Replace rustls-native-certs with rustls-platform-verifier

pendulum-project · Feb 27, 2025 · 3f83f6d · 3f83f6d
1 parent b91b7bb
commit 3f83f6d
Show file tree

Hide file tree

Showing 13 changed files with 312 additions and 149 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,7 +20,7 @@ homepage = "https://github.com/pendulum-project/ntpd-rs"
 readme = "./README.md"
 description = "Full-featured implementation of NTP with NTS support"
 publish = true
-rust-version = "1.70" # MSRV
+rust-version = "1.71" # MSRV
 
 # Because of the async runtime, we really want panics to cause an abort, otherwise
 # the binary can keep on running as a ghost
@@ -39,7 +39,7 @@ serde = { version = "1.0.145", features = ["derive"] }
 serde_json = "1.0"
 rand = "0.8.0"
 arbitrary = { version = "1.0" }
-libc = "0.2.145"
+libc = "0.2.150"
 tokio = "1.32"
 toml = { version = ">=0.6.0,<0.9.0", default-features = false, features = ["parse"] }
 async-trait = "0.1.67"
@@ -51,7 +51,7 @@ pps-time = "0.2.3"
 rustls23 = { package = "rustls", version = "0.23.16", features = ["logging", "std", "tls12"] }
 rustls-pemfile2 = { package = "rustls-pemfile", version = "2.0" }
 rustls-pki-types = "1.10"
-rustls-native-certs7 = { package = "rustls-native-certs", version = "0.7" }
+rustls-platform-verifier = "0.5.0"
 tokio-rustls = { version = "0.26.0", features = ["logging", "tls12"] } # testing only
 
 # crypto

diff --git a/clippy.toml b/clippy.toml
@@ -1 +1 @@
-msrv = "1.70"
+msrv = "1.71"
diff --git a/ntp-proto/Cargo.toml b/ntp-proto/Cargo.toml
@@ -29,7 +29,7 @@ serde.workspace = true
 rustls23.workspace = true
 rustls-pki-types.workspace = true
 rustls-pemfile2.workspace = true
-rustls-native-certs7.workspace = true
+rustls-platform-verifier.workspace = true
 arbitrary = { workspace = true, optional = true }
 aead.workspace = true
 aes-siv.workspace = true

diff --git a/ntp-proto/src/server.rs b/ntp-proto/src/server.rs
@@ -313,13 +313,9 @@ impl<T: std::hash::Hash + Eq> TimestampedCache<T> {
     }
 
     fn index(&self, item: &T) -> usize {
-        use std::hash::{BuildHasher, Hasher};
+        use std::hash::BuildHasher;
 
-        let mut hasher = self.randomstate.build_hasher();
-
-        item.hash(&mut hasher);
-
-        hasher.finish() as usize % self.elements.len()
+        self.randomstate.hash_one(item) as usize % self.elements.len()
     }
 
     fn is_allowed(&mut self, item: T, timestamp: Instant, cutoff: Duration) -> bool {

diff --git a/ntp-proto/src/tls_utils.rs b/ntp-proto/src/tls_utils.rs
@@ -86,15 +86,12 @@ mod rustls23_shim {
     pub type Certificate = rustls23::pki_types::CertificateDer<'static>;
     pub type PrivateKey = rustls23::pki_types::PrivateKeyDer<'static>;
 
+    pub use rustls_platform_verifier::Verifier as PlatformVerifier;
+
     pub mod pemfile {
-        pub use rustls_native_certs7::load_native_certs;
         pub use rustls_pemfile2::certs;
         pub use rustls_pemfile2::pkcs8_private_keys;
         pub use rustls_pemfile2::private_key;
-
-        pub fn rootstore_ref_shim(cert: &super::Certificate) -> super::Certificate {
-            cert.clone()
-        }
     }
 
