
meshtls-rustls: update to rustls 0.20 and tokio-rustls 0.23 #1362

Merged
merged 16 commits into from
Nov 9, 2021

Conversation

hawkw

@hawkw hawkw commented Nov 6, 2021

This branch updates linkerd-meshtls-rustls to use rustls version
0.20, tokio-rustls 0.23, and webpki 0.22.

Hopefully, this change should be relatively straightforward --- I've
just updated the proxy's usage of these crates to use their new APIs.
Perhaps the most significant change in rustls is the new builder APIs
for ClientConfig and ServerConfig. Besides that, there were a couple
places where we had to restructure our code a bit to use the new API ---
we can no longer access the server cert verifier from the
ClientConfig, which we previously used in Store::validate for
validating the proxy's cert. Now, instead of accessing it from the
ClientConfig, we pass in an Arced server cert verifier into the
client config, and hold onto a clone of it for use in Store::validate.
This is effectively the same as what we were doing before, but required
some restructuring.

Also, since rustls no longer exposes webpki types in its public API,
this change reduces our webpki usage significantly.
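The restructuring the description mentions (an Arc'd server cert verifier passed into the client config, with a clone retained for `Store::validate`), as an added stand-alone example. This is not code from this PR or from linkerd2-proxy: it uses std-only stand-ins so it compiles without rustls. `Verifier` plays the role of rustls 0.20's `ServerCertVerifier`, `ClientConfig` and `Store` are simplified models of the proxy's types, and the `Cert` struct, the trust-anchor name, the identity name and the timestamp are all constructed sample data. The point it demonstrates is the one the description relies on: the cert the proxy presents is checked with exactly the verifier its own clients enforce, even though the config no longer hands that verifier back out.

```rust
// Added example, not linkerd2-proxy code. Models the PR's restructuring with
// std-only types: `Verifier` stands in for rustls 0.20's `ServerCertVerifier`;
// `Cert`, the root name and the timestamps are constructed sample data.
use std::collections::HashSet;
use std::sync::Arc;

/// Constructed stand-in for a parsed certificate (not a real X.509 type).
#[derive(Clone, Debug, PartialEq)]
pub struct Cert {
    pub subject: String,
    pub issuer: String,
    pub not_after: u64, // seconds since the Unix epoch
}

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    UnknownIssuer(String),
    NameMismatch { expected: String, found: String },
    Expired,
}

/// Object-safe, like `ServerCertVerifier`, so a single instance can be shared
/// as `Arc<dyn Verifier>` between the client config and the store.
pub trait Verifier: Send + Sync {
    fn verify_server_cert(&self, cert: &Cert, server_name: &str, now: u64)
        -> Result<(), VerifyError>;
}

/// Verifies against a fixed set of trust anchors, in the spirit of a
/// `WebPkiVerifier` over a `RootCertStore`; anchors are issuer names here.
pub struct RootStoreVerifier {
    roots: HashSet<String>,
}

impl RootStoreVerifier {
    pub fn new(roots: &[&str]) -> Self {
        Self { roots: roots.iter().map(|r| r.to_string()).collect() }
    }
}

impl Verifier for RootStoreVerifier {
    fn verify_server_cert(&self, cert: &Cert, server_name: &str, now: u64)
        -> Result<(), VerifyError> {
        if !self.roots.contains(&cert.issuer) {
            return Err(VerifyError::UnknownIssuer(cert.issuer.clone()));
        }
        if cert.subject != server_name {
            return Err(VerifyError::NameMismatch {
                expected: server_name.to_string(),
                found: cert.subject.clone(),
            });
        }
        if now >= cert.not_after {
            return Err(VerifyError::Expired);
        }
        Ok(())
    }
}

/// Stand-in for the client TLS config. As with rustls 0.20, the verifier is
/// injected at construction and cannot be read back out of the config.
pub struct ClientConfig {
    verifier: Arc<dyn Verifier>,
}

impl ClientConfig {
    /// The check a client connect performs on the peer's leaf certificate.
    pub fn verify_peer(&self, peer: &Cert, server_name: &str, now: u64)
        -> Result<(), VerifyError> {
        self.verifier.verify_server_cert(peer, server_name, now)
    }
}

/// Holds the proxy's identity name, the client config, and a clone of the
/// very verifier that was handed to that config.
pub struct Store {
    name: String,
    pub client_config: Arc<ClientConfig>,
    verifier: Arc<dyn Verifier>,
}

impl Store {
    pub fn new(name: &str, verifier: Arc<dyn Verifier>) -> Self {
        let client_config = Arc::new(ClientConfig { verifier: verifier.clone() });
        Self { name: name.to_string(), client_config, verifier }
    }

    /// Validate a newly issued proxy cert with the same verifier the client
    /// config enforces, so the identity we present is one our clients accept.
    pub fn validate(&self, cert: &Cert, now: u64) -> Result<(), VerifyError> {
        self.verifier.verify_server_cert(cert, &self.name, now)
    }
}

/// Constructed scenario: one trust anchor, a cert it issued, one from elsewhere.
pub fn demo() -> [Result<(), VerifyError>; 4] {
    let verifier: Arc<dyn Verifier> =
        Arc::new(RootStoreVerifier::new(&["identity.linkerd.cluster.local"]));
    let name = "web.default.serviceaccount.identity.linkerd.cluster.local";
    let store = Store::new(name, verifier);
    let now = 1_636_416_000; // constructed timestamp
    let issued = Cert {
        subject: name.to_string(),
        issuer: "identity.linkerd.cluster.local".to_string(),
        not_after: now + 86_400,
    };
    let foreign = Cert { issuer: "some-other-ca".to_string(), ..issued.clone() };
    [
        store.validate(&issued, now),                          // Ok
        store.validate(&foreign, now),                         // UnknownIssuer
        store.client_config.verify_peer(&issued, name, now),   // Ok
        store.client_config.verify_peer(&issued, "other", now), // NameMismatch
    ]
}

fn main() {
    println!("{:?}", demo());
}
```

Because `Store` and `ClientConfig` hold clones of one `Arc`, swapping the trust anchors in one place without the other is impossible by construction, which is what made the pre-0.20 approach of reading the verifier back out of the config unnecessary.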

hawkw added 7 commits November 5, 2021 14:47
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
@hawkw hawkw requested review from olix0r and a team November 6, 2021 18:21
Comment on lines +95 to +96
// XXX(eliza): it's a bummer that the server name has to be cloned here...
.connect(self.server_id.clone(), io)

This is not my favorite thing about the new rustls API, but I don't think we can fix it in the proxy...


hawkw commented Nov 6, 2021

cargo deny is failing because I forked webpki under my personal GitHub account rather than under the linkerd org way back when I was initially experimenting with the webpki update... I think the reason for that was maybe because I wanted to patch the dep on the linkerd/webpki repo, or something?


hawkw commented Nov 8, 2021

cargo deny is failing because I forked webpki under my personal GitHub account rather than under the linkerd org way back when I was initially experimenting with the webpki update... I think the reason for that was maybe because I wanted to patch the dep on the linkerd/webpki repo, or something?

...oh, I figured out why this is in my fork rather than linkerd's fork --- it's obvious in hindsight. Turns out I don't have push permission for linkerd/webpki. @olix0r, mind adding me to the contributors for that repo so I can push the 0.22 branch?


olix0r commented Nov 8, 2021

@hawkw you should have access to linkerd/webpki now.

@olix0r olix0r merged commit 500dc3a into main Nov 9, 2021
@olix0r olix0r deleted the eliza/rustls-0.20-final branch November 9, 2021 00:17
tokio-rustls = "0.23.1"
rustls = { version = "0.20", features = ["dangerous_configuration"] }
rustls-pemfile = "0.2"
tokio-rustls = { version = "0.23.1", features = ["dangerous_configuration"] }

Ah, I hadn't realized tokio-rustls also exposed that!

olix0r added a commit to linkerd/linkerd2 that referenced this pull request Nov 9, 2021
This release updates the proxy's `rustls`, `ring`, and `webpki` dependencies.

Additionally, the proxy can now be built to use a `boringssl` backend
instead of the default `rustls` backend, but this functionality is
disabled in default builds.

---

* meshtls: replace build script with `compile_error!` macro (linkerd/linkerd2-proxy#1357)
* ci: Split actions into several workflows (linkerd/linkerd2-proxy#1356)
* ci: Make job names uniform (linkerd/linkerd2-proxy#1358)
* meshtls: allow building without any TLS impls enabled (linkerd/linkerd2-proxy#1359)
* `app-core` should not enable `meshtls-rustls` (linkerd/linkerd2-proxy#1360)
* Restore rustls credential tests (linkerd/linkerd2-proxy#1363)
* build(deps): bump hex from 0.3 to 0.4 (linkerd/linkerd2-proxy#1364)
* ci: Split jobs into 'fast' and 'slow' workflows (linkerd/linkerd2-proxy#1365)
* meshtls: Move TLS e2e tests into the meshtls crate (linkerd/linkerd2-proxy#1366)
* rustls: Tidy std::task imports (linkerd/linkerd2-proxy#1367)
* build(deps): bump serde_json from 1.0.68 to 1.0.69 (linkerd/linkerd2-proxy#1368)
* build(deps): bump libc from 0.2.106 to 0.2.107 (linkerd/linkerd2-proxy#1369)
* meshtls: Add a `boring` backend (linkerd/linkerd2-proxy#1351)
* meshtls-rustls: update to `rustls` 0.20 and `tokio-rustls` 0.23 (linkerd/linkerd2-proxy#1362)