Update rustls to 0.23 #263
Conversation
Cargo.toml
Outdated
| @@ -18,17 +18,17 @@ log = { version = "0.4.4", optional = true } | |||
| pki-types = { package = "rustls-pki-types", version = "1" } | |||
| rustls-native-certs = { version = "0.7", optional = true } | |||
| rustls-platform-verifier = { version = "0.2", optional = true } | |||
There was a problem hiding this comment.
I think this version will also need updating to a not-yet-released 0.3 that includes rustls/rustls-platform-verifier#70
(I'm also surprised you can build/pass the test suite without any code changes 🤔 I would have expected changes would be needed for the process wide provider)
There was a problem hiding this comment.
Yep just figured that out when I tested with the platform verifier feature on. Bummer, will pause on that.
For provider, my understanding is this is (implicitly) relying on CryptoProvider::get_default_or_install_from_crate_features() for the examples/tests
There was a problem hiding this comment.
Yep just figured that out when I tested with the platform verifier feature on. Bummer, will pause on that.
Hopefully we'll get that verifier release out soon 🤞
If you wanted to get a head start you could add a cargo patch on this branch that points the rustls-platform-verifier dep to Ralith's branch. We can work through the other aspects of the update and then pause until that patch can be removed.
For provider, my understanding is this is (implicitly) relying on CryptoProvider::get_default_or_install_from_crate_features() for the examples/tests
I think some of the other unit tests (like the builder ones) are going to panic with a "no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point" message unless adjusted to do something similar.
There was a problem hiding this comment.
Yep just figured that out when I tested with the platform verifier feature on. Bummer, will pause on that.
@howardjohn a compatible rustls-platform-verifier release is now available.
There was a problem hiding this comment.
Ok bumped it. I made a bunch of changes, not sure they all make sense:
- Default to aws-lc-rs to match the other libraries
- Tweak tests we run in CI. --all-features and --no-default-features do not make sense since they pick 2 or 0 providers; we want 1? This aligns with tokio-rustls
- Change the
with_native_rootsand similar to not requirering
LMK if this makes sense
There was a problem hiding this comment.
I started to look at this independently (sorry to duplicate effort!) and found it took a bit of care overall. I ended up with a branch that had a tidier commit history so I've opened a possible replacement PR: #266
There was a problem hiding this comment.
--no-default-features do not make sense since they pick 2 or 0 providers; we want 1?
Just to note here: I think we do want --no-default-features to work so that you can use the with_provider_xxx fns to bring your own CryptoProvider without needing to build w/ aws-lc-rs or ring.
There was a problem hiding this comment.
Just to note here: I think we do want --no-default-features to work so that you can use the with_provider_xxx fns to bring your own CryptProvider without needing to build w/ aws-lc-rs or ring.
Good point.
Your change LGTM so happy to go with that one. Thanks for the help!
There was a problem hiding this comment.
np! Thanks again for getting the ball rolling (and taking a look at my diff).
|
Closing in favour of #266 - thanks again! |
No description provided.