     pub trait CloneKeyShim {}

diff --git a/ntp-proto/test-keys/end.fullchain.pem b/ntp-proto/test-keys/end.fullchain.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDsDCCApigAwIBAgIUeLa0dWVwCQr2akxP7Zrw3RDLAF8wDQYJKoZIhvcNAQEL
+MIIDsTCCApmgAwIBAgIUaNuir1ru01VEHIHC8baug66nkbQwDQYJKoZIhvcNAQEL
 BQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0y
-MzAxMjAwOTQ3MzhaGA80NzYwMTIxNzA5NDczOFowWTELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAsZmqWOnowHpN+nsLk0gqvsmZWPuwMBrnJrlDihyUmMXmf28CDXJL
-/aYDC/3a4EKIAz0uUnH6tCTK6jbmJhouGKnRpo9nS3ee3n0AENgPzcCaBgAoNYMM
-IT7en4a8olRviwKrMCX91fIorbuaUb0VFQ7BgfJhEvXVJinXcxkdTZJ4fztGE5Cy
-iqDGuJ1+EEABmDBrWCOr/gpF5HpAl9m6vbdhEWg3UvM02PAcBAn3z0Eno7O11vEK
-WDjZu6XWRLznY+cFEI0LvF8gLfilC15QgJdtb4+bh5jJsLHCCobBgARBdk50yhbj
-eQBwDOVMm2OJl5/BUl2OYbD/nK9dSUbT6wIDAQABo3AwbjAfBgNVHSMEGDAWgBR3
-Va6VsK3920NVj7trkQittchtpTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNV
-HREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFGWx6Z2EPXqL6pb+65eD/Dl4do/l
-MA0GCSqGSIb3DQEBCwUAA4IBAQCUEyM1M6EfDOkv9MHL3q1U72JvrKFx6lPDMTWd
-n/tWTILyQejETXWLmCxhle4JwIC+EQfAS6o/EFumgGvKp2xKuM4lS0ccaIBCCkjf
-bKkB5WxLppHPznxpv33f1DcU4WRNewBDra3FqJSGYGVjuHAPu4dZbPmU2bqhA22g
-0tdwFZyDC3b32CY40m8gbR7VvcymMufyOeLWImR6GVCm5N6SUVpYEPbL2PFHkvnq
-Z6SALFAeH/Um/uPsWemBPfxMXjq5dDKWaaigiC4wxdfpPqAfORrYbRWcCOoYQv2U
-9BO4LkL8OYBtG0IFuWU9eKpchFZgXbDjeoHFqBHz40yQ2yhk
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0y
+NTAyMjcwOTA3MTJaFw0yNjAyMjcwOTA3MTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDd0nhS+SWqtQMyIMuX
+/WMopeUH6u+WljlUEXpxZQKa3KL0+3r4byo51D8R6OF05zG3ANw4NCSMKfRBpK/+
+wb/QvVFi4Ib8wmrNJI019UE/gzbnDfg5QaMvztusAHZF2wkELRjgX/DdVBWXkQ1W
+jA9052XyPZs+zTbVg6Am6n3GOmKoCI2n0TIY9sKG+ZCJFfE+TzQU0z7r9OnvnT0Z
+BZ4poOgG8GbxTCr3dRfM+tLh8MLLMOZ3CKunGaMHD4zdeDm4l7fYZ6/jXVoZrbio
+2/uj9+KjhhKi+xTIBc8zug91piotN0uCuxdawgt0EtjaO4czQoLl3D/WNNSez4rl
+HLeVAgMBAAGjgYYwgYMwHwYDVR0jBBgwFoAUd1WulbCt/dtDVY+7a5EIrbXIbaUw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQWBBT18h+AQlYckl0KMVOGK14oPlsM
+NDANBgkqhkiG9w0BAQsFAAOCAQEAm6ZnJcT3IfF+1Y8P0NjkqG/U5CyPmEstwyFX
+zxnRP9ILmtQ2l+9V10KQ+STNKqyQWsfJ/+F71nKjOBzkS8cHDidVDZ1Y/3JoLByf
+sIbdA6XQVMLCNKDgLCJ33h8r0yDiucu1RRKQUIdMyLHnhNbPQtMpdFq8B2CjOi36
+tD36Ah/nAzVDCxUg2wvcc/aLqmMyZVmFqjjDtOqLlPQIJ4iiUT2MYw7avqVWq8br
+t0+3ezAGkMuTqjsBiTM/ov6l7OS12hFL/u+kA4lG38UuCkLoDjjG5QEu9d4q347l
+Y3C1v7K1YDXkXmX28sRQgAqzKVfTIRcbcvKgu4jx4EIhSjaNug==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDkTCCAnmgAwIBAgIUSJ4RLbU532cpXBrIPM0dgLjFoRowDQYJKoZIhvcNAQEL

