fix: replace native-tls/OpenSSL with rustls for IMAP — eliminates OpenSSL dependency (fixes #97) #121
Open
whatnick wants to merge 2 commits into RightNow-AI:main from
…AI#97)

The aarch64-linux release binary was dynamically linked against libssl.so.1.0.0 / libcrypto.so.1.0.0 (OpenSSL 1.0) which is absent on Ubuntu 22.04+ (ships OpenSSL 3.x). The sole consumer of native-tls was the IMAP email channel adapter.

Changes:
- Replace native_tls::TlsConnector with rustls::ClientConnection + rustls-native-certs for the IMAP client in email.rs
- Disable imap crate default 'tls' feature (which pulled in native-tls)
- Add rustls, rustls-native-certs, rustls-pki-types as workspace deps
- Remove native-tls from workspace dependencies entirely
- Remove libssl-dev from Dockerfile builder stage
- Remove OpenSSL cross-compile pre-build from Cross.toml
- Remove libssl-dev from CI release workflow Linux build step

All other TLS consumers (reqwest, tokio-tungstenite, lettre) already used rustls. The project now has zero dynamic OpenSSL linkage.

Closes RightNow-AI#97
6ee905d to 1cfea02
Author

This change has successfully been tested against email on Raspberry Pi 5.

The current pre-built version of openfang for aarch64-unknown-linux-gnu also has the same OpenSSL deps issue on Debian trixie.
egargale pushed a commit to egargale/openfang that referenced this pull request Mar 5, 2026
…te-final docs: ZeroClaw <5MB RAM

I tested this PR, and it worked. I'm using a Raspberry Pi 4 using trixie.
Summary

Fixes #97 — the v0.2.1 aarch64-linux binary required OpenSSL 1.0 (libssl.so.1.0.0), which is not available on Ubuntu 22.04+ (ships OpenSSL 3.x).

Root Cause

The imap crate's default tls feature pulls in native-tls, which on Linux dynamically links against the system's OpenSSL. The cross toolchain used for aarch64 builds shipped OpenSSL 1.0 headers, producing binaries linked against libssl.so.1.0.0 — absent on modern distros.

Fix

Replace native-tls with rustls (pure Rust TLS) for the IMAP email channel — the only remaining OpenSSL consumer. All other TLS users (reqwest, tokio-tungstenite, lettre) already used rustls.

Changes

- Cargo.toml: rustls, rustls-native-certs, rustls-pki-types workspace deps; set imap = { version = "2", default-features = false } to disable native-tls; remove native-tls dep
- crates/openfang-channels/Cargo.toml: native-tls with rustls + rustls-native-certs + rustls-pki-types
- crates/openfang-channels/src/email.rs: native_tls::TlsConnector with rustls::ClientConnection + rustls::StreamOwned using system-native root certs
- Dockerfile: libssl-dev from builder stage
- Cross.toml
- .github/workflows/release.yml: libssl-dev from Linux CI build deps

Result

ldd openfang will no longer show libssl.so/libcrypto.so
libssl-dev in builder)

TLS Protocol Support

The rustls configuration enables TLS 1.2 and TLS 1.3 using the ring crypto backend with system-native root certificates (rustls-native-certs). This covers all modern IMAP servers.
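
A release gate for the linkage result described above, as an added example that is not part of the PR or the openfang project: it scans ldd-style output for libssl/libcrypto and for unresolved libraries. The function names, the sample outputs and the ./openfang path are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Reads `ldd`-style text on stdin.
# Exit status: 0 clean, 1 libssl/libcrypto linked, 2 a library is
# unresolved ("not found"), 3 both.
check_no_openssl() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *libssl.so*|*libcrypto.so*)
                printf 'openssl linkage: %s\n' "$line" >&2
                found=$((found | 1)) ;;
        esac
        case "$line" in
            *"=> not found"*)
                printf 'unresolved: %s\n' "$line" >&2
                found=$((found | 2)) ;;
        esac
    done
    return "$found"
}

# Constructed sample: a binary linked against OpenSSL 1.0 on a host that
# ships only OpenSSL 3.x (addresses are made up).
sample_before() {
    cat <<'EOF'
	linux-vdso.so.1 (0x0000ffff9c2f0000)
	libssl.so.1.0.0 => not found
	libcrypto.so.1.0.0 => not found
	libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff9c000000)
EOF
}

# Constructed sample: the same binary with no dynamic OpenSSL linkage.
sample_after() {
    cat <<'EOF'
	linux-vdso.so.1 (0x0000ffff9c2f0000)
	libgcc_s.so.1 => /lib/aarch64-linux-gnu/libgcc_s.so.1 (0x0000ffff9c200000)
	libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff9c000000)
EOF
}

# Real use in CI (binary path is an assumption): ldd ./openfang | check_no_openssl
sample_before | check_no_openssl || echo "before: status $?"
sample_after | check_no_openssl && echo "after: clean"
```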