
Switch from native-tls to rustls #89

Closed
Demi-Marie opened this issue Nov 6, 2019 · 12 comments · Fixed by #166

Comments

@Demi-Marie

No description provided.

@agalakhov
Member

This has to be feature-gated.

@Demi-Marie
Author

@agalakhov Feature gating it is fine.

@Demi-Marie
Author

@agalakhov Do you plan to implement this or should I make a PR?

@agalakhov
Member

I don't plan to work on that in the nearest future, so if you have a readily made implementation, feel free to send a pull request.

@juchiast

juchiast commented Dec 4, 2019

rustls has some limitations like not being able to connect to an IP address rustls/rustls#281, so I would suggest adding two features "native-tls" and "rustls" for users to choose.
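One way to expose the two opt-in backends suggested above as mutually exclusive Cargo features, as an added example that is not this project's manifest (crate versions, the `rustls-tls` feature name and the `webpki-roots` dependency are assumptions for illustration):

```toml
[package]
name = "example-ws-client"   # placeholder crate name, not the real project
version = "0.1.0"
edition = "2018"

[dependencies]
# Both TLS backends are optional; neither is compiled unless its feature is on.
# Versions below are illustrative, not the project's pinned versions.
native-tls   = { version = "0.2", optional = true }
rustls       = { version = "0.19", optional = true }
webpki-roots = { version = "0.21", optional = true }  # Mozilla roots for rustls

[features]
# Keep native-tls as the default so Linux/macOS/Windows builds keep using the
# system TLS library, which distributions patch without a crate rebuild.
default = ["native-tls"]

# "dep:" makes the feature name distinct from the dependency name, so enabling
# the dependency alone does not silently enable the feature.
native-tls = ["dep:native-tls"]

# rustls plus a bundled root store: no system library, works where native-tls
# cannot build (e.g. wasm targets), but security fixes require a new release.
rustls-tls = ["dep:rustls", "dep:webpki-roots"]
```

Build with `--no-default-features --features rustls-tls` to select the pure-Rust backend; a `compile_error!` in `lib.rs` guarded by `#[cfg(all(feature = "native-tls", feature = "rustls-tls"))]` is the usual way to reject enabling both at once.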

@Darkspirit

That's not a blocker as it's common and wise to use TLS certificates with domain names for compatibility (dualstack IP) and security reasons (ACME DNS challenge), but yes, support for IPAddress SANs should/will be added: briansmith/webpki#54

@lucacasonato

> This has to be feature-gated.

So a full replacement of native-tls would not be accepted I assume?

@Dushistov
Contributor

> So a full replacement of native-tls would not be accepted I assume?

Please don't make a full replacement. For a Rust program that is used on a Linux system, from a maintainer's point of view native-tls is better,
because native-tls = openssl on Linux, and this is a shared library and can be easily updated if there are security issues,
while with rustls you need to update the program. The same goes for Windows and MacOS, where the TLS library is part of the system and updated via system updates, so you don't need to publish a new version of the program.

@Darkspirit

Translated: Please keep the higher risk for security problems to make it easier to update them. :-/
This could apply to other dependencies, but not to the minimalistic, audited and state of the art Rustls:
rustls (read the Cure53 audit), webpki certificate validation and webpki-roots are written in safe Rust; ring is mostly assembly files for fast AES/etc. from Google's fork of OpenSSL (BoringSSL is used across Google and Chrome). Rustls is used by Cloudflare and Google as well.

@najamelan
Contributor

Good thing you don't have to choose and you don't even have to agree, because with features everyone can have it their way.

@babymotte

I would also very much appreciate a way to opt out of native-tls, since it breaks compatibility with wasm.

@strohel
Contributor

strohel commented Feb 8, 2021

Kudos go to @dnaka91 for submitting and perfecting a PR to implement this.