diff --git a/ntp-proto/test-keys/end.key b/ntp-proto/test-keys/end.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCxmapY6ejAek36
-ewuTSCq+yZlY+7AwGucmuUOKHJSYxeZ/bwINckv9pgML/drgQogDPS5Scfq0JMrq
-NuYmGi4YqdGmj2dLd57efQAQ2A/NwJoGACg1gwwhPt6fhryiVG+LAqswJf3V8iit
-u5pRvRUVDsGB8mES9dUmKddzGR1Nknh/O0YTkLKKoMa4nX4QQAGYMGtYI6v+CkXk
-ekCX2bq9t2ERaDdS8zTY8BwECffPQSejs7XW8QpYONm7pdZEvOdj5wUQjQu8XyAt
-+KULXlCAl21vj5uHmMmwscIKhsGABEF2TnTKFuN5AHAM5UybY4mXn8FSXY5hsP+c
-r11JRtPrAgMBAAECggEASD/QKe22bx8SO/T0h40TPpw60xVI3rkDEiDKFhR8aw4P
-MAZT2m6F9YEkuisicJsAQ/kOsCGIMOLK3a9Jv3RlDkl/bXfnOK9IJRDLBw8ulrBk
-uE42DVbrh1bRMCqa8JrS6cVDKQo7kl66J7srE1eNjQx8skWNMi5p8OWSrVMpNZXT
-1jGXFHpHkZz4i5TSeovSKMPRHEpXB3QQRIV7izysxtyQiBgHyCgmxwva5vjRZGQN
-BZyZzDcxpRTVR8B8JvUoxKpNSFatPD2+d0JT/g8a26uLymJbwI+K6bDzTY900xR6
-ufH0pcw0nCgryAHp1Zt8+1hC43nblnnOxJwAJ6ad0QKBgQDgCCvcrlNO5AxsgkmT
-CRaSSIoaUF8+QZIhXXUL6wsdGKba5vND8Rjzdow4Ewy4vO/KGH7vvj9sv1mtV2bu
-kkHk5y6uA2FjUnbGHBxnHzv/mbNa3+q8sYFVF/QqTektqRXdLo98ButOZhTQX6I5
-6EIWHvLDeOlgczDcNPBJ5ZdziQKBgQDK8Vt3goNSCqWTsb+4OFS+KsS6Ncakxu9E
-rdWM2m8TSx5z71Jzp3Lj28rVmPrI5bFhwLFxWcHfipRP+xE1uo2Ga8CqXy6UuvVp
-1hbvzltwecAPeEzPD5hs7pWK7DmKLL3iUnl537CREP4UVwKCrHkt4xLZCaiTv5wn
-m2D36WVK0wKBgQCO0Ua8+TjMmx68cdZbcLi96pZ3rfL5qi1xLbX3MhC0rMl51S8R
-ifphAprjCGncvz2SNUl+pmaied2+XnCU+BIfzaz5a9hCzAhBxRvqNYQ3LpGjBgoL
-3pDXYVzbNy3GWPtCNHNuGq8ZHIR6Te0KQ2EV3wbdzA/i16w3RVxFj6KcGQKBgQCG
-7PjW+Bq/DP0QuPiyTiFpXZ31/5LWMr0ZeEmmoAOBXEwe4Fp9MjMccyDj6hWyQ6Qv
-TaGrrvVK3iPFGTNT+XfmivVJUIbzs2k+uGv/e78nhIrAvkay07ePlQAvoOaQizaj
-phnFgYcuq5GBjGfK4UifzXzWd6lwsc/sNU2/BZmmqQKBgQCD2PevU6thArwydWc3
-ALP+1VvS37n6XOp1ywqECNhUI2rJ8ShbIlF/kbB9ylPnei14cnn4oP04HP9ZFXkR
-yx+OWiTAepvQUFjIXDst+CIUVmeFhE5RcHpOyHioDA6eQ88fzE6sTOC0SvZFF04u
-+O3oaJs+4jqY2DpsCuqYZjBEug==
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDd0nhS+SWqtQMy
+IMuX/WMopeUH6u+WljlUEXpxZQKa3KL0+3r4byo51D8R6OF05zG3ANw4NCSMKfRB
+pK/+wb/QvVFi4Ib8wmrNJI019UE/gzbnDfg5QaMvztusAHZF2wkELRjgX/DdVBWX
+kQ1WjA9052XyPZs+zTbVg6Am6n3GOmKoCI2n0TIY9sKG+ZCJFfE+TzQU0z7r9Onv
