Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update rustls, tokio-rustls, and hyper-rustls #849

Merged
merged 10 commits into from
Jan 12, 2024
Merged

update rustls, tokio-rustls, and hyper-rustls #849

merged 10 commits into from
Jan 12, 2024

Conversation

ahl
Copy link
Collaborator

@ahl ahl commented Dec 13, 2023
edited
Loading

Closes #832

@ahl ahl requested a review from davepacheco December 13, 2023 08:33
@ahl
Copy link
Collaborator Author

ahl commented Dec 29, 2023

See: rustls/hyper-rustls#247

@ahl ahl marked this pull request as ready for review January 5, 2024 00:40
@ahl ahl changed the title WIP update rustls, tokio-rustls, and hyper-rustls update rustls, tokio-rustls, and hyper-rustls Jan 5, 2024
davepacheco
davepacheco reviewed Jan 10, 2024
View reviewed changes
Copy link
Collaborator

@davepacheco davepacheco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much for doing this! It looks like it was probably annoying to do. I found the release notes extremely helpful for reviewing this -- made me realize how much of this was mechanical.

As @sunshowers mentioned in #832, this is a breaking change for consumers that are providing a rustls::ServerConfig directly. We should add a CHANGELOG entry saying so. I think it's fine to just say we updated rustls from X to Y and if you're providing ServerConfig directly then you need to apply any corresponding changes.

Do we want to make sure Omicron can be updated smoothly to this before we land it? (I'm a little less worried about other stuff because I don't expect anybody else is using rustls::ServerConfig.)

dropshot/tests/test_tls.rs Outdated
Comment on lines 59 to 81
fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &rustls::pki_types::CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
{
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &rustls::pki_types::CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
{
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
// Default algorithm from rcgen
vec![rustls::SignatureScheme::ECDSA_NISTP256_SHA256]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the deal with these implementations?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't 100% sure on this, but according to https://docs.rs/rustls/latest/rustls/client/danger/trait.ServerCertVerifier.html#tymethod.verify_tls12_signature

cert has already been validated by ServerCertVerifier::verify_server_cert.

So it seemed like waving the signature through preserved the existing behavior. I'm happy to add a comment to that effect; also happy to discuss if this doesn't seem like the right policy.

@ahl
Copy link
Collaborator Author

ahl commented Jan 10, 2024

As @sunshowers mentioned in #832, this is a breaking change for consumers that are providing a rustls::ServerConfig directly. We should add a CHANGELOG entry saying so. I think it's fine to just say we updated rustls from X to Y and if you're providing ServerConfig directly then you need to apply any corresponding changes.

Will do. Do we want to potentially abstract away that external dependency... or not worth it at the moment?

Do we want to make sure Omicron can be updated smoothly to this before we land it? (I'm a little less worried about other stuff because I don't expect anybody else is using rustls::ServerConfig.)

Yes; I'll give that a shot.

@davepacheco
Copy link
Collaborator

As @sunshowers mentioned in #832, this is a breaking change for consumers that are providing a rustls::ServerConfig directly. We should add a CHANGELOG entry saying so. I think it's fine to just say we updated rustls from X to Y and if you're providing ServerConfig directly then you need to apply any corresponding changes.

Will do. Do we want to potentially abstract away that external dependency... or not worth it at the moment?

No. That's what we did before. What we built was not general enough and we spent a lot of effort to make things work with our abstraction when rustls provided (via ServerConfig) a much simpler and more robust approach. We could of course try again with a more general abstraction but it doesn't seem worth it to me yet.

@sunshowers
Copy link
Contributor

sunshowers commented Jan 10, 2024
edited
Loading

Wonder if we can petition rustls to stabilize just their types in a separate crate at some point. There's no difference between https://docs.rs/rustls/0.21.10/rustls/server/struct.ServerConfig.html and https://docs.rs/rustls/0.22.2/rustls/server/struct.ServerConfig.html as far as I can tell.

@ahl ahl mentioned this pull request Jan 10, 2024
Merged
@ahl ahl merged commit 59a86cf into main Jan 12, 2024
10 checks passed
@ahl ahl deleted the rustls-0.22 branch January 12, 2024 03:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davepacheco davepacheco davepacheco left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update to rustls 0.22
3 participants
@ahl @davepacheco @sunshowers