Diffstat (limited to 'cli/tests')
-rw-r--r-- | cli/tests/integration/mod.rs | 76 | ||||
-rw-r--r-- | cli/tests/testdata/listen_tls_alpn.ts | 8 | ||||
-rw-r--r-- | cli/tests/testdata/listen_tls_alpn_fail.ts | 20 | ||||
-rw-r--r-- | cli/tests/testdata/localhost_unsafe_ssl.ts.out | 2 |
4 files changed, 68 insertions, 38 deletions
diff --git a/cli/tests/integration/mod.rs b/cli/tests/integration/mod.rs index cfb950901..9cd1b2c11 100644 --- a/cli/tests/integration/mod.rs +++ b/cli/tests/integration/mod.rs @@ -5,7 +5,7 @@ use deno_core::url; use deno_runtime::deno_fetch::reqwest; use deno_runtime::deno_net::ops_tls::TlsStream; use deno_runtime::deno_tls::rustls; -use deno_runtime::deno_tls::webpki; +use deno_runtime::deno_tls::rustls_pemfile; use std::fs; use std::io::BufReader; use std::io::Cursor; 
@@ -1143,36 +1143,40 @@ async fn listen_tls_alpn() { .spawn() .unwrap(); let stdout = child.stdout.as_mut().unwrap(); - let mut buffer = [0; 5]; - let read = stdout.read(&mut buffer).unwrap(); + let mut msg = [0; 5]; + let read = stdout.read(&mut msg).unwrap(); assert_eq!(read, 5); - let msg = std::str::from_utf8(&buffer).unwrap(); - assert_eq!(msg, "READY"); + assert_eq!(&msg, b"READY"); - let mut cfg = rustls::ClientConfig::new(); - let reader = &mut BufReader::new(Cursor::new(include_bytes!( + let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - cfg.root_store.add_pem_file(reader).unwrap(); - cfg.alpn_protocols.push("foobar".as_bytes().to_vec()); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); + let mut root_store = rustls::RootCertStore::empty(); + root_store.add_parsable_certificates(&certs); + let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth(); + cfg.alpn_protocols.push(b"foobar".to_vec()); let cfg = Arc::new(cfg); - let hostname = - webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap(); + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4504") .await .unwrap(); let mut tls_stream = - TlsStream::new_client_side(tcp_stream, &cfg, hostname); + TlsStream::new_client_side(tcp_stream, cfg, hostname); + tls_stream.handshake().await.unwrap(); - let (_, session) = tls_stream.get_ref(); - let alpn = session.get_alpn_protocol().unwrap(); - assert_eq!(std::str::from_utf8(alpn).unwrap(), "foobar"); + let (_, rustls_connection) = tls_stream.get_ref(); + let alpn = rustls_connection.alpn_protocol().unwrap(); + assert_eq!(alpn, b"foobar"); - child.kill().unwrap(); - child.wait().unwrap(); + let status = child.wait().unwrap(); + assert!(status.success()); }) .await; } 
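Review bot: The return value of `root_store.add_parsable_certificates(&certs)` is discarded, so a RootCA.crt that fails to parse would leave the trust store empty and only surface later as an opaque handshake error. The call reports how many certificates were accepted and how many were ignored; binding and asserting on that, e.g. `let (added, ignored) = root_store.add_parsable_certificates(&certs);` followed by `assert!(added > 0 && ignored == 0);`, makes a broken trust anchor fail at the line that caused it. The same pattern appears in the listen_tls_alpn_fail hunk, where it matters more because that test expects the handshake to fail.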
@@ -1190,41 +1194,45 @@ async fn listen_tls_alpn_fail() { .arg("--quiet") .arg("--allow-net") .arg("--allow-read") - .arg("./listen_tls_alpn.ts") + .arg("./listen_tls_alpn_fail.ts") .arg("4505") .stdout(std::process::Stdio::piped()) .spawn() .unwrap(); let stdout = child.stdout.as_mut().unwrap(); - let mut buffer = [0; 5]; - let read = stdout.read(&mut buffer).unwrap(); + let mut msg = [0; 5]; + let read = stdout.read(&mut msg).unwrap(); assert_eq!(read, 5); - let msg = std::str::from_utf8(&buffer).unwrap(); - assert_eq!(msg, "READY"); + assert_eq!(&msg, b"READY"); - let mut cfg = rustls::ClientConfig::new(); - let reader = &mut BufReader::new(Cursor::new(include_bytes!( + let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - cfg.root_store.add_pem_file(reader).unwrap(); - cfg.alpn_protocols.push("boofar".as_bytes().to_vec()); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); + let mut root_store = rustls::RootCertStore::empty(); + root_store.add_parsable_certificates(&certs); + let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth(); + cfg.alpn_protocols.push(b"boofar".to_vec()); let cfg = Arc::new(cfg); - let hostname = - webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap(); + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4505") .await .unwrap(); let mut tls_stream = - TlsStream::new_client_side(tcp_stream, &cfg, hostname); - tls_stream.handshake().await.unwrap(); - let (_, session) = tls_stream.get_ref(); + TlsStream::new_client_side(tcp_stream, cfg, hostname); - assert!(session.get_alpn_protocol().is_none()); + tls_stream.handshake().await.unwrap_err(); - child.kill().unwrap(); - child.wait().unwrap(); + let (_, rustls_connection) = tls_stream.get_ref(); + assert!(rustls_connection.alpn_protocol().is_none()); + + let status = 
child.wait().unwrap(); + assert!(status.success()); }) .await; } diff --git a/cli/tests/testdata/listen_tls_alpn.ts b/cli/tests/testdata/listen_tls_alpn.ts index 5d58065d9..b3ade686e 100644 --- a/cli/tests/testdata/listen_tls_alpn.ts +++ b/cli/tests/testdata/listen_tls_alpn.ts @@ -7,6 +7,8 @@ const listener = Deno.listenTls({ console.log("READY"); -for await (const conn of listener) { - conn.close(); -} +const conn = await listener.accept() as Deno.TlsConn; +await conn.handshake(); +conn.close(); + +listener.close(); diff --git a/cli/tests/testdata/listen_tls_alpn_fail.ts b/cli/tests/testdata/listen_tls_alpn_fail.ts new file mode 100644 index 000000000..04f9ec11f --- /dev/null +++ b/cli/tests/testdata/listen_tls_alpn_fail.ts @@ -0,0 +1,20 @@ +import { assertRejects } from "../../../test_util/std/testing/asserts.ts"; + +const listener = Deno.listenTls({ + port: Number(Deno.args[0]), + certFile: "./tls/localhost.crt", + keyFile: "./tls/localhost.key", + alpnProtocols: ["h2", "http/1.1", "foobar"], +}); + +console.log("READY"); + +const conn = await listener.accept() as Deno.TlsConn; +await assertRejects( + () => conn.handshake(), + Deno.errors.InvalidData, + "peer doesn't support any known protocol", +); +conn.close(); + +listener.close(); diff --git a/cli/tests/testdata/localhost_unsafe_ssl.ts.out b/cli/tests/testdata/localhost_unsafe_ssl.ts.out index 66c199417..0bfaeb25d 100644 --- a/cli/tests/testdata/localhost_unsafe_ssl.ts.out +++ b/cli/tests/testdata/localhost_unsafe_ssl.ts.out @@ -1,3 +1,3 @@ DANGER: TLS certificate validation is disabled for: deno.land -error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid certificate: UnknownIssuer +error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer at file:///[WILDCARD]/cafile_url_imports.ts:[WILDCARD] |
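Review bot: `tls_stream.handshake().await.unwrap_err()` accepts any handshake failure, so on the client side a certificate or trust-store error would satisfy this test just as well as the ALPN mismatch it is meant to exercise. The server script's `assertRejects` together with `assert!(status.success())` narrows this, but the client assertion should still check the error itself, for example by binding it with `let err = tls_stream.handshake().await.unwrap_err();` and asserting on its kind or message. The following `assert!(rustls_connection.alpn_protocol().is_none())` presumably holds after any failed handshake, so it adds little unless the error is pinned first.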
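Review bot: `await listener.accept()` waits for exactly one connection with no timeout, and the Rust tests in this commit replace `child.kill()` with `child.wait()`. If the client side panics before it connects (at `TcpStream::connect(...).await.unwrap()`, for instance), nothing terminates this process and it keeps the port bound; the same applies to listen_tls_alpn_fail.ts. Consider keeping a kill on the test's failure path, or racing `accept()` against a timer in the script so it exits non-zero on its own.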