+nT0ZBZ4poOgG8GbxTCr3dRfM+tLh8MLLMOZ3CKunGaMHD4zdeDm4l7fYZ6/jXVoZ
+rbio2/uj9+KjhhKi+xTIBc8zug91piotN0uCuxdawgt0EtjaO4czQoLl3D/WNNSe
+z4rlHLeVAgMBAAECggEAQ3Y8sONkEMA/ahHuSVm/PAAEIT3SwuYKJmawaecx/R4o
+E0CeXAsW+QJzcgN0+gRMKt+AmjlFejlSN1qaSezr5NSG+X7Wnu2T5LL+nU/rGaFS
+479sZCFxu1r6lRuI3OLqIZKDk82p5+4oKPHs8ArlsoSjjSIuYlGwIQyIev1q5guP
+sfzi2cYAHc6rySDBCtFmP9yIxwdhkYRIrDqGWGbtrGIsguyuOUjQHbkidX5FaWjs
+wj4ApcrYsFQcS/aeEWKqn0wjYTbm+MXXjfao5mAe+1jrPYXyvYs0GpkC3pt+rjS9
+XO4pohuFEnAvrxZ9JX0DEsnvUoi5C38TB2A/LRboewKBgQD0Z2ZTvTwk+fUb9IRD
+MRNCWuB8+eiHNZwTRx4v9ZHJQ9blfXirDV0thzV2loYvW1uI91iL4SIWLH1d/O5Z
+WtwrrTBtzKjiQaeIqopzJH/a1enm8vSTDuazb/n2nmfe49ZBkfgdCnBEEGu4HuZZ
+viPAdLTWLjimsiXOrBtzJBCFXwKBgQDoWMkoj+Lkx9ZGe3x5KqPMHI8UkEolsLXd
+dyC8qLLtQJKIGbJj+uk2I0cYnyTfVNi+nOu+Rt2EK187wkMid1encnxqUyDsKoBJ
+XGiSs9mqyc32DvGOH9X2heQ0FrnbNlaYozdW5jjXafFlV8dnpoX7wQnjMg329qDB
+2zVSainTiwKBgBNSPU+vbRrLO+pa2T3qmkgroQWgSBawUUdg3u0Rr9XGbC22TpzP
+MKeRwdM/MRp7UXAxhamBQc2Y9MxCW6Fqwm8dgO+dN1izsgfm240gvI7TTGt6l4Us
+r2ZOGue5PCLtxhlm7cN1+MwYtDtZDgLYOkFTuJwaCVZ8TOraxkzC9B9nAoGATPbk
+I4COKzSbIRvUnppmSb2IE8q8FQIVLDhC6tuC8Z47K8Q/WGkMCXfkHB7TavtDFNkM
+Kip1REvNrxDphig8K+Z7mgjRVgm6FxL6POZAixdwFzrZ/zdCe/fcIPkKNbgpNUST
+l0CJwamBYg2Sqx35Mey+5rh08cK+e5iucA9krYMCgYBe+4fUD9GC+GUjnsyzkjDT
+oNKbsFMcYrjLld9nQdeX2oViWudqU7cGlk3mwpWyX81UkEc1LRcnE3/FSdd4Pj1t
+xMUjq+fMXF2Au4w1NTZ4Exp6Vk8mz9gmsNuFfLKOKnr8x/MT89kYr7+959WlB0jE
+0ayKuXuHxFpY1rDFSJabaw==
 -----END PRIVATE KEY-----
diff --git a/ntp-proto/test-keys/end.pem b/ntp-proto/test-keys/end.pem
@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDsDCCApigAwIBAgIUeLa0dWVwCQr2akxP7Zrw3RDLAF8wDQYJKoZIhvcNAQEL
+MIIDsTCCApmgAwIBAgIUaNuir1ru01VEHIHC8baug66nkbQwDQYJKoZIhvcNAQEL
 BQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0y
-MzAxMjAwOTQ3MzhaGA80NzYwMTIxNzA5NDczOFowWTELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAsZmqWOnowHpN+nsLk0gqvsmZWPuwMBrnJrlDihyUmMXmf28CDXJL
-/aYDC/3a4EKIAz0uUnH6tCTK6jbmJhouGKnRpo9nS3ee3n0AENgPzcCaBgAoNYMM
-IT7en4a8olRviwKrMCX91fIorbuaUb0VFQ7BgfJhEvXVJinXcxkdTZJ4fztGE5Cy
