tokio 0.12 migration causes UnknownIssuer errors with lightwallet servers using Let's Encrypt

[str4d]

#1446 migrated us from tokio 0.11 to tokio 0.12. This results in dependency updates that cause the following error when trying to connect to zec.rocks:

INFO zec_sqlite_cli::remote: Connecting to zec.rocks:443
Error: transport error

Caused by:
    0: invalid peer certificate: UnknownIssuer
    1: invalid peer certificate: UnknownIssuer

zec.rocks has this certificate chain:

$ echo quit | openssl s_client -showcerts -servername zec.rocks -connect zec.rocks:443 >zec.rocks.pem
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = zec.rocks
verify return:1
DONE

$ cat zec.rocks.pem

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = zec.rocks
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 28 23:25:39 2024 GMT; NotAfter: Aug 26 23:25:38 2024 GMT
-----BEGIN CERTIFICATE-----
MIIEEzCCAvugAwIBAgISAy/kdOxAsW7vVouWK843ahYzMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA1MjgyMzI1MzlaFw0yNDA4MjYyMzI1MzhaMBQxEjAQBgNVBAMT
CXplYy5yb2NrczBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGRdbaS9ttli4ny8
9Vvwvt/B16lK70iqiKcyLyTeGj4p9z20WxEIok9D0vOrG9uYXGGoU399bir/7b7i
89A8OxijggIKMIICBjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEgN471CWEM7QnTN
1QZJLb+a7OqUMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsG
AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIG
CCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBQGA1UdEQQNMAuCCXpl
Yy5yb2NrczATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQE
gfEA7wB1AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABj8G9AK8A
AAQDAEYwRAIgIdKfKsBjvX0xTahZ0drXQ9ZsXGq5NQ/wsTUTjM3GgEYCIFL6CkbZ
Gkw2UTbKRcFQvyCdaDWbRSeWiHUv1zYkcAvdAHYASLDja9qmRzQP5WoC+p0w6xxS
ActW3SyB2bu/qznYhHMAAAGPwb0AZAAABAMARzBFAiEApkMjdBbS2BmrdXGjvgmO
67Dz8K17pZ4QEWJZrjd/fiICIFaLK2qAqJXIBMJzhACC4WoEEwG1NthNvEn712MM
Mgm4MA0GCSqGSIb3DQEBCwUAA4IBAQCeTGVx7MlRCxJL3TiNSbTex4bdfHbPjafy
3bz5Tv/+d1r+dDbxk7Mz/Th+iv57VzlznNaauigsrR594dM+Nz5ijhY7Agb5DBUa
O4ia+FBJdM5lDU8J2tpBbn5eN+J6XkM0UPBPQBkGm3v0flyKLfjqpZWSEe+XW9OO
iVRA3fNZ57dJhiwQ7mT9cXdYnhlTMgqUz2Uom4YKMy0VPD9/H6U3YlWt52tSdBNR
yfu8jq29A1e+0AsMb2pMpB37CzmejnOuQmMu4kLok8YMYpP6TlsO97SY+7fhaUHm
QYp/YnupTpTVoW7cUu9a9qXPvD0aZfhNJ3dCl2fkYaa3IVn6JL38
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = zec.rocks
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2733 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

My suspicion is that something in the upgrade is preventing the ISRG Root X1 root from being found.

[str4d]

This is the full current diff resulting from migrating zec-sqlite-cli from the main commit just before #1446 to the main commit merging that PR, and after update version minimisation for the TLS-related dependencies:

Click to view

commit 23b3920563744de8732fb41bbf0175a98859d133
Author: Jack Grigg <jack@electriccoin.co>
Date:   Wed Jul 24 17:32:18 2024 +0000

    Migrate to `librustzcash` revision just after `tonic 0.12`

diff --git a/Cargo.lock b/Cargo.lock
index 2bc2b58..9c0c4c5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -131,6 +131,12 @@ dependencies = [
  "syn 2.0.66",
 ]
 
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
 [[package]]
 name = "autocfg"
 version = "1.3.0"
@@ -139,18 +145,17 @@ checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
 
