This repository has been archived by the owner on Feb 3, 2023. It is now read-only.
native-tls seems to be one of the few remaining native dependencies. It wraps platform-specific TLS implementations (schannel on Windows, Security framework on macOS, OpenSSL on Linux).
There are several problems with that:
All mentioned TLS implementations are memory unsafe.
Native dependencies make compilation more complex, especially cross-compilation, especially cross-compilation to static executables.
It seems that the net crate imports native-tls for reqwest. If that's the case, reqwest optionally supports rustls, a pure Rust TLS implementation: seanmonstar/reqwest#378
Disadvantages:
No old TLS versions, fewer ciphers implemented (focus of rustls is on safe defaults): OTOH, for the holochain-rust use case, this is probably a good thing, and makes downgrade attacks less effective
Did not go through a rigorous security audit (although the attack surface is smaller)
In particular, this currently blocks us from building for aarch64-unknown-linux-musl (statically compiled AArch64 releases), issue seems to be rooted in openssl-sys (neither vendored nor normal builds work for different reasons).
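A lock-file check for the dependency chain discussed in this issue, added here as an example and not code from the holochain-rust repository: it reports which packages pull in native-tls and the platform TLS crates beneath it. The crate list and the trimmed sample lock file are assumptions constructed for illustration.

```rust
use std::collections::BTreeMap;

// Crates that bind platform TLS libraries (assumed list for the native-tls stack).
const NATIVE_TLS: &[&str] = &["native-tls", "openssl", "openssl-sys", "schannel",
    "security-framework", "security-framework-sys"];

// Constructed, trimmed Cargo.lock (not the project's real lock file).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "reqwest"
dependencies = [
 "native-tls 0.0.0 (constructed-source)",
]
[[package]]
name = "native-tls"
dependencies = [
 "openssl-sys",
]
[[package]]
name = "openssl-sys"
"#;

/// Maps each native TLS crate in the lock file to the packages that depend on it directly.
fn native_tls_dependents(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut found: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let (mut current, mut in_deps) = (String::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" || line == "]" {
            in_deps = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            current = name.trim_matches('"').to_string();
            if NATIVE_TLS.contains(&current.as_str()) {
                found.entry(current.clone()).or_default();
            }
        } else if line.starts_with("dependencies = [") {
            in_deps = true;
        } else if in_deps {
            // Entries look like "name", "name version" or "name version (source)".
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            let dep = dep.split_whitespace().next().unwrap_or("");
            if NATIVE_TLS.contains(&dep) {
                found.entry(dep.to_string()).or_default().push(current.clone());
            }
        }
    }
    found
}

fn main() {
    for (krate, users) in native_tls_dependents(SAMPLE_LOCK) { println!("{krate} <- {users:?}"); }
}
```

An empty result means none of the listed crates remain in the lock file; a CI job can fail the build on any non-empty result.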