-iqDGuJ1+EEABmDBrWCOr/gpF5HpAl9m6vbdhEWg3UvM02PAcBAn3z0Eno7O11vEK
-WDjZu6XWRLznY+cFEI0LvF8gLfilC15QgJdtb4+bh5jJsLHCCobBgARBdk50yhbj
-eQBwDOVMm2OJl5/BUl2OYbD/nK9dSUbT6wIDAQABo3AwbjAfBgNVHSMEGDAWgBR3
-Va6VsK3920NVj7trkQittchtpTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNV
-HREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFGWx6Z2EPXqL6pb+65eD/Dl4do/l
-MA0GCSqGSIb3DQEBCwUAA4IBAQCUEyM1M6EfDOkv9MHL3q1U72JvrKFx6lPDMTWd
-n/tWTILyQejETXWLmCxhle4JwIC+EQfAS6o/EFumgGvKp2xKuM4lS0ccaIBCCkjf
-bKkB5WxLppHPznxpv33f1DcU4WRNewBDra3FqJSGYGVjuHAPu4dZbPmU2bqhA22g
-0tdwFZyDC3b32CY40m8gbR7VvcymMufyOeLWImR6GVCm5N6SUVpYEPbL2PFHkvnq
-Z6SALFAeH/Um/uPsWemBPfxMXjq5dDKWaaigiC4wxdfpPqAfORrYbRWcCOoYQv2U
-9BO4LkL8OYBtG0IFuWU9eKpchFZgXbDjeoHFqBHz40yQ2yhk
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0y
+NTAyMjcwOTA3MTJaFw0yNjAyMjcwOTA3MTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDd0nhS+SWqtQMyIMuX
+/WMopeUH6u+WljlUEXpxZQKa3KL0+3r4byo51D8R6OF05zG3ANw4NCSMKfRBpK/+
+wb/QvVFi4Ib8wmrNJI019UE/gzbnDfg5QaMvztusAHZF2wkELRjgX/DdVBWXkQ1W
+jA9052XyPZs+zTbVg6Am6n3GOmKoCI2n0TIY9sKG+ZCJFfE+TzQU0z7r9OnvnT0Z
+BZ4poOgG8GbxTCr3dRfM+tLh8MLLMOZ3CKunGaMHD4zdeDm4l7fYZ6/jXVoZrbio
+2/uj9+KjhhKi+xTIBc8zug91piotN0uCuxdawgt0EtjaO4czQoLl3D/WNNSez4rl
+HLeVAgMBAAGjgYYwgYMwHwYDVR0jBBgwFoAUd1WulbCt/dtDVY+7a5EIrbXIbaUw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQWBBT18h+AQlYckl0KMVOGK14oPlsM
+NDANBgkqhkiG9w0BAQsFAAOCAQEAm6ZnJcT3IfF+1Y8P0NjkqG/U5CyPmEstwyFX
+zxnRP9ILmtQ2l+9V10KQ+STNKqyQWsfJ/+F71nKjOBzkS8cHDidVDZ1Y/3JoLByf
+sIbdA6XQVMLCNKDgLCJ33h8r0yDiucu1RRKQUIdMyLHnhNbPQtMpdFq8B2CjOi36
+tD36Ah/nAzVDCxUg2wvcc/aLqmMyZVmFqjjDtOqLlPQIJ4iiUT2MYw7avqVWq8br
+t0+3ezAGkMuTqjsBiTM/ov6l7OS12hFL/u+kA4lG38UuCkLoDjjG5QEu9d4q347l
+Y3C1v7K1YDXkXmX28sRQgAqzKVfTIRcbcvKgu4jx4EIhSjaNug==
 -----END CERTIFICATE-----
diff --git a/ntp-proto/test-keys/gen-cert.sh b/ntp-proto/test-keys/gen-cert.sh
@@ -6,7 +6,7 @@
 # Because this script generate keys without passwords set, they should only be used in a development setting.
 
