From f22e67be4c2d04b967db6512bad1ad09f338d395 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 20 Oct 2021 16:55:17 -0700
Subject: [PATCH] Fix agent test.
---
 Cargo.toml | 1 +
 src/agent.rs | 16 ++++++++++++++--
 tests/https-agent.rs | 29 ++++++++++++++++++++---------
 3 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index da55364..ac26488 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -44,6 +44,7 @@ log = "0.4"
 serde = { version = "1", features = ["derive"] }
 env_logger = "0.9"
 rustls = { version = "0.20", features = ["dangerous_configuration"] }
+rustls-pemfile = { version = "0.2" }
 [[example]]
 name = "smoke-test"
diff --git a/src/agent.rs b/src/agent.rs
index 897a2cb..2568377 100644
--- a/src/agent.rs
+++ b/src/agent.rs
@@ -474,9 +474,21 @@ impl AgentBuilder {
 /// # fn main() -> Result<(), ureq::Error> {
 /// # ureq::is_test(true);
 /// use std::sync::Arc;
- /// let tls_config = Arc::new(rustls::ClientConfig::new());
+ /// let mut root_store = rustls::RootCertStore::empty();
+ /// root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+ /// rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+ /// ta.subject,
+ /// ta.spki,
+ /// ta.name_constraints,
+ /// )
+ /// }));
+ ///
+ /// let tls_config = rustls::ClientConfig::builder()
+ /// .with_safe_defaults()
+ /// .with_root_certificates(root_store)
+ /// .with_no_client_auth();
 /// let agent = ureq::builder()
- /// .tls_config(tls_config.clone())
+ /// .tls_config(Arc::new(tls_config))
 /// .build();
 /// # Ok(())
 /// # }
diff --git a/tests/https-agent.rs b/tests/https-agent.rs
index 14739f3..72bc80a 100644
--- a/tests/https-agent.rs
+++ b/tests/https-agent.rs
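Review bot: In src/agent.rs, the rewritten doc example that calls `.tls_config(...)` takes its trust anchors from `webpki_roots` without saying that this is a separate crate the reader must depend on, or why the block is needed. A one-line comment above the `add_server_trust_anchors` call would cover both, for example `/// // Trust anchors come from the webpki-roots crate; with an empty RootCertStore no server certificate verifies.` The doc comment starts and ends outside the hunk, so the surrounding prose may already say this.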
@@ -92,17 +92,28 @@ m0Wqhhi8/24Sy934t5Txgkfoltg8ahkx934WjP6WWRnSAu+cf+vW
 #[cfg(feature = "tls")]
 #[test]
 fn tls_client_certificate() {
- let mut tls_config = rustls::ClientConfig::new();
-
- let certs = rustls_pemfile::certs(&mut BADSSL_CLIENT_CERT_PEM.as_bytes()).unwrap();
- let key = rustls_pemfile::rsa_private_keys(&mut BADSSL_CLIENT_CERT_PEM.as_bytes())
- .unwrap()[0]
+ let certs = rustls_pemfile::certs(&mut BADSSL_CLIENT_CERT_PEM.as_bytes())
+ .unwrap()
+ .into_iter()
+ .map(rustls::Certificate)
+ .collect();
+ let key = rustls_pemfile::rsa_private_keys(&mut BADSSL_CLIENT_CERT_PEM.as_bytes()).unwrap()[0]
 .clone();
- tls_config.set_single_client_cert(certs, key).unwrap();
- tls_config
- .root_store
- .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+ let mut root_store = rustls::RootCertStore::empty();
+ root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+ rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+ ta.subject,
+ ta.spki,
+ ta.name_constraints,
+ )
+ }));
+
+ let tls_config = rustls::ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_store)
+ .with_single_cert(certs, rustls::PrivateKey(key))
+ .unwrap();
 let agent = ureq::builder()
 .tls_config(std::sync::Arc::new(tls_config))
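Review bot: In `tls_client_certificate`, the new `let key` line still indexes the parsed key list with `.unwrap()[0]`, so a fixture with no RSA-format key section fails with a bare index-out-of-bounds panic instead of a message naming the cause. Taking the first element with `.into_iter().next().expect("BADSSL_CLIENT_CERT_PEM holds an RSA private key")` states the invariant and makes the following `.clone()` unnecessary. The new `.collect()` on `certs` relies on inference from `with_single_cert`; annotating it as `let certs: Vec<rustls::Certificate>` would make the wrapping explicit. The function body continues past the end of the hunk.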