Use rustls for Swift to support TLS 1.3 #3113
Conversation
Currently Element X iOS does not support TLS 1.3; this PR shall fix that.

Explanation: There is an official recommendation from Apple that boils down to the following if you use cross-platform code with sockets (as we do with the rust sdk):

> To use TLS in that case [BSD Sockets], add your own TLS implementation. Don't use Secure Transport for your TLS implementation. It's been deprecated since 2019 and doesn't support TLS 1.3. If you have existing code that uses Secure Transport, make a plan to migrate off it.

Modern TLS implementations including TLS 1.3 on macOS are only available as a builtin via the Apple-specific URLSession / Network framework APIs, i.e. APIs where you feed in a URL and get the response back. They are not available in combination with generic sockets-based cross-platform code.

With that in mind, there is currently no hope that rust-native-tls would support TLS 1.3 in the foreseeable future, as there is simply no native TLS implementation in current macOS/iOS that could be used by rust-native-tls.

See https://developer.apple.com/documentation/technotes/tn3151-choosing-the-right-networking-api#TLS-best-practices

Fixes: element-hq/element-x-ios#786

Signed-off-by: Christoph Settgast <[email protected]>
26ee6b6 to f49b97c
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

@@            Coverage Diff             @@
##             main    #3113      +/-   ##
==========================================
- Coverage   83.75%   83.73%   -0.03%
==========================================
  Files         229      229
  Lines       23654    23655       +1
==========================================
- Hits        19812    19807       -5
- Misses       3842     3848       +6

☔ View full report in Codecov by Sentry.
Oh no, since some packages use Do you mind me pushing a few changes to your PR to attempt to fix this, or do you want to revert the PR to its previous state? (In that case I'd create a follow-up PR.)
Feel free to push a few changes to fix it forward, please go ahead.
b0eb7be to 202ee85
I have pushed a change that I think works, but I realized that the change I suggested also breaks local development setups if they don't have some configuration like what I added to IMO the right fix for that is to make
… but make rustls the default, which is much more useful for cross-compilation.
Thanks for helping @jplatte, as this is getting out of my comfort zone quickly. Regarding both backends: From what I read in https://docs.rs/reqwest/latest/reqwest/tls/index.html and seanmonstar/reqwest#378, the features are not mutually exclusive, but if they are both enabled, native-tls is chosen. So my guess is that this exclusivity is coded here so that you can be sure which one of the TLS engines it is and can influence it when using the SDK. But that's just my guess at the moment... It was also introduced as mutually exclusive directly from the beginning: #89
… primarily for development.
202ee85 to 75e8fd8
Looks like everything works with the features no longer being mutually exclusive. But I will wait with merging until there's some feedback from @Hywan or somebody else from the team. I also had some extra local changes to use
Please see element-hq/element-x-ios#786 (comment) :)
Alright, now that we have support for user-installed certs in EXA, can we reconsider this PR? Do some certs get ignored on iOS as well if we use
What's not real about it now? 😅
As far as I could tell you can't enable it on
@pixlwave any update on this? I believe you wanted to check if everything continues to work with this patch enabled. |
Ah sorry, I replied in the room and not on the issue 🤦♂️ Trying this PR did indeed reveal that custom CAs added to the system don't work with rustls like they do with native-tls. I was unable to find a way on iOS to get all of the user-installed certificates from the keychain like we do for Android.
Alright, @csett86, sorry but we can't enable rustls until we're able to use the Closing this for now.
For future reference, this is the issue tracking adding the platform verifier to reqwest: seanmonstar/reqwest#2159
FYI, you can pass a preconfigured
Yeah, I noticed that sometime after my comment, though it seems to be more work than what we can afford for now. Thanks for letting us know anyway.