 if [ -z "$1" ]; then
-	echo "usage: gen-cert.sh name-of-server [ca-name]"
+	echo "usage: gen-cert.sh name-of-server [ca-name] [filename]"
 	echo
 	echo "This will generate a name-of-server.key, name-of-server.pem and name-of-server.chain.pem file"
 	echo "containing the private key, public certificate, and full certificate chain (respectively)"
@@ -18,29 +18,31 @@ fi
 
 NAME="${1:-ntpd-rs.test}"
 CA="${2:-testca}"
+FILENAME="${3:-$NAME}"
 
 # generate a key
-openssl genrsa -out "$NAME".key 2048
+openssl genrsa -out "$FILENAME".key 2048
 
 # generate a certificate signing request
-openssl req -batch -new -key "$NAME".key -out "$NAME".csr
+openssl req -batch -new -key "$FILENAME".key -out "$FILENAME".csr
 
 # generate an ext file
-cat >> "$NAME".ext <<EOF
+cat >> "$FILENAME".ext <<EOF
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
-keyUsage = keyEncipherment
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 
 [alt_names]
 DNS.1 = $NAME
 EOF
 
 # generate the signed certificate with the provided CA
-openssl x509 -req -in "$NAME".csr -CA "$CA".pem -CAkey "$CA".key -CAcreateserial -out "$NAME".pem -days 1825 -sha256 -extfile "$NAME".ext
+openssl x509 -req -in "$FILENAME".csr -CA "$CA".pem -CAkey "$CA".key -CAcreateserial -out "$FILENAME".pem -days 365 -sha256 -extfile "$FILENAME".ext
 
 # generate the full certificate chain version
-cat "$NAME".pem "$CA".pem > "$NAME".chain.pem
+cat "$FILENAME".pem "$CA".pem > "$FILENAME".fullchain.pem
 
