update rustls, tokio-rustls, and hyper-rustls

CHANGELOG.adoc

@@ -20,6 +20,7 @@ https://github.com/oxidecomputer/dropshot/compare/v0.9.0\...HEAD[Full list of co
 * https://github.com/oxidecomputer/dropshot/pull/676[#676] changed how TLS configuration is provided to Dropshot.  **`ConfigDropshotTls` is now no longer part of `ConfigDropshot`.**  If you're using TLS, you need to provide this as a separate argument to `HttpServerStarter::new_tls()`.  See #676 for details.
 * https://github.com/oxidecomputer/dropshot/pull/651[#651] The address of the remote peer is now available to request handlers via the `RequestInfo` struct. With this change we've removed the related `From<hyper::Request<B>>` implementation; instead use `RequestInfo::new<B>(&hyper::Request<B>, std::net::SocketAddr)`.
 * https://github.com/oxidecomputer/dropshot/pull/701[#701] changes how Dropshot manages the tasks that are used to handle requests.  There are two modes, now configurable server-wide using `HandlerTaskMode`.  Prior to this change, the behavior matched what's now called `HandlerTaskMode::CancelOnDisconnect`: the Future associated with a request handler could be cancelled if, for example, the client disconnected early.  After this change, the default behavior is what's now called `HandlerTaskMode::Detached`, which causes Dropshot to use `tokio::spawn` to run the request handler.  That task will never be cancelled.  This is useful for consumers whose request handlers may not be cancellation-safe.
+* https://github.com/oxidecomputer/dropshot/pull/849[#849] updates rustls to 0.22 which is a breaking change due to the dependency on `rustls::ServerConfig`. If your server supplies a `ServerConfig` you will need to apply the appropriate changes.
 
 === Other notable Changes
 

dropshot/Cargo.toml

@@ -26,7 +26,7 @@ multer = "3.0.0"
 paste = "1.0.14"
 percent-encoding = "2.3.1"
 proc-macro2 = "1.0.73"
-rustls = "0.21.7"
+rustls = "0.22.1"
 rustls-pemfile = "2.0.0"
 serde_json = "1.0.109"
 serde_path_to_error = "0.1.15"
@@ -37,7 +37,7 @@ slog-async = "2.8.0"
 slog-bunyan = "2.5.0"
 slog-json = "2.6.1"
 slog-term = "2.9.0"
-tokio-rustls = "0.24.1"
+tokio-rustls = "0.25.0"
 toml = "0.8.8"
 waitgroup = "0.1.2"
 
@@ -83,7 +83,7 @@ features = [ "uuid1" ]
 async-channel = "2.1.1"
 buf-list = "1.0.3"
 expectorate = "1.1.0"
-hyper-rustls = "0.24.2"
+hyper-rustls = "0.25.0"
 hyper-staticfile = "0.9"
 lazy_static = "1.4.0"
 libc = "0.2.152"
@@ -97,11 +97,10 @@ rcgen = "0.11.3"
 # Used in a doc-test demonstrating the WebsocketUpgrade extractor.
 tokio-tungstenite = "0.21.0"
 
-[dev-dependencies.rustls]
-version = "0.21"
-# This is needed to use with_custom_certificate_verifier in tests
-# https://docs.rs/rustls/0.21/src/rustls/client/builder.rs.html
-features = [ "dangerous_configuration" ]
+[dev-dependencies.rustls-pki-types]
+version = "1.1.0"
+# Needed for CertificateDer::into_owned
+features = ["alloc"]
 
 [dev-dependencies.schemars]
 version = "0.8.16"

dropshot/src/server.rs

@@ -518,29 +518,20 @@ impl TryFrom<&ConfigTls> for rustls::ServerConfig {
             .map_err(|err| {
                 io_error(format!("failed to load certificate: {err}"))
             })?;
-        let cert_chain = certs
-            .into_iter()
-            .map(|cert| rustls::Certificate(cert.to_vec()))
-            .collect();
         let keys = rustls_pemfile::pkcs8_private_keys(&mut key_reader)
             .collect::<Result<Vec<_>, _>>()
             .map_err(|err| {
                 io_error(format!("failed to load private key: {err}"))
             })?;
-        let private_key = match keys.as_slice() {
-            [pk] => rustls::PrivateKey(pk.secret_pkcs8_der().to_vec()),
-            _ => {
-                return Err(io_error("expected a single private key".into()));
-            }
+        let mut keys_iter = keys.into_iter();
+        let (Some(private_key), None) = (keys_iter.next(), keys_iter.next())
+        else {
+            return Err(io_error("expected a single private key".into()));
         };
 
         let mut cfg = rustls::ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_safe_default_protocol_versions()
-            .unwrap()
-            .with_client_cert_verifier(rustls::server::NoClientAuth::boxed())
-            .with_single_cert(cert_chain, private_key)
+            .with_no_client_auth()
+            .with_single_cert(certs, private_key.into())
             .expect("bad certificate/key");
         cfg.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
         Ok(cfg)