Switch from OpenSSL to Rustls (zed-industries#19104)

This PR also includes a downgrade of our async_tungstenite version to 0.24 Release Notes: - N/A
CharlesChen0823 · Oct 12, 2024 · c85a3cc · c85a3cc
1 parent 22ac178
commit c85a3cc
Show file tree

Hide file tree

Showing 8 changed files with 118 additions and 106 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -327,7 +327,7 @@ async-pipe = { git = "https://github.com/zed-industries/async-pipe-rs", rev = "8
 async-recursion = "1.0.0"
 async-tar = "0.5.0"
 async-trait = "0.1"
-async-tungstenite = "0.28"
+async-tungstenite = "0.24"
 async-watch = "0.3.1"
 async_zip = { version = "0.0.17", features = ["deflate", "deflate64"] }
 base64 = "0.22"
@@ -391,14 +391,14 @@ pulldown-cmark = { version = "0.12.0", default-features = false }
 rand = "0.8.5"
 regex = "1.5"
 repair_json = "0.1.0"
-reqwest = { git = "https://github.com/zed-industries/reqwest.git", rev = "fd110f6998da16bbca97b6dddda9be7827c50e29" }
+reqwest = { git = "https://github.com/zed-industries/reqwest.git", rev = "fd110f6998da16bbca97b6dddda9be7827c50e29", default-features = false, features = ["charset", "http2", "macos-system-configuration", "rustls-tls-native-roots", "stream"]}
 rsa = "0.9.6"
 runtimelib = { version = "0.15", default-features = false, features = [
  "async-dispatcher-runtime",
 ] }
 rustc-demangle = "0.1.23"
 rust-embed = { version = "8.4", features = ["include-exclude"] }
-rustls = "0.21.12"
+rustls = "0.20.3"
 rustls-native-certs = "0.8.0"
 schemars = { version = "0.8", features = ["impl_json_schema"] }
 semver = "1.0"

diff --git a/crates/client/Cargo.toml b/crates/client/Cargo.toml
@@ -18,7 +18,6 @@ test-support = ["clock/test-support", "collections/test-support", "gpui/test-sup
 [dependencies]
 anyhow.workspace = true
 async-recursion = "0.3"
-async-tls = "0.13"
 async-tungstenite = { workspace = true, features = ["async-std", "async-tls"] }
 chrono = { workspace = true, features = ["serde"] }
 clock.workspace = true
@@ -35,6 +34,8 @@ postage.workspace = true
 rand.workspace = true
 release_channel.workspace = true
 rpc = { workspace = true, features = ["gpui"] }
+rustls-native-certs.workspace = true
+rustls.workspace = true
 schemars.workspace = true
 serde.workspace = true
 serde_json.workspace = true

diff --git a/crates/client/src/client.rs b/crates/client/src/client.rs
@@ -1137,13 +1137,31 @@ impl Client {
 
  match url_scheme {
  Https => {
+ let client_config = {
+ let mut root_store = rustls::RootCertStore::empty();
+
+ let root_certs = rustls_native_certs::load_native_certs();
+ for error in root_certs.errors {
+ log::warn!("error loading native certs: {:?}", error);
+ }
+ root_store.add_parsable_certificates(
+ &root_certs
+ .certs
+ .into_iter()
+ .map(|cert| cert.as_ref().to_owned())
+ .collect::<Vec<_>>(),
+ );
+ rustls::ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_store)
+ .with_no_client_auth()
+ };
+
  let (stream, _) =
  async_tungstenite::async_tls::client_async_tls_with_connector(
  request,
  stream,
- Some(async_tls::TlsConnector::from(
- http_client::TLS_CONFIG.clone(),
- )),
+ Some(client_config.into()),
  )
  .await?;
  Ok(Connection::new(

diff --git a/crates/http_client/Cargo.toml b/crates/http_client/Cargo.toml
@@ -21,8 +21,6 @@ derive_more.workspace = true
 futures.workspace = true
 http = "1.1"
 log.workspace = true
-rustls-native-certs.workspace = true
-rustls.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 smol.workspace = true

diff --git a/crates/http_client/src/http_client.rs b/crates/http_client/src/http_client.rs
@@ -12,7 +12,7 @@ use http::request::Builder;
 use std::fmt;
 use std::{
  any::type_name,
- sync::{Arc, LazyLock, Mutex},
+ sync::{Arc, Mutex},
  time::Duration,
 };
 pub use url::Url;
@@ -35,23 +35,6 @@ pub enum RedirectPolicy {
 }
 pub struct FollowRedirects(pub bool);
 