 # cleanup
-rm "$NAME".csr
+rm "$FILENAME".csr
diff --git a/ntpd/src/daemon/keyexchange.rs b/ntpd/src/daemon/keyexchange.rs
@@ -26,29 +26,15 @@ use super::exitcode;
 async fn build_client_config(
     extra_certificates: &[Certificate],
 ) -> Result<tls_utils::ClientConfig, KeyExchangeError> {
-    let mut roots = tokio::task::spawn_blocking(move || {
-        let mut roots = tls_utils::RootCertStore::empty();
-        for cert in tls_utils::pemfile::load_native_certs()? {
-            roots
-                .add(tls_utils::pemfile::rootstore_ref_shim(&cert))
-                .map_err(KeyExchangeError::Certificate)?;
-        }
-        Ok::<_, KeyExchangeError>(roots)
-    })
-    .await
-    .expect("Unexpected error while loading root certificates")?;
-
-    for cert in extra_certificates {
-        roots
-            .add(tls_utils::pemfile::rootstore_ref_shim(cert))
-            .map_err(KeyExchangeError::Certificate)?;
-    }
-
-    Ok(
-        tls_utils::client_config_builder_with_protocol_versions(&[&TLS13])
-            .with_root_certificates(roots)
-            .with_no_client_auth(),
-    )
+    let builder = tls_utils::client_config_builder_with_protocol_versions(&[&TLS13]);
+    let provider = builder.crypto_provider().clone();
+    let verifier =
+        tls_utils::PlatformVerifier::new_with_extra_roots(extra_certificates.iter().cloned())?
+            .with_provider(provider);
+    Ok(builder
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(verifier))
+        .with_no_client_auth())
 }
 
 pub(crate) async fn key_exchange_client(

diff --git a/nts-pool-ke/Cargo.toml b/nts-pool-ke/Cargo.toml
@@ -11,7 +11,7 @@ publish.workspace = true
 rust-version.workspace = true
 
 [package.metadata.cargo-udeps.ignore]
-normal = [ "ntp-proto", "rustls-native-certs7", "rustls-pemfile2", "rustls23", "serde", "tokio-rustls", "toml", "tracing", "tracing-subscriber" ]
+normal = [ "ntp-proto", "rustls-platform-verifier", "rustls-pemfile2", "rustls23", "serde", "tokio-rustls", "toml", "tracing", "tracing-subscriber" ]
 
 [dependencies]
 tokio = { workspace = true, features = ["rt-multi-thread", "io-util", "fs", "net", "macros", "time" ] }
@@ -20,7 +20,7 @@ tracing.workspace = true
 tracing-subscriber = { version = "0.3.0", default-features = false, features = ["std", "fmt", "ansi"] }
 rustls23.workspace = true
 rustls-pemfile2.workspace = true
-rustls-native-certs7.workspace = true
+rustls-platform-verifier.workspace = true
 serde.workspace = true
 ntp-proto = { workspace = true }
 tokio-rustls.workspace = true

diff --git a/nts-pool-ke/src/lib.rs b/nts-pool-ke/src/lib.rs
@@ -1,7 +1,6 @@
 #[cfg(feature = "unstable_nts-pool")]
 mod condcompile {
     extern crate rustls23 as rustls;
-    extern crate rustls_native_certs7 as rustls_native_certs;
     extern crate rustls_pemfile2 as rustls_pemfile;
 
     mod cli;
@@ -22,6 +21,7 @@ mod condcompile {
         pki_types::{CertificateDer, ServerName},
         version::TLS13,
     };
+    use rustls_platform_verifier::Verifier;
     use tokio::{
         io::{AsyncReadExt, AsyncWriteExt},
         net::{TcpListener, ToSocketAddrs},
@@ -458,19 +458,14 @@ mod condcompile {
         certificate_chain: Vec<rustls::pki_types::CertificateDer<'static>>,
         private_key: rustls::pki_types::PrivateKeyDer<'static>,
     ) -> Result<tokio_rustls::TlsConnector, KeyExchangeError> {
-        let mut roots = rustls::RootCertStore::empty();
-        for cert in rustls_native_certs::load_native_certs()? {
-            roots.add(cert).map_err(KeyExchangeError::Certificate)?;
-        }
-
-        for cert in extra_certificates {
-            roots
-                .add(cert.clone())
-                .map_err(KeyExchangeError::Certificate)?;
-        }
-
-        let config = rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13])
-            .with_root_certificates(roots)
+        let builder = rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13]);
+        let provider = builder.crypto_provider().clone();
+        let verifier = Verifier::new_with_extra_roots(extra_certificates.iter().cloned())?
+            .with_provider(provider);
+
+        let config = builder
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(verifier))
             .with_client_auth_cert(certificate_chain, private_key)
             .unwrap();