Support rustls as an alternative TLS backend#735
Conversation
|
Note to self: CI failure might be due to not activating one of the new _prefixed features correctly. |
|
Was a different error, sqlx-cli was using the old feature. I guess maybe I should also not trigger the "runtime has to be selected" error when one of the old ones is activated, it seems like that doesn't necessarily trigger the first |
|
I moved some ground work to #740, now pushed just a very minimal commit that should only update cargo features (it noticably doesn't touch |
|
Hey, I made it work... Somehow?? It does seem a bit like a lockfile update was the cause for the previous breakage, so I'll open a separate PR for just |
|
Ah, so there is some postgres & mysql specific TLS code. Only tested with sqlite locally. |
|
Pushed all new preliminary refactorings separately from the rustls commit again to have CI verify them in isolation. |
|
So it was a dependency thing afterall! I think I should leave the |
jplatte
left a comment
jplatte
left a comment
There was a problem hiding this comment.
This is now truly ready for review!
|
So this added 45 new CI jobs to the existing 49... Should probably revisit testing every possible runtime, tls backend, database (version) 😅 |
|
Ah, so some tests rely on certificate validation being optional. I'll wait for feedback before playing around and wasting more CI time.. |
|
I'm glad to see someone else was looking at ditching OpenSSL too :D. I see a thread above around the certificate validation requirements. I actually have a branch here where I was working on replacing everything with Rustls and I implemented the different certification validation levels. Feel free to take a look @jplatte. |
|
With @BlackHoleFox'es changes integrated, this now passes all 94 CI jobs 🎉 😅 @abonander Thoughts on the large increase in CI jobs? |
|
For the record, I'm not a huge fan of the combinatorial explosion of jobs here. At least we're not footing the bill for CI, eh? @jplatte looks like this needs a rebase though. |
so they finally are all in the right sections
Co-authored-by: BlackHoleFox <blackholefoxdev@gmail.com>
|
Can we perhaps mark a good chunk of the CI jobs here as "non-required" or something and only run them on I love the capability added here. Great work @jplatte. I really wish we could do this with feature pairs in Cargo e.g., Though I think that might be served with something more suited for mutual exclusion, e.g., Would be an interesting thing to add to Cargo. That's not relevant to this PR though. |
Sure. Check runs pretty fast, so that can probably be run always. What about only running one version of each database for PRs? |
|
I was reading this with an interest, could it solve the issue of connecting to SQL Server from macOS platforms, where Apple's Security Framework doesn't allow the short keys Microsoft uses in the server. We have trouble doing TLS connections in Tiberius with |
jplatte
force-pushed
the
rustls
branch
3 times, most recently
from
e110bfd to
eb0bb6e
Compare
|
I've tried but can't figure out how to skip some runtime tests run on pull requests (without duplicating jobs). I guess using one of those weird YAML features to copy stuff around like GitLab encourages for CI jobs IIRC could work, but I haven't seen anybody do that with Actions. Ideas? |
|
@pimeys I'm here hoping the same thing. My team is currently blocked on MacOS because of the use of native-tls |
|
Thanks for all the work here. We need to revisit CI but let's not keep blocking on that. |
|
Merged on the command line: 1ed75ba |
6 participants
Resolves #575.