 [[package]]
 name = "axum"
-version = "0.6.20"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b829e4e32b91e643de6eafe82b1d90675f5874230191a4ffbc1b336dec4d6bf"
+checksum = "3a6c9af12842a67734c9a2e355436e5d03b22383ed60cf13cd0c18fbfe3dcbcf"
 dependencies = [
  "async-trait",
  "axum-core",
- "bitflags 1.3.2",
  "bytes",
  "futures-util",
  "http",
  "http-body",
- "hyper",
+ "http-body-util",
  "itoa",
  "matchit",
  "memchr",
@@ -159,7 +164,7 @@ dependencies = [
  "pin-project-lite",
  "rustversion",
  "serde",
- "sync_wrapper",
+ "sync_wrapper 1.0.1",
  "tower",
  "tower-layer",
  "tower-service",
@@ -167,17 +172,20 @@ dependencies = [
 
 [[package]]
 name = "axum-core"
-version = "0.3.4"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "759fa577a247914fd3f7f76d62972792636412fbfd634cd452f6a385a74d2d2c"
+checksum = "a15c63fd72d41492dc4f497196f5da1fb04fb7529e631d73630d1b491e47a2e3"
 dependencies = [
  "async-trait",
  "bytes",
  "futures-util",
  "http",
  "http-body",
+ "http-body-util",
  "mime",
+ "pin-project-lite",
  "rustversion",
+ "sync_wrapper 0.1.2",
  "tower-layer",
  "tower-service",
 ]
@@ -278,12 +286,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "bitflags"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
-
 [[package]]
 name = "bitflags"
 version = "2.5.0"
@@ -552,7 +554,7 @@ version = "0.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f476fe445d41c9e991fd07515a6f463074b782242ccf4a5b7b1d1012e70824df"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
  "crossterm_winapi",
  "futures-core",
  "libc",
@@ -641,7 +643,7 @@ checksum = "3dca9240753cf90908d7e4aac30f630662b02aebaa1b58a3cadabdb23385b58b"
 [[package]]
 name = "equihash"
 version = "0.2.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "blake2b_simd",
  "byteorder",
@@ -666,7 +668,7 @@ dependencies = [
 [[package]]
 name = "f4jumble"
 version = "0.1.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "blake2b_simd",
 ]
@@ -864,15 +866,15 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.3.26"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
+checksum = "fa82e28a107a8cc405f0839610bdc9b15f1e25ec7d696aa5cf173edbcb1486ab"
 dependencies = [
+ "atomic-waker",
  "bytes",
  "fnv",
  "futures-core",
  "futures-sink",
- "futures-util",
  "http",
  "indexmap 2.2.6",
  "slab",
@@ -984,9 +986,9 @@ dependencies = [
 
 [[package]]
 name = "http"
-version = "0.2.12"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "601cbb57e577e2f5ef5be8e7b83f0f63994f25aa94d673e54a92d5c516d101f1"
+checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258"
 dependencies = [
  "bytes",
  "fnv",
@@ -995,12 +997,24 @@ dependencies = [
 
 [[package]]
 name = "http-body"
-version = "0.4.6"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
 dependencies = [
  "bytes",
  "http",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
  "pin-project-lite",
 ]
 
@@ -1018,13 +1032,12 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hyper"
-version = "0.14.29"
+version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f361cde2f109281a220d4307746cdfd5ee3f410da58a70377762396775634b33"
+checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05"
 dependencies = [
  "bytes",
  "futures-channel",
- "futures-core",
  "futures-util",
  "h2",
  "http",
@@ -1033,23 +1046,42 @@ dependencies = [
  "httpdate",
  "itoa",
  "pin-project-lite",
- "socket2",
+ "smallvec",
  "tokio",
- "tower-service",
- "tracing",
  "want",
 ]
 
 [[package]]
 name = "hyper-timeout"
-version = "0.4.1"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1"
+checksum = "3203a961e5c83b6f5498933e78b6b263e208c197b63e9c6c53cc82ffd3f63793"
 dependencies = [
  "hyper",
+ "hyper-util",
  "pin-project-lite",
  "tokio",
- "tokio-io-timeout",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ab92f4f49ee4fb4f997c784b7a2e0fa70050211e0b6a287f898c3c9785ca956"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http",
+ "http-body",
+ "hyper",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower",
+ "tower-service",
+ "tracing",
 ]
 
 [[package]]
@@ -1612,9 +1644,9 @@ dependencies = [
 
 [[package]]
 name = "prost"
-version = "0.12.6"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29"
+checksum = "e13db3d3fde688c61e2446b4d843bc27a7e8af269a69440c0308021dc92333cc"
 dependencies = [
  "bytes",
  "prost-derive",
@@ -1622,9 +1654,9 @@ dependencies = [
 
