Rustls 0.20 and HttpsConnectorBuilder #156
Conversation
|
(Tweaked Cargo.toml in response to comments) |
|
loving this, can't wait to use hyper-rustls once it supports the latest stuff |
|
I had a chance to try the new rustls inspired API and I really liked it, although when rust-analyzer decides not to work it takes some time to combine things in the right order by going from the docs. One more thing which would be cool to have is both the compiletime and runtime option to disable TLS 1.2. The compiletime option requires
https://docs.rs/rustls/0.20.0/rustls/#crate-features If you'd like to I can also implement it myself and send it in a separate PR after this one is merged |
|
rustls-native-certs 0.6.0 has been published now: https://crates.io/crates/rustls-native-certs |
|
There's a lot of good stuff in this PR, but I think it has too much going on at once. I think this could be split in at least three parts, either separate commits in this PR or separate PRs:
I also like @paolobarbolini's suggestion to configure TLS 1.2 support. @g2p let me know if you have time to work on this soon, otherwise I can revive my own PR. (Also for now, I'd prefer to not split out |
Convenience functions for rustls client configuration are now in a ConfigBuilderExt trait extending rustls::ConfigBuilder. Disables sct validation with certificate transparency logs, which can't be enabled (in a way that would be as compatible as chromium) without a bunch of intrusive policies to deal with validity/expiration. Parts of ConfigBuilderExt::with_native_roots come from rustls::RootCertStore::add_parsable_certificates, which cannot be used directly due to a newtype in rustls-native-certs.
|
I've reworked the commit history to better separate @djc's point 1 (minimal changes for rustls 0.20) from 2 and 3. The connector refactoring (point 3) is needed by point 2 to be consistent with how schemes are configured: I expose https_only and https_or_http, I've removed the existing behaviour which defaulted any non-https scheme to http (not documented and seemingly accidental). Finer grained scheme control will be possible to add in a backward compatible way, but it needs to be motivated by actual use cases (do we want to add https-equivalent schemes?) I've forwarded crates features (@paolobarbolini), tls12 and logging forward to those features in tokio-rustls and rustls. There's still some implicitness in whether TLS 1.2 is enabled at a distance through features, rustls configuration methods encourage this, it might be addressed through examples or a configuration method in rustls. In practice: replacing Exposing a |
|
(Just fixed the |
There was a problem hiding this comment.
Good stuff, thanks for your work on this! Sorry to drag this on, I have a few more questions.
Exposing a
.with_tls13_defaults()method in rustls would be best, improving the ergonomics of rustls in the original crate rather than this one.
What scenario are you worried about, exactly? Users who inadvertently enable TLS 1.2? Folks who explicitly want to disable 1.2 should not call with_safe_defaults() but should instead specify the versions explicitly during the config builder setup; this doesn't seem so unreasonable.
This gives more control over various rustls features, as well as ensures that enabling connector features like http1/http2 can only be done when the appropriate crate features are enabled.
tls12 and logging are rustls features we enable by default, as does rustls, exposing them explicitly allows users to disable them by disabling hyper-rustls default features. Make sure tests run with tls12 by enabling it in dev-dependencies, because windows tests (at least in CI) seem to run with an outdated version of curl that doesn't support TLS 1.3.
The extensions to rustls::ClientConfig in ClientConfigExt that set root certificates now do just that, they don't go on to configure / disable client auth. The builder traits are unchanged, they set convenient defaults (no client auth) but allow passing a custom rustls::ClientConfig.
|
I believe everything here is resolved, re Instead of clearing the field, I can require alpn_protocols to be empty going in so that we can choose to handle it later without breaking API. |
This is the default for a rustls ClientConfig. We assert this to be future proof in case we want to extend the interface by handling pre-defined alpn_protocols later.
|
Thanks, this is looking good! |
|
Thanks for the reviewing! |
|
Hi there, I updated some of my code to use this and the latest changes are confusing me. let connector = HttpsConnectorBuilder::new()
.with_webpki_roots()
.https_only()
.enable_http1()
.enable_http2()
.build();Yet it fails at the ALPN assertion. What am I doing wrong? Edit: Removing |
|
@Gelbpunkt thanks for the heads up, I just fixed the assert in #160. The connection error might be related to your peer not handling TLS 1.3, did you enable the tls12 feature (part of the default set)? |
Thanks, both of the configurations now work after also enabling TLS 1.2. I guess I didn't expect the remote to not support TLS 1.3 and didn't pay attention to the new feature flag. Thank you very much for the fix! |
This upgrades rustls to 0.20 (pending a release of rustls-native-certs), and ports the HttpsConnectorBuilder in #145 to something more like rustls' new ConfigBuilder (typestate based).
Parts of the rustls 0.20 work were taken from #153.