[enhancement]: update rustls dependency to one requiring ring 0.17

[landryb]

Which feature or improvement would you like to request?

I'd like to see this feature: On OpenBSD, ring crate has proper support for libressl for various architectures only in version 0.17. For now, stalwart-mail requires several versions of ring via several versions of rustls, but support for ring 0.17 was added to rustls in https://github.com/rustls/rustls/releases/tag/v%2F0.21.8

im not fully grasping the dependency trees of cargo ecosystem, but is it possible to upgrade some dependencies so that we can only use/require ring 0.17 in the end ?

Is your feature request related to a problem?

I'm having a problem with...

Code of Conduct

• I agree to follow this project's Code of Conduct

[mdecimus]

Hi,

Stalwart already uses ring version 0.17 and a rustls that uses this same version. The problem seems to be other crates such as lldap which are still using ring 0.16.
This is also causing issues cross compiling the Windows version for aarch64. I will try contacting the crate's maintainers and ask them to upgrade.

[landryb]

thanks @mdecimus , from my reading of inejge/ldap3#117 it seems to be mostly a matter of having a release of lldap ?

[landryb]

ah and sorry for the initial wrong first comment, we 'need' ring 0.17 because ring 0.16's assembly (from boringssl) isnt compatible with execute-only and missing landing pads for CFI which is a security feature

[mdecimus]

I just executed cargo tree and there three multiple dependencies still linking 0.16:

• rust-s3, but this can be avoided if you don't need S3 support.
• ldap3
• hickory-proto

Here is cargo tree's output:

│   │   │   ├── rust-s3 v0.33.0
│   │   │   │   ├── async-trait v0.1.80 (proc-macro) (*)
│   │   │   │   ├── aws-creds v0.34.1
│   │   │   │   │   ├── attohttpc v0.22.0
│   │   │   │   │   │   ├── http v0.2.12 (*)
│   │   │   │   │   │   ├── log v0.4.21
│   │   │   │   │   │   ├── rustls v0.20.9
│   │   │   │   │   │   │   ├── log v0.4.21
│   │   │   │   │   │   │   ├── ring v0.16.20 (*)

...

│   ├── ldap3 v0.11.3
│   │   ├── async-trait v0.1.80 (proc-macro) (*)
│   │   ├── bytes v1.6.0
│   │   ├── futures v0.3.30 (*)
│   │   ├── futures-util v0.3.30 (*)
│   │   ├── lazy_static v1.4.0 (*)
│   │   ├── lber v0.4.2
│   │   │   ├── bytes v1.6.0
│   │   │   └── nom v7.1.3 (*)
│   │   ├── log v0.4.21
│   │   ├── nom v7.1.3 (*)
│   │   ├── percent-encoding v2.3.1
│   │   ├── ring v0.16.20 (*)

...

│   │   │   │   │   │   │   ├── hickory-proto v0.24.1
│   │   │   │   │   │   │   │   ├── async-trait v0.1.80 (proc-macro) (*)
│   │   │   │   │   │   │   │   ├── bytes v1.6.0
│   │   │   │   │   │   │   │   ├── cfg-if v1.0.0
│   │   │   │   │   │   │   │   ├── data-encoding v2.6.0
│   │   │   │   │   │   │   │   ├── enum-as-inner v0.6.0 (proc-macro)
│   │   │   │   │   │   │   │   │   ├── heck v0.4.1
│   │   │   │   │   │   │   │   │   ├── proc-macro2 v1.0.82 (*)
│   │   │   │   │   │   │   │   │   ├── quote v1.0.36 (*)
│   │   │   │   │   │   │   │   │   └── syn v2.0.63 (*)
│   │   │   │   │   │   │   │   ├── futures-channel v0.3.30 (*)
│   │   │   │   │   │   │   │   ├── futures-io v0.3.30
│   │   │   │   │   │   │   │   ├── futures-util v0.3.30 (*)
│   │   │   │   │   │   │   │   ├── h2 v0.3.26 (*)
│   │   │   │   │   │   │   │   ├── http v0.2.12 (*)
│   │   │   │   │   │   │   │   ├── idna v0.4.0
│   │   │   │   │   │   │   │   │   ├── unicode-bidi v0.3.15
│   │   │   │   │   │   │   │   │   └── unicode-normalization v0.1.23 (*)
│   │   │   │   │   │   │   │   ├── ipnet v2.9.0
│   │   │   │   │   │   │   │   ├── once_cell v1.19.0
│   │   │   │   │   │   │   │   ├── rand v0.8.5 (*)
│   │   │   │   │   │   │   │   ├── ring v0.16.20

[landryb]

why was this issue closed ? i see nothing changed wrt the transitive dependencies on ring 0.16..

[mdecimus]

Stalwart is already using ring 0.17. Once rust-s3, ldap3 and hickory-proto upgrade to 0.17 the old version will no longer be included.

[landryb]

just for tracking purposes so that i don't have to look again:

• ldap3 was updated in master inejge/ldap3@1cfe6a0 - needs a release from a 0.12 branch ?
• hickory dns in hickory-dns/hickory-dns@b0c0566, needs a proper 0.25 release ?
• attohttpc (dependency of aws-cred, dependency of rust-s3) was updated in Update to rustls 0.22 sbstp/attohttpc#154

[williamdes]

See: https://github.com/hickory-dns/hickory-dns/releases/tag/v0.25.0-alpha.2 for testing