 [[package]]
 name = "prost-build"
-version = "0.12.6"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4"
+checksum = "5bb182580f71dd070f88d01ce3de9f4da5021db7115d2e1c3605a754153b77c1"
 dependencies = [
  "bytes",
  "heck",
@@ -1643,9 +1675,9 @@ dependencies = [
 
 [[package]]
 name = "prost-derive"
-version = "0.12.6"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1"
+checksum = "18bec9b0adc4eba778b33684b7ba3e7137789434769ee3ce3930463ef904cfca"
 dependencies = [
  "anyhow",
  "itertools",
@@ -1656,9 +1688,9 @@ dependencies = [
 
 [[package]]
 name = "prost-types"
-version = "0.12.6"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0"
+checksum = "cee5168b05f49d4b0ca581206eb14a7b22fafd963efe729ac48eb03266e25cc2"
 dependencies = [
  "prost",
 ]
@@ -1714,7 +1746,7 @@ version = "0.26.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f44c9e68fd46eda15c646fbb85e1040b657a58cdc8c98db1d97a55930d991eef"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
  "cassowary",
  "compact_str",
  "crossterm",
@@ -1785,7 +1817,7 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
 ]
 
 [[package]]
@@ -1872,7 +1904,7 @@ version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "549b9d036d571d42e6e85d1c1425e2ac83491075078ca9a15be021c56b1641f2"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
  "fallible-iterator",
  "fallible-streaming-iterator",
  "hashlink",
@@ -1902,7 +1934,7 @@ version = "0.38.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
  "errno",
  "libc",
  "linux-raw-sys",
@@ -1911,11 +1943,12 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.22.4"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+checksum = "53e56521f047352df0db9a3c5aafc573eeb8909ab80f9d4cba201d8d73539009"
 dependencies = [
  "log",
+ "once_cell",
  "ring",
  "rustls-pki-types",
  "rustls-webpki",
@@ -2145,7 +2178,7 @@ name = "shardtree"
 version = "0.3.1"
 source = "git+https://github.com/zcash/incrementalmerkletree?rev=337f59179eda51261e9ddfc6b18e8fb84ea277c9#337f59179eda51261e9ddfc6b18e8fb84ea277c9"
 dependencies = [
- "bitflags 2.5.0",
+ "bitflags",
  "either",
  "incrementalmerkletree",
  "tracing",
@@ -2348,6 +2381,12 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
 
+[[package]]
+name = "sync_wrapper"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"
+
 [[package]]
 name = "tap"
 version = "1.0.1"
@@ -2498,16 +2537,6 @@ dependencies = [
  "windows-sys 0.48.0",
 ]
 
-[[package]]
-name = "tokio-io-timeout"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30b74022ada614a1b4834de765f9bb43877f910cc8ce4be40e89042c9223a8bf"
-dependencies = [
- "pin-project-lite",
- "tokio",
-]
-
 [[package]]
 name = "tokio-macros"
 version = "2.3.0"
@@ -2521,9 +2550,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.25.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
  "rustls",
  "rustls-pki-types",
@@ -2590,26 +2619,28 @@ dependencies = [
 
 [[package]]
 name = "tonic"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13"
+checksum = "38659f4a91aba8598d27821589f5db7dddd94601e7a01b1e485a50e5484c7401"
 dependencies = [
  "async-stream",
  "async-trait",
  "axum",
- "base64 0.21.7",
+ "base64 0.22.1",
  "bytes",
  "flate2",
  "h2",
  "http",
  "http-body",
+ "http-body-util",
  "hyper",
  "hyper-timeout",
+ "hyper-util",
  "percent-encoding",
  "pin-project",
  "prost",
  "rustls-pemfile",
- "rustls-pki-types",
+ "socket2",
  "tokio",
  "tokio-rustls",
  "tokio-stream",
@@ -2622,9 +2653,9 @@ dependencies = [
 
