Only load roots & root cert if using cert validation

squidowl · Apr 4, 2024 · 364db2e · 364db2e
1 parent 45f3e77
commit 364db2e
Showing 1 changed file with 13 additions and 12 deletions.
diff --git a/irc/src/connection/tls.rs b/irc/src/connection/tls.rs
@@ -20,23 +20,24 @@ pub async fn connect<'a>(
     client_cert_path: Option<&'a PathBuf>,
     client_key_path: Option<&'a PathBuf>,
 ) -> Result<TlsStream<TcpStream>, Error> {
-    let mut roots = rustls::RootCertStore::empty();
-
-    for cert in rustls_native_certs::load_native_certs()? {
-        roots.add(cert).unwrap();
-    }
-    if let Some(cert_path) = root_cert_path {
-        let cert_bytes = fs::read(&cert_path).await?;
-        let certs =
-            rustls_pemfile::certs(&mut Cursor::new(&cert_bytes)).collect::<Result<Vec<_>, _>>()?;
-        roots.add_parsable_certificates(certs);
-    }
-
     let builder = if accept_invalid_certs {
         rustls::ClientConfig::builder()
             .dangerous()
             .with_custom_certificate_verifier(Arc::new(AcceptInvalidCerts))
     } else {
+        let mut roots = rustls::RootCertStore::empty();
+
+        for cert in rustls_native_certs::load_native_certs()? {
+            roots.add(cert).unwrap();
+        }
+
+        if let Some(cert_path) = root_cert_path {
+            let cert_bytes = fs::read(&cert_path).await?;
+            let certs = rustls_pemfile::certs(&mut Cursor::new(&cert_bytes))
+                .collect::<Result<Vec<_>, _>>()?;
+            roots.add_parsable_certificates(certs);
+        }
+
         rustls::ClientConfig::builder().with_root_certificates(roots)
     };