-pub static TLS_CONFIG: LazyLock<Arc<rustls::ClientConfig>> = LazyLock::new(|| {
- let mut root_store = rustls::RootCertStore::empty();
-
- let root_certs = rustls_native_certs::load_native_certs();
- for error in root_certs.errors {
- log::warn!("error loading native certs: {:?}", error);
- }
- root_store.add_parsable_certificates(&root_certs.certs);
-
- Arc::new(
- rustls::ClientConfig::builder()
- .with_safe_defaults()
- .with_root_certificates(root_store)
- .with_no_client_auth(),
- )
-});
-
 pub trait HttpRequestExt {
  /// Set a read timeout on the request.
  /// For isahc, this is the low_speed_timeout.

diff --git a/crates/reqwest_client/Cargo.toml b/crates/reqwest_client/Cargo.toml
@@ -28,7 +28,7 @@ serde.workspace = true
 smol.workspace = true
 log.workspace = true
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
-reqwest = { workspace = true, features = ["rustls-tls-manual-roots", "stream"] }
+reqwest.workspace = true
 
 [dev-dependencies]
 gpui.workspace = true
diff --git a/crates/reqwest_client/src/reqwest_client.rs b/crates/reqwest_client/src/reqwest_client.rs
@@ -2,7 +2,7 @@ use std::{any::type_name, borrow::Cow, io::Read, mem, pin::Pin, sync::OnceLock,
 
 use anyhow::anyhow;
 use bytes::{BufMut, Bytes, BytesMut};
-use futures::{AsyncRead, TryStreamExt};
+use futures::{AsyncRead, TryStreamExt as _};
 use http_client::{http, ReadTimeout, RedirectPolicy};
 use reqwest::{
  header::{HeaderMap, HeaderValue},
@@ -11,6 +11,7 @@ use reqwest::{
 use smol::future::FutureExt;
 
 const DEFAULT_CAPACITY: usize = 4096;
+static RUNTIME: OnceLock<tokio::runtime::Runtime> = OnceLock::new();
 
 pub struct ReqwestClient {
  client: reqwest::Client,
@@ -20,20 +21,29 @@ pub struct ReqwestClient {
 
 impl ReqwestClient {
  pub fn new() -> Self {
- reqwest::Client::new().into()
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .build()
+ .expect("Failed to initialize HTTP client")
+ .into()
  }
 
  pub fn user_agent(agent: &str) -> anyhow::Result<Self> {
  let mut map = HeaderMap::new();
  map.insert(http::header::USER_AGENT, HeaderValue::from_str(agent)?);
- let client = reqwest::Client::builder().default_headers(map).build()?;
+ let client = reqwest::Client::builder()
+ .default_headers(map)
+ .use_rustls_tls()
+ .build()?;
  Ok(client.into())
  }
 
  pub fn proxy_and_user_agent(proxy: Option<http::Uri>, agent: &str) -> anyhow::Result<Self> {
  let mut map = HeaderMap::new();
  map.insert(http::header::USER_AGENT, HeaderValue::from_str(agent)?);
- let mut client = reqwest::Client::builder().default_headers(map);
+ let mut client = reqwest::Client::builder()
+ .use_rustls_tls()
+ .default_headers(map);
  if let Some(proxy) = proxy.clone() {
  client = client.proxy(reqwest::Proxy::all(proxy.to_string())?);
  }
@@ -44,8 +54,6 @@ impl ReqwestClient {
  }
 }
 
-static RUNTIME: OnceLock<tokio::runtime::Runtime> = OnceLock::new();
-
 impl From<reqwest::Client> for ReqwestClient {
  fn from(client: reqwest::Client) -> Self {
  let handle = tokio::runtime::Handle::try_current().unwrap_or_else(|_| {