From b3f9f8ac25a6be849cfcc159a6792ed6d087e668 Mon Sep 17 00:00:00 2001
From: Edward Shen
Date: Sun, 17 Oct 2021 21:41:10 -0700
Subject: [PATCH 1/3] Use tokio-rustls 0.23
---
 actix-tls/CHANGES.md | 9 ++++++---
 actix-tls/Cargo.toml | 3 ++-
 actix-tls/examples/tcp-rustls.rs | 21 +++++++++++++-------
 actix-tls/src/accept/rustls.rs | 2 +-
 actix-tls/src/connect/ssl/rustls.rs | 6 +++---
 5 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/actix-tls/CHANGES.md b/actix-tls/CHANGES.md
index 28dc612a8e..61bbc91081 100644
--- a/actix-tls/CHANGES.md
+++ b/actix-tls/CHANGES.md
@@ -1,16 +1,19 @@
 # Changes
 ## Unreleased - 2021-xx-xx
-
+* Update `tokio-rustls` to `0.23`, which uses `rustls` `0.20`.
+* Brought in `rustls-pemfile` as a dev-dependency, to show updated usage for the
+ `tcp-rustls` example.
+* Removed a re-export of `Session` from `rustls`, as it seems to longer exist.
 ## 3.0.0-beta.5 - 2021-03-29
-* Changed `connect::ssl::rustls::RustlsConnectorService` to return error when `DNSNameRef`
+* Changed `connect::ssl::rustls::RustlsConnectorService` to return error when `DNSNameRef`
 generation failed instead of panic. [#296]
 * Remove `connect::ssl::openssl::OpensslConnectServiceFactory`. [#297]
 * Remove `connect::ssl::openssl::OpensslConnectService`. [#297]
 * Add `connect::ssl::native_tls` module for native tls support. [#295]
 * Rename `accept::{nativetls => native_tls}`. [#295]
-* Remove `connect::TcpConnectService` type. service caller expect a `TcpStream` should use
+* Remove `connect::TcpConnectService` type. service caller expect a `TcpStream` should use
 `connect::ConnectService` instead and call `Connection::into_parts`. [#299]
 [#295]: https://github.com/actix/actix-net/pull/295
diff --git a/actix-tls/Cargo.toml b/actix-tls/Cargo.toml
index 9fa260c7fb..995c0e1b24 100755
--- a/actix-tls/Cargo.toml
+++ b/actix-tls/Cargo.toml
@@ -56,7 +56,7 @@ tls-openssl = { package = "openssl", version = "0.10.9", optional = true }
 tokio-openssl = { version = "0.6", optional = true }
 # rustls
-tokio-rustls = { version = "0.22", optional = true }
+tokio-rustls = { version = "0.23", optional = true }
 webpki-roots = { version = "0.21", optional = true }
 # native-tls
@@ -69,6 +69,7 @@ bytes = "1"
 env_logger = "0.8"
 futures-util = { version = "0.3.7", default-features = false, features = ["sink"] }
 log = "0.4"
+rustls-pemfile = "0.2.1"
 trust-dns-resolver = "0.20.0"
 [[example]]
diff --git a/actix-tls/examples/tcp-rustls.rs b/actix-tls/examples/tcp-rustls.rs
index 687c1f8694..dbf8704f7d 100644
--- a/actix-tls/examples/tcp-rustls.rs
+++ b/actix-tls/examples/tcp-rustls.rs
@@ -35,25 +35,30 @@ use actix_service::ServiceFactoryExt as _;
 use actix_tls::accept::rustls::{Acceptor as RustlsAcceptor, TlsStream};
 use futures_util::future::ok;
 use log::info;
-use rustls::{
- internal::pemfile::certs, internal::pemfile::rsa_private_keys, NoClientAuth, ServerConfig,
-};
+use rustls::server::ServerConfig;
+use rustls::{Certificate, PrivateKey};
+use rustls_pemfile::{certs, rsa_private_keys};
 #[actix_rt::main]
 async fn main() -> io::Result<()> {
 env::set_var("RUST_LOG", "info");
 env_logger::init();
- let mut tls_config = ServerConfig::new(NoClientAuth::new());
-
 // Load TLS key and cert files
 let cert_file = &mut BufReader::new(File::open("./examples/cert.pem").unwrap());
 let key_file = &mut BufReader::new(File::open("./examples/key.pem").unwrap());
- let cert_chain = certs(cert_file).unwrap();
+ let cert_chain = certs(cert_file)
+ .unwrap()
+ .into_iter()
+ .map(Certificate)
+ .collect();
 let mut keys = rsa_private_keys(key_file).unwrap();
- tls_config
- .set_single_cert(cert_chain, keys.remove(0))
+
+ let tls_config = ServerConfig::builder()
+ .with_safe_defaults()
+ .with_no_client_auth()
+ .with_single_cert(cert_chain, PrivateKey(keys.remove(0)))
 .unwrap();
 let tls_acceptor = RustlsAcceptor::new(tls_config);
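Review bot: `keys.remove(0)` inside the new `with_single_cert` call panics with a bare index-out-of-bounds when `key.pem` yields no key, and `rustls_pemfile::rsa_private_keys` only collects `RSA PRIVATE KEY` (PKCS#1) blocks, so a PKCS#8-encoded key file silently produces an empty vector and the example dies with a message that names neither the file nor the cause. Taking the key through an `expect` says what actually went wrong: `let key = keys.into_iter().next().map(PrivateKey).expect("./examples/key.pem contains no PKCS#1 RSA private key");` followed by `.with_single_cert(cert_chain, key)`. The `cert_chain` collect relies on inference from the `with_single_cert` parameter, which compiles fine but an explicit `let cert_chain: Vec<Certificate> = …` would make the example easier to copy from. `main` continues past the end of the hunk.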
diff --git a/actix-tls/src/accept/rustls.rs b/actix-tls/src/accept/rustls.rs
index ffac687aa7..50c4b3ab7d 100644
--- a/actix-tls/src/accept/rustls.rs
+++ b/actix-tls/src/accept/rustls.rs
@@ -14,7 +14,7 @@ use actix_utils::counter::{Counter, CounterGuard};
 use futures_core::future::LocalBoxFuture;
 use tokio_rustls::{Accept, TlsAcceptor};
-pub use tokio_rustls::rustls::{ServerConfig, Session};
+pub use tokio_rustls::rustls::ServerConfig;
 use super::MAX_CONN_COUNTER;
diff --git a/actix-tls/src/connect/ssl/rustls.rs b/actix-tls/src/connect/ssl/rustls.rs
index ee8ad02d19..60a0e15016 100755
--- a/actix-tls/src/connect/ssl/rustls.rs
+++ b/actix-tls/src/connect/ssl/rustls.rs
@@ -3,10 +3,10 @@ use std::{
 io,
 pin::Pin,
 sync::Arc,
+ convert::TryFrom,
 task::{Context, Poll},
 };
-pub use tokio_rustls::rustls::Session;
 pub use tokio_rustls::{client::TlsStream, rustls::ClientConfig};
 pub use webpki_roots::TLS_SERVER_ROOTS;
@@ -14,7 +14,7 @@ use actix_rt::net::ActixStream;
 use actix_service::{Service, ServiceFactory};
 use futures_core::{future::LocalBoxFuture, ready};
 use log::trace;
-use tokio_rustls::webpki::DNSNameRef;
+use tokio_rustls::rustls::client::ServerName;
 use tokio_rustls::{Connect, TlsConnector};
 use crate::connect::{Address, Connection};
@@ -89,7 +89,7 @@ where
 trace!("SSL Handshake start for: {:?}", connection.host());
 let (stream, connection) = connection.replace_io(());
- match DNSNameRef::try_from_ascii_str(connection.host()) {
+ match ServerName::try_from(connection.host()) {
 Ok(host) => RustlsConnectorServiceFuture::Future {
 connect: TlsConnector::from(self.connector.clone()).connect(host, stream),
 connection: Some(connection),
From d8965556d2791daa756fddb08945b64f8e7d3b8e Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Mon, 18 Oct 2021 16:03:56 +0100
Subject: [PATCH 2/3] Apply suggestions from code review
---
 actix-tls/CHANGES.md | 9 +++++----
 actix-tls/examples/tcp-rustls.rs | 3 +--
 2 files changed, 6 insertions(+), 6 deletions(-)
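Review bot: In the `@@ -89` hunk the `ServerName` built from `connection.host()` is what rustls 0.20 sends as SNI and what it verifies the server certificate against, and `ServerName::try_from` fails for any host it cannot parse as a server name, so such hosts reach the `Err` arm of this match, which lies outside the hunk. That contract is easy to miss when reading this as a mechanical `DNSNameRef` migration, so a comment above the match would help: `// ServerName is sent as SNI and is the name the server certificate is checked against; hosts that do not parse fall through to the Err arm below`. The enclosing function starts and ends outside the hunk.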
diff --git a/actix-tls/CHANGES.md b/actix-tls/CHANGES.md
index 61bbc91081..26de4271aa 100644
--- a/actix-tls/CHANGES.md
+++ b/actix-tls/CHANGES.md
@@ -1,10 +1,11 @@
 # Changes
 ## Unreleased - 2021-xx-xx
-* Update `tokio-rustls` to `0.23`, which uses `rustls` `0.20`.
-* Brought in `rustls-pemfile` as a dev-dependency, to show updated usage for the
- `tcp-rustls` example.
-* Removed a re-export of `Session` from `rustls`, as it seems to longer exist.
+* Update `tokio-rustls` to `0.23` which uses `rustls` `0.20`. [#396]
+* Removed a re-export of `Session` from `rustls` as it no longer exist. [#396]
+
+[#396]: https://github.com/actix/actix-net/pull/396
+
 ## 3.0.0-beta.5 - 2021-03-29
 * Changed `connect::ssl::rustls::RustlsConnectorService` to return error when `DNSNameRef`
diff --git a/actix-tls/examples/tcp-rustls.rs b/actix-tls/examples/tcp-rustls.rs
index dbf8704f7d..f347e16484 100644
--- a/actix-tls/examples/tcp-rustls.rs
+++ b/actix-tls/examples/tcp-rustls.rs
@@ -35,8 +35,7 @@ use actix_service::ServiceFactoryExt as _;
 use actix_tls::accept::rustls::{Acceptor as RustlsAcceptor, TlsStream};
 use futures_util::future::ok;
 use log::info;
-use rustls::server::ServerConfig;
-use rustls::{Certificate, PrivateKey};
+use rustls::{server::ServerConfig, Certificate, PrivateKey};
 use rustls_pemfile::{certs, rsa_private_keys};
 #[actix_rt::main]
From 2e8616c93b180bf5035eb2475776dc886d602a0f Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Mon, 18 Oct 2021 16:06:02 +0100
Subject: [PATCH 3/3] Update rustls.rs
---
 actix-tls/src/connect/ssl/rustls.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actix-tls/src/connect/ssl/rustls.rs b/actix-tls/src/connect/ssl/rustls.rs
index 60a0e15016..d66ceaa507 100755
--- a/actix-tls/src/connect/ssl/rustls.rs
+++ b/actix-tls/src/connect/ssl/rustls.rs
@@ -1,9 +1,9 @@
 use std::{
+ convert::TryFrom,
 future::Future,
 io,
 pin::Pin,
 sync::Arc,
- convert::TryFrom,
 task::{Context, Poll},
 };