 [[package]]
 name = "tonic-build"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2"
+checksum = "568392c5a2bd0020723e3f387891176aabafe36fd9fcd074ad309dfa0c8eb964"
 dependencies = [
  "prettyplease",
  "proc-macro2",
@@ -3130,7 +3161,7 @@ checksum = "213b7324336b53d2414b2db8537e56544d981803139155afa84f76eeebb7a546"
 [[package]]
 name = "zcash_address"
 version = "0.3.2"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "bech32",
  "bs58",
@@ -3142,7 +3173,7 @@ dependencies = [
 [[package]]
 name = "zcash_client_backend"
 version = "0.12.1"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "base64 0.21.7",
  "bech32",
@@ -3185,7 +3216,7 @@ dependencies = [
 [[package]]
 name = "zcash_client_sqlite"
 version = "0.10.3"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "bip32",
  "bs58",
@@ -3220,7 +3251,7 @@ dependencies = [
 [[package]]
 name = "zcash_encoding"
 version = "0.2.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "byteorder",
  "nonempty",
@@ -3229,7 +3260,7 @@ dependencies = [
 [[package]]
 name = "zcash_keys"
 version = "0.2.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "bech32",
  "bip32",
@@ -3270,7 +3301,7 @@ dependencies = [
 [[package]]
 name = "zcash_primitives"
 version = "0.15.1"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "aes",
  "bip32",
@@ -3308,7 +3339,7 @@ dependencies = [
 [[package]]
 name = "zcash_proofs"
 version = "0.15.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "bellman",
  "blake2b_simd",
@@ -3330,7 +3361,7 @@ dependencies = [
 [[package]]
 name = "zcash_protocol"
 version = "0.1.1"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "document-features",
  "memuse",
@@ -3436,7 +3467,7 @@ dependencies = [
 [[package]]
 name = "zip321"
 version = "0.0.0"
-source = "git+https://github.com/zcash/librustzcash?rev=34cf6d286a201caf7dfee29fbee867d547afc486#34cf6d286a201caf7dfee29fbee867d547afc486"
+source = "git+https://github.com/zcash/librustzcash?rev=73d0c5b68b1910d88b4e0ba095916b11fa49dc88#73d0c5b68b1910d88b4e0ba095916b11fa49dc88"
 dependencies = [
  "base64 0.21.7",
  "nom",
diff --git a/Cargo.toml b/Cargo.toml
index c0ced40..fd1514e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,7 +11,7 @@ anyhow = "1"
 bip0039 = { version = "0.12", features = ["std", "all-languages"] }
 futures-util = "0.3"
 gumdrop = "0.8"
-prost = "0.12"
+prost = "0.13"
 rayon = "1.7"
 rusqlite = { version = "0.29", features = ["time"] }
 orchard = { version = "0.8", default-features = false }
@@ -22,7 +22,7 @@ serde = "1.0"
 time = "0.2"
 tokio = { version = "1.21.0", features = ["fs", "macros", "rt-multi-thread", "signal"] }
 toml = "0.8"
-tonic = { version = "0.11", features = ["gzip", "tls-webpki-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls-webpki-roots"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] }
 zcash_address = "0.3.2"
@@ -55,13 +55,13 @@ tui = [
 ]
 
 [patch.crates-io]
-zcash_address = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zip321 = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_keys = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_primitives = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_protocol = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_proofs = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_client_backend = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
-zcash_client_sqlite = { git = "https://github.com/zcash/librustzcash", rev = "34cf6d286a201caf7dfee29fbee867d547afc486" }
+zcash_address = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zip321 = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_keys = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_primitives = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_protocol = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_proofs = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_client_backend = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
+zcash_client_sqlite = { git = "https://github.com/zcash/librustzcash", rev = "73d0c5b68b1910d88b4e0ba095916b11fa49dc88" }
 incrementalmerkletree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "337f59179eda51261e9ddfc6b18e8fb84ea277c9" }
 shardtree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "337f59179eda51261e9ddfc6b18e8fb84ea277c9" }

[str4d]

These are the specific updates that I think might be contributing:

@@ -1911,11 +1943,12 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.22.4"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+checksum = "53e56521f047352df0db9a3c5aafc573eeb8909ab80f9d4cba201d8d73539009"
 dependencies = [
  "log",
+ "once_cell",
  "ring",
  "rustls-pki-types",
  "rustls-webpki",
@@ -2521,9 +2550,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.25.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
  "rustls",
  "rustls-pki-types",

Note in particular that webpki-roots is not upgraded. The fact that we can connect to zec.rocks without the upgrade means that ISRV Root X1 must be in webpki-roots; the problem must be in changes to certificate path building.

[str4d]

Code changes for these updates:

• rustls/rustls@v/0.22.4...v/0.23.0
• rustls/tokio-rustls@v/0.25.0...v/0.26.0

[str4d]

Aha, the issue is this change in rustls 0.23.0: hyperium/tonic#1731

The feature flags enable webpki-roots to be used, but they are no longer used unless an explicit call to ClientTlsConfig::with_webpki_roots is added.

This breaking change to the API was not noted in the changelog at all until two weeks ago: hyperium/tonic#1781