error,
+                "unable to serve request (client error)"
+            );
+        } else {
+            // Either informational or redirect
+            tracing::info!(
+                target: "warp::filters::trace",
+                status = status.as_u16(),
+                error = ?error,
                     "finished processing with status"
-                );
-            }
+            );
         }
     }
 

third_party/rust/warp/src/filters/ws.rs

@@ -373,6 +373,7 @@ impl Message {
             protocol::Message::Ping(ref v) => v,
             protocol::Message::Pong(ref v) => v,
             protocol::Message::Close(_) => &[],
+            protocol::Message::Frame(ref frame) => frame.payload(),
         }
     }
 

third_party/rust/warp/src/lib.rs

@@ -1,4 +1,4 @@
-#![doc(html_root_url = "https://docs.rs/warp/0.3.2")]
+#![doc(html_root_url = "https://docs.rs/warp/0.3.3")]
 #![deny(missing_docs)]
 #![deny(missing_debug_implementations)]
 #![deny(rust_2018_idioms)]

third_party/rust/warp/src/reject.rs

@@ -28,7 +28,7 @@
 //! #[derive(Debug)]
 //! struct InvalidParameter;
 //!
-//! impl reject::Reject for InvalidParameter {};
+//! impl reject::Reject for InvalidParameter {}
 //!
 //! // Custom rejection handler that maps rejections into responses.
 //! async fn handle_rejection(err: Rejection) -> Result<impl Reply, std::convert::Infallible> {
@@ -42,23 +42,18 @@
 //!     }
 //! }
 //!
-//! #[tokio::main]
-//! async fn main() {
 //!
-//!     // Filter on `/:id`, but reject with InvalidParameter if the `id` is `0`.
-//!     // Recover from this rejection using a custom rejection handler.
-//!     let route = warp::path::param()
-//!         .and_then(|id: u32| async move {
-//!             if id == 0 {
-//!                 Err(warp::reject::custom(InvalidParameter))
-//!             } else {
-//!                 Ok("id is valid")
-//!             }
-//!         })
-//!         .recover(handle_rejection);
-//!
-//!     warp::serve(route).run(([127, 0, 0, 1], 3030)).await;
-//! }
+//! // Filter on `/:id`, but reject with InvalidParameter if the `id` is `0`.
+//! // Recover from this rejection using a custom rejection handler.
+//! let route = warp::path::param()
+//!     .and_then(|id: u32| async move {
+//!         if id == 0 {
+//!             Err(warp::reject::custom(InvalidParameter))
+//!         } else {
+//!             Ok("id is valid")
+//!         }
+//!     })
+//!     .recover(handle_rejection);
 //! ```
 
 use std::any::Any;

third_party/rust/warp/src/test.rs

@@ -48,7 +48,7 @@
 //!
 //!     // Or simply test if a request matches (doesn't reject).
 //!     assert!(
-//!         !warp::test::request()
+//!         warp::test::request()
 //!             .path("/1/-5")
 //!             .matches(&filter)
 //!             .await

third_party/rust/warp/src/tls.rs

@@ -15,8 +15,8 @@ use hyper::server::conn::{AddrIncoming, AddrStream};
 
 use crate::transport::Transport;
 use tokio_rustls::rustls::{
-    AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
-    RootCertStore, ServerConfig, TLSError,
+    server::{AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth},
+    Certificate, Error as TlsError, PrivateKey, RootCertStore, ServerConfig,
 };
 
 /// Represents errors that can occur building the TlsConfig
@@ -32,7 +32,7 @@ pub(crate) enum TlsConfigError {
     /// An error from an empty key
     EmptyKey,
     /// An error from an invalid key
-    InvalidKey(TLSError),
+    InvalidKey(TlsError),
 }
 
 impl fmt::Display for TlsConfigError {
@@ -169,8 +169,11 @@ impl TlsConfigBuilder {
 
     pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
         let mut cert_rdr = BufReader::new(self.cert);
-        let cert = tokio_rustls::rustls::internal::pemfile::certs(&mut cert_rdr)
-            .map_err(|()| TlsConfigError::CertParseError)?;
+        let cert = rustls_pemfile::certs(&mut cert_rdr)
+            .map_err(|_e| TlsConfigError::CertParseError)?
+            .into_iter()
+            .map(Certificate)
+            .collect();
 
         let key = {
             // convert it to Vec<u8> to allow reading it again if key is RSA
@@ -183,21 +186,17 @@ impl TlsConfigBuilder {
                 return Err(TlsConfigError::EmptyKey);
             }
 
-            let mut pkcs8 = tokio_rustls::rustls::internal::pemfile::pkcs8_private_keys(
-                &mut key_vec.as_slice(),
-            )
-            .map_err(|()| TlsConfigError::Pkcs8ParseError)?;
+            let mut pkcs8 = rustls_pemfile::pkcs8_private_keys(&mut key_vec.as_slice())
+                .map_err(|_e| TlsConfigError::Pkcs8ParseError)?;
 
             if !pkcs8.is_empty() {
-                pkcs8.remove(0)
+                PrivateKey(pkcs8.remove(0))
             } else {
-                let mut rsa = tokio_rustls::rustls::internal::pemfile::rsa_private_keys(
-                    &mut key_vec.as_slice(),
-                )
-                .map_err(|()| TlsConfigError::RsaParseError)?;
+                let mut rsa = rustls_pemfile::rsa_private_keys(&mut key_vec.as_slice())
+                    .map_err(|_e| TlsConfigError::RsaParseError)?;
 
                 if !rsa.is_empty() {
-                    rsa.remove(0)
+                    PrivateKey(rsa.remove(0))
                 } else {
                     return Err(TlsConfigError::EmptyKey);
                 }
@@ -207,13 +206,18 @@ impl TlsConfigBuilder {
         fn read_trust_anchor(
             trust_anchor: Box<dyn Read + Send + Sync>,
         ) -> Result<RootCertStore, TlsConfigError> {
-            let mut reader = BufReader::new(trust_anchor);
+            let trust_anchors = {
+                let mut reader = BufReader::new(trust_anchor);
+                rustls_pemfile::certs(&mut reader).map_err(TlsConfigError::Io)?
+            };
+
             let mut store = RootCertStore::empty();
-            if let Ok((0, _)) | Err(()) = store.add_pem_file(&mut reader) {
-                Err(TlsConfigError::CertParseError)
-            } else {
-                Ok(store)
+            let (added, _skipped) = store.add_parsable_certificates(&trust_anchors);
+            if added == 0 {
+                return Err(TlsConfigError::CertParseError);
             }
+
+            Ok(store)
         }
 
         let client_auth = match self.client_auth {
@@ -226,11 +230,12 @@ impl TlsConfigBuilder {
             }
         };
 
-        let mut config = ServerConfig::new(client_auth);
-        config
-            .set_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
-            .map_err(|err| TlsConfigError::InvalidKey(err))?;
-        config.set_protocols(&["h2".into(), "http/1.1".into()]);
+        let mut config = ServerConfig::builder()
+            .with_safe_defaults()
+            .with_client_cert_verifier(client_auth.into())
+            .with_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
+            .map_err(TlsConfigError::InvalidKey)?;
+        config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
         Ok(config)
     }
 }