Upgrade to hyper-rustls 0.27 and rustls 0.23
djc committed May 12, 2024
1 parent 3da5283 commit bd909b8
Showing 10 changed files with 149 additions and 103 deletions.
6 changes: 3 additions & 3 deletions CHANGELOG.md
Expand Up @@ -715,12 +715,12 @@
- Timeouts now affect DNS and socket connection.
- Pool much better at evicting sockets when they die.
- An `unstable` Cargo feature to enable `reqwest::unstable::async`.
- A huge docs improvement!
- A huge docs improvement!

### Fixes

- Publicly exports `RedirectAction` and `RedirectAttempt`
- `Error::get_ref` returns `Error + Send + Sync`
- `Error::get_ref` returns `Error + Send + Sync`

### Breaking Changes

Expand Down Expand Up @@ -789,7 +789,7 @@

### Breaking Changes

The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`.
The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`.

# v0.4.0

28 changes: 18 additions & 10 deletions Cargo.toml
Expand Up @@ -41,9 +41,13 @@ native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"]
native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]

rustls-tls = ["rustls-tls-webpki-roots"]
rustls-tls-manual-roots = ["__rustls"]
rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"]
rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"]
rustls-tls-manual-roots = ["__rustls_crypto_ring"]
rustls-tls-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_ring"]
rustls-tls-native-roots = ["__rustls_roots_native", "__rustls_crypto_ring"]
rustls-tls-aws-lc-manual-roots = ["__rustls_crypto_aws_lc"]
rustls-tls-aws-lc-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_aws_lc"]
rustls-tls-aws-lc-native-roots = ["__rustls_roots_native", "__rustls_crypto_aws_lc"]
rustls-base = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "rustls-pki-types"]

blocking = ["futures-channel/sink", "futures-util/io", "futures-util/sink", "tokio/sync"]

Expand Down Expand Up @@ -84,9 +88,13 @@ macos-system-configuration = ["dep:system-configuration"]
# Enables common types used for TLS. Useless on its own.
__tls = ["dep:rustls-pemfile", "tokio/io-util"]

# Enables common rustls code.
# Equivalent to rustls-tls-manual-roots but shorter :)
__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "rustls-pki-types"]
# Provide common feature flags along two axes:
# - crypto provider: ring or aws-lc
# - root certificate provider: webpki-roots or rustls-native-certs
__rustls_roots_webpki = ["dep:webpki-roots"]
__rustls_roots_native = ["dep:rustls-native-certs"]
__rustls_crypto_ring = ["rustls-base", "rustls/ring"]
__rustls_crypto_aws_lc = ["rustls-base", "rustls/aws_lc_rs"]

# When enabled, disable using the cached SYS_PROXIES.
__internal_proxy_sys_no_cache = []
Expand Down Expand Up @@ -134,10 +142,10 @@ native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls"
tokio-native-tls = { version = "0.3.0", optional = true }

# rustls-tls
hyper-rustls = { version = "0.26.0", default-features = false, optional = true }
rustls = { version = "0.22.2", optional = true }
rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
tokio-rustls = { version = "0.25", optional = true }
hyper-rustls = { version = "0.27", default-features = false, optional = true, features = ["http1", "http2", "logging", "native-tokio", "ring", "tls12"] }
rustls = { version = "0.23.4", default-features = false, features = ["logging", "std", "tls12"], optional = true }
rustls-pki-types = { version = "1.1.0", features = ["alloc"], optional = true }
tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "ring", "tls12"], optional = true }
webpki-roots = { version = "0.26.0", optional = true }
rustls-native-certs = { version = "0.7", optional = true }

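Review bot: The new `rustls-tls-aws-lc-*` features do not produce an aws-lc-only build, because the `hyper-rustls` and `tokio-rustls` dependency lines still carry `"ring"` unconditionally, so a consumer selecting aws-lc-rs compiles and links both crypto providers and ships two TLS crypto backends in one binary. The provider choice belongs on the private axis features instead: `__rustls_crypto_ring = ["rustls-base", "rustls/ring", "hyper-rustls/ring", "tokio-rustls/ring"]` and `__rustls_crypto_aws_lc = ["rustls-base", "rustls/aws_lc_rs", "hyper-rustls/aws-lc-rs", "tokio-rustls/aws_lc_rs"]`, with `"ring"` dropped from the two dependency declarations — assuming those crates expose their aws-lc feature under those names, which I cannot confirm from this page. This is more than a binary-size concern: users who pick aws-lc-rs are frequently doing so for its FIPS-oriented module, and a build that silently also links ring undermines that choice. `rustls-base` also deserves a comment, since it is not `__`-prefixed and is therefore a public feature, yet enabling it alone pulls in rustls with no crypto provider: `# Not a complete backend on its own: one of the rustls-tls* features must supply a crypto provider.`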
79 changes: 51 additions & 28 deletions src/async_impl/client.rs
@@ -1,4 +1,4 @@
#[cfg(any(feature = "native-tls", feature = "__rustls",))]
#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
use std::any::Any;
use std::net::IpAddr;
use std::sync::Arc;
Expand Down Expand Up @@ -43,7 +43,7 @@ use crate::redirect::{self, remove_sensitive_headers};
use crate::tls::{self, TlsBackend};
#[cfg(feature = "__tls")]
use crate::Certificate;
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
use crate::Identity;
use crate::{IntoUrl, Method, Proxy, StatusCode, Url};
use log::debug;
Expand Down Expand Up @@ -102,7 +102,7 @@ struct Config {
pool_idle_timeout: Option<Duration>,
pool_max_idle_per_host: usize,
tcp_keepalive: Option<Duration>,
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
identity: Option<Identity>,
proxies: Vec<Proxy>,
auto_sys_proxy: bool,
Expand All @@ -114,9 +114,9 @@ struct Config {
root_certs: Vec<Certificate>,
#[cfg(feature = "__tls")]
tls_built_in_root_certs: bool,
#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg(feature = "__rustls_roots_webpki")]
tls_built_in_certs_webpki: bool,
#[cfg(feature = "rustls-tls-native-roots")]
#[cfg(feature = "__rustls_roots_native")]
tls_built_in_certs_native: bool,
#[cfg(feature = "__tls")]
min_tls_version: Option<tls::Version>,
Expand Down Expand Up @@ -211,11 +211,11 @@ impl ClientBuilder {
root_certs: Vec::new(),
#[cfg(feature = "__tls")]
tls_built_in_root_certs: true,
#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg(feature = "__rustls_roots_webpki")]
tls_built_in_certs_webpki: true,
#[cfg(feature = "rustls-tls-native-roots")]
#[cfg(feature = "__rustls_roots_native")]
tls_built_in_certs_native: true,
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
identity: None,
#[cfg(feature = "__tls")]
min_tls_version: None,
Expand Down Expand Up @@ -317,7 +317,7 @@ impl ClientBuilder {
let mut http = HttpConnector::new_with_resolver(DynResolver::new(resolver.clone()));
http.set_connect_timeout(config.connect_timeout);

#[cfg(all(feature = "http3", feature = "__rustls"))]
#[cfg(all(feature = "http3", feature = "rustls-base"))]
let build_h3_connector =
|resolver,
tls,
Expand Down Expand Up @@ -409,7 +409,7 @@ impl ClientBuilder {
id.add_to_native_tls(&mut tls)?;
}
}
#[cfg(all(feature = "__rustls", not(feature = "native-tls")))]
#[cfg(all(feature = "rustls-base", not(feature = "native-tls")))]
{
// Default backend + rustls Identity doesn't work.
if let Some(_id) = config.identity {
Expand Down Expand Up @@ -466,7 +466,7 @@ impl ClientBuilder {
config.nodelay,
config.tls_info,
),
#[cfg(feature = "__rustls")]
#[cfg(feature = "rustls-base")]
TlsBackend::BuiltRustls(conn) => {
#[cfg(feature = "http3")]
{
Expand Down Expand Up @@ -498,7 +498,10 @@ impl ClientBuilder {
config.tls_info,
)
}
#[cfg(feature = "__rustls")]
#[cfg(any(
feature = "__rustls_crypto_ring",
feature = "__rustls_crypto_aws_lc-rs"
))]
TlsBackend::Rustls => {
use crate::tls::NoVerifier;

Expand All @@ -508,12 +511,12 @@ impl ClientBuilder {
cert.add_to_rustls(&mut root_cert_store)?;
}

#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg(feature = "__rustls_roots_webpki")]
if config.tls_built_in_certs_webpki {
root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
}

#[cfg(feature = "rustls-tls-native-roots")]
#[cfg(feature = "__rustls_roots_native")]
if config.tls_built_in_certs_native {
let mut valid_count = 0;
let mut invalid_count = 0;
Expand Down Expand Up @@ -566,8 +569,19 @@ impl ClientBuilder {
}

// Build TLS config
#[cfg(feature = "__rustls_crypto_ring")]
let provider = rustls::crypto::ring::default_provider();

#[cfg(all(
feature = "__rustls_crypto_aws_lc-rs",
not(feature = "__rustls_crypto_ring")
))]
let provider = rustls::crypto::aws_lc_rs::default_provider();

let config_builder =
rustls::ClientConfig::builder_with_protocol_versions(&versions)
rustls::ClientConfig::builder_with_provider(Arc::new(provider))
.with_protocol_versions(&versions)
.map_err(|_| crate::error::builder("invalid TLS versions"))?
.with_root_certificates(root_cert_store);

// Finalize TLS config
Expand Down Expand Up @@ -639,7 +653,7 @@ impl ClientBuilder {
config.tls_info,
)
}
#[cfg(any(feature = "native-tls", feature = "__rustls",))]
#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
TlsBackend::UnknownPreconfigured => {
return Err(crate::error::builder(
"Unknown TLS backend passed to `use_preconfigured_tls`",
Expand Down Expand Up @@ -1400,12 +1414,12 @@ impl ClientBuilder {
pub fn tls_built_in_root_certs(mut self, tls_built_in_root_certs: bool) -> ClientBuilder {
self.config.tls_built_in_root_certs = tls_built_in_root_certs;

#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg(feature = "__rustls_roots_webpki")]
{
self.config.tls_built_in_certs_webpki = tls_built_in_root_certs;
}

#[cfg(feature = "rustls-tls-native-roots")]
#[cfg(feature = "__rustls_roots_native")]
{
self.config.tls_built_in_certs_native = tls_built_in_root_certs;
}
Expand All @@ -1416,8 +1430,8 @@ impl ClientBuilder {
/// Sets whether to load webpki root certs with rustls.
///
/// If the feature is enabled, this value is `true` by default.
#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
#[cfg(feature = "__rustls_roots_webpki")]
#[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))]
pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
self.config.tls_built_in_certs_webpki = enabled;
self
Expand All @@ -1426,8 +1440,8 @@ impl ClientBuilder {
/// Sets whether to load native root certs with rustls.
///
/// If the feature is enabled, this value is `true` by default.
#[cfg(feature = "rustls-tls-native-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
#[cfg(feature = "__rustls_roots_native")]
#[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))]
pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
self.config.tls_built_in_certs_native = enabled;
self
Expand All @@ -1439,7 +1453,7 @@ impl ClientBuilder {
///
/// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
/// enabled.
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
#[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
pub fn identity(mut self, identity: Identity) -> ClientBuilder {
self.config.identity = Some(identity);
Expand Down Expand Up @@ -1606,8 +1620,17 @@ impl ClientBuilder {
/// # Optional
///
/// This requires the optional `rustls-tls(-...)` feature to be enabled.
#[cfg(feature = "__rustls")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
#[cfg(any(
feature = "__rustls_crypto_ring",
feature = "__rustls_crypto_aws_lc-rs"
))]
#[cfg_attr(
docsrs,
doc(cfg(any(
feature = "__rustls_crypto_ring",
feature = "__rustls_crypto_aws_lc-rs"
)))
)]
pub fn use_rustls_tls(mut self) -> ClientBuilder {
self.config.tls = TlsBackend::Rustls;
self
Expand All @@ -1631,7 +1654,7 @@ impl ClientBuilder {
///
/// This requires one of the optional features `native-tls` or
/// `rustls-tls(-...)` to be enabled.
#[cfg(any(feature = "native-tls", feature = "__rustls",))]
#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
#[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder {
let mut tls = Some(tls);
Expand All @@ -1644,7 +1667,7 @@ impl ClientBuilder {
return self;
}
}
#[cfg(feature = "__rustls")]
#[cfg(feature = "rustls-base")]
{
if let Some(conn) =
(&mut tls as &mut dyn Any).downcast_mut::<Option<rustls::ClientConfig>>()
Expand Down Expand Up @@ -2244,7 +2267,7 @@ impl Config {
f.field("tls_info", &self.tls_info);
}

#[cfg(all(feature = "default-tls", feature = "__rustls"))]
#[cfg(all(feature = "default-tls", feature = "rustls-base"))]
{
f.field("tls_backend", &self.tls);
}
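Review bot: The aws-lc side of the new cfg gates — on the `TlsBackend::Rustls` match arm, on the `provider` selection in the TLS-config build, and on `use_rustls_tls` — tests `feature = "__rustls_crypto_aws_lc-rs"`, but the feature Cargo.toml declares in this same commit is `__rustls_crypto_aws_lc`, so with only a `rustls-tls-aws-lc-*` feature enabled those items are compiled out and `rustls::crypto::aws_lc_rs::default_provider()` can never be reached; each of the four occurrences should read `feature = "__rustls_crypto_aws_lc"`. A misspelled feature name inside `cfg` is not a compile error, so nothing will catch this until CI builds with `--no-default-features --features rustls-tls-aws-lc-webpki-roots` (whether that configuration then compiles at all depends on how `TlsBackend::Rustls` is gated in tls.rs, which is outside this view). The `not(feature = "__rustls_crypto_ring")` guard on the aws-lc `provider` also means ring silently wins whenever Cargo feature unification enables both providers, which deserves a comment above it such as `// Both providers enabled (feature unification): ring wins; aws-lc-rs is used only when it is the sole provider feature.` The enclosing `build` method begins and ends outside these hunks.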
18 changes: 9 additions & 9 deletions src/blocking/client.rs
@@ -1,4 +1,4 @@
#[cfg(any(feature = "native-tls", feature = "__rustls",))]
#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
use std::any::Any;
use std::convert::TryInto;
use std::fmt;
Expand All @@ -21,7 +21,7 @@ use crate::dns::Resolve;
use crate::tls;
#[cfg(feature = "__tls")]
use crate::Certificate;
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
use crate::Identity;
use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy};

Expand Down Expand Up @@ -630,17 +630,17 @@ impl ClientBuilder {
/// Sets whether to load webpki root certs with rustls.
///
/// If the feature is enabled, this value is `true` by default.
#[cfg(feature = "rustls-tls-webpki-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
#[cfg(feature = "__rustls_roots_webpki")]
#[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))]
pub fn tls_built_in_webpki_certs(self, enabled: bool) -> ClientBuilder {
self.with_inner(move |inner| inner.tls_built_in_webpki_certs(enabled))
}

/// Sets whether to load native root certs with rustls.
///
/// If the feature is enabled, this value is `true` by default.
#[cfg(feature = "rustls-tls-native-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
#[cfg(feature = "__rustls_roots_native")]
#[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))]
pub fn tls_built_in_native_certs(self, enabled: bool) -> ClientBuilder {
self.with_inner(move |inner| inner.tls_built_in_native_certs(enabled))
}
Expand All @@ -651,7 +651,7 @@ impl ClientBuilder {
///
/// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
/// enabled.
#[cfg(any(feature = "native-tls", feature = "__rustls"))]
#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
#[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
pub fn identity(self, identity: Identity) -> ClientBuilder {
self.with_inner(move |inner| inner.identity(identity))
Expand Down Expand Up @@ -795,7 +795,7 @@ impl ClientBuilder {
/// # Optional
///
/// This requires the optional `rustls-tls(-...)` feature to be enabled.
#[cfg(feature = "__rustls")]
#[cfg(feature = "rustls-base")]
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
pub fn use_rustls_tls(self) -> ClientBuilder {
self.with_inner(move |inner| inner.use_rustls_tls())
Expand Down Expand Up @@ -838,7 +838,7 @@ impl ClientBuilder {
///
/// This requires one of the optional features `native-tls` or
/// `rustls-tls(-...)` to be enabled.
#[cfg(any(feature = "native-tls", feature = "__rustls",))]
#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
#[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder {
self.with_inner(move |inner| inner.use_preconfigured_tls(tls))
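Review bot: `use_rustls_tls` here is gated on `feature = "rustls-base"`, but the async `ClientBuilder::use_rustls_tls` it forwards to is now gated on the crypto-provider features (`__rustls_crypto_ring` / `__rustls_crypto_aws_lc-rs`), so a build that enables `rustls-base` without a provider feature — possible, since `rustls-base` is a public feature in Cargo.toml — compiles this wrapper against a method that does not exist. The gate should mirror the async one, `#[cfg(any(feature = "__rustls_crypto_ring", feature = "__rustls_crypto_aws_lc"))]`, using whichever spelling Cargo.toml actually declares (currently `__rustls_crypto_aws_lc`). The `doc(cfg(feature = "rustls-tls"))` attributes on `identity`, `use_rustls_tls` and `use_preconfigured_tls` still advertise only `rustls-tls` although the new `rustls-tls-aws-lc-*` features also enable them, while the async `use_rustls_tls` now leaks the `__`-prefixed internal names into its `doc(cfg(...))`; both files should list the public umbrella features, or the doc text should say "any `rustls-tls*` feature".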