[rust] Switch reqwest TLS backend from aws-lc-rs to ring #17589
Open
AutomatedTester wants to merge 2 commits into
The default reqwest `rustls` feature pulls in aws-lc-rs → aws-lc-sys, a C library that requires compiler-rt builtins and system frameworks (e.g. CoreServices on macOS) that are not available in the hermetic LLVM sysroot. The `ring` crate is pure Rust + lightweight C with no external system library dependencies, making it compatible with hermetic build toolchains.

Changes:
- reqwest: switch feature from `rustls` to `rustls-no-provider`, which wires up the full rustls stack (including rustls-platform-verifier for cert verification) but does not force any crypto backend.
- Add direct `rustls` dependency with `ring` feature so ring is the only crypto provider compiled into the binary.
- Install ring as the process-default TLS provider at the start of main() (required when using `rustls-no-provider`; rustls 0.23 needs an explicit provider before ClientConfig::builder() is called).
- Cargo.lock: aws-lc-rs and aws-lc-sys are removed; ring and its lightweight deps remain.

Installing the provider only in main() meant unit tests (which never call main) would panic when creating an HTTP client. Moving the install into create_http_client — the single entry point for all reqwest Client construction — ensures the provider is present in every code path including tests. install_default() returns Err if already installed, so the let _ = pattern makes repeated calls safe.
Summary
- `reqwest` from the `rustls` feature to `rustls-no-provider`, eliminating the `aws-lc-rs` → `aws-lc-sys` dependency chain
- `rustls` dependency with the `ring` feature so ring is the only compiled crypto provider
- `main.rs`
- `Cargo.lock`: `aws-lc-rs` and `aws-lc-sys` are fully removed

Why
`aws-lc-sys` is a C library that needs compiler-rt builtins and system frameworks (e.g. `CoreServices` on macOS) at compile time. These are not available in the hermetic LLVM sysroot that the cross-compilation PR (#17586) registers for macOS. Switching to `ring` (pure Rust + lightweight C, no external system deps) unblocks registering the hermetic LLVM exec toolchain on macOS for fully reproducible builds.

`ring` is already in the dependency graph (pulled in by `quinn`), so no net-new crate is introduced — we're just removing one crypto backend and making the other explicit.

Test plan
- Rust / Tests (ubuntu) passes (existing coverage)
- Rust / Tests (macos) passes — this is the regression that motivated the change
- Rust / Tests (windows) passes
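
A lockfile guard for the outcome the description states (no `aws-lc-rs` or `aws-lc-sys` locked, `ring` present), as an added example that is not part of this PR or the project's code. It reads only the `name`/`version` lines of `[[package]]` tables; `audit`, `locked_packages`, `sample_lock` and the `0.0.0` versions are hypothetical names and constructed values.

```rust
// Added example, not code from the PR: a Cargo.lock guard for crypto backends.
/// Crates the PR description says must be absent from Cargo.lock.
const FORBIDDEN: [&str; 2] = ["aws-lc-rs", "aws-lc-sys"];

/// Reads `key = "value"` from one lockfile line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

/// Returns (name, version) for every [[package]] table in Cargo.lock text.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let (mut out, mut name, mut in_package) = (Vec::new(), None, false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_package = line == "[[package]]"; // other tables carry no crates
            name = None;
        } else if !in_package {
            continue;
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            if let Some(n) = name.take() {
                out.push((n, v));
            }
        }
    }
    out
}

/// Returns the forbidden crates still locked, and whether ring is locked.
fn audit(lock: &str) -> (Vec<String>, bool) {
    let pkgs = locked_packages(lock);
    let forbidden: Vec<String> = pkgs.iter()
        .filter(|(n, _)| FORBIDDEN.iter().any(|f| *f == n.as_str()))
        .map(|(n, v)| format!("{n} {v}"))
        .collect();
    (forbidden, pkgs.iter().any(|(n, _)| n.as_str() == "ring"))
}

/// Builds a constructed Cargo.lock body; the 0.0.0 versions are placeholders.
fn sample_lock(names: &[&str]) -> String {
    let entry = |n: &&str| format!("[[package]]\nname = \"{n}\"\nversion = \"0.0.0\"\n\n");
    names.iter().map(entry).collect()
}

fn main() {
    println!("before: {:?}", audit(&sample_lock(&["aws-lc-rs", "aws-lc-sys", "ring"])));
    println!("after:  {:?}", audit(&sample_lock(&["ring", "rustls"])));
}
```

Run against the real `Cargo.lock` in CI, a non-empty first element means a crate elsewhere in the graph has re-enabled the other backend through Cargo's feature unification.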