Skip to content

meshtls-rustls: update to rustls 0.20 and tokio-rustls 0.23#1362

Merged
olix0r merged 16 commits intomainfrom
eliza/rustls-0.20-final
Nov 9, 2021
Merged

meshtls-rustls: update to rustls 0.20 and tokio-rustls 0.23#1362
olix0r merged 16 commits intomainfrom
eliza/rustls-0.20-final

Conversation

@hawkw
Copy link
Contributor

@hawkw hawkw commented Nov 6, 2021

This branch updates linkerd-meshtls-rustls to use rustls version
0.20, tokio-rustls 0.23, and webpki 0.22.

Hopefully, this change should be relatively straightforward --- I've
just updated the proxy's usage of these crates to use their new APIs.
Perhaps the most significant change in rustls is the new builder APIs
for ClientConfig and ServerConfig. Besides that, there were a couple
places where we had to restructure our code a bit to use the new API ---
we can no longer access the server cert verifier from the
ClientConfig, which we previously used in Store::validate for
validating the proxy's cert. Now, instead of accessing it from the
ClientConfig, we pass in an Arced server cert verifier into the
client config, and hold onto a clone of it for use in Store::validate.
This is effectively the same as what we were doing before, but required
some restructuring.

Also, since rustls no longer exposes webpki types in its public API,
this change reduces our webpki usage significantly.

@hawkw hawkw requested review from a team and olix0r November 6, 2021 18:21
hawkw
hawkw commented Nov 6, 2021
View reviewed changes
hawkw
hawkw commented Nov 6, 2021
View reviewed changes
linkerd/meshtls/rustls/src/client.rs
Comment on lines +95 to +96
// XXX(eliza): it's a bummer that the server name has to be cloned here...
.connect(self.server_id.clone(), io)
Copy link
Contributor Author

@hawkw hawkw Nov 6, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not my favorite thing about the new rustls API, but i don't think we can fix it in the proxy...

@hawkw
Copy link
Contributor Author

hawkw commented Nov 6, 2021

cargo deny is failing because i forked webpki under my personal github account rather than under the linkerd org way back when i was initially experimenting with the webpki update...i think the reason for that was maybe because i wanted to patch the dep on the linkerd/webpki repo, or something?

@hawkw
Copy link
Contributor Author

hawkw commented Nov 8, 2021

cargo deny is failing because i forked webpki under my personal github account rather than under the linkerd org way back when i was initially experimenting with the webpki update...i think the reason for that was maybe because i wanted to patch the dep on the linkerd/webpki repo, or something?

...oh, I figured out why this is in my fork rather than linkerd's fork --- it's obvious in hindsight. turns out i don't have push permission for linkerd/webpki. @olix0r, mind adding me to the contributors for that repo so I can push the 0.22 branch?

@olix0r
Copy link
Member

olix0r commented Nov 8, 2021

@hawkw you should have access to linkerd/webpki now.

@olix0r olix0r merged commit 500dc3a into main Nov 9, 2021
@olix0r olix0r deleted the eliza/rustls-0.20-final branch November 9, 2021 00:17
hawkw
hawkw commented Nov 9, 2021
View reviewed changes
linkerd/meshtls/rustls/Cargo.toml
tokio-rustls = "0.23.1"
rustls = { version = "0.20", features = ["dangerous_configuration"] }
rustls-pemfile = "0.2"
tokio-rustls = { version = "0.23.1", features = ["dangerous_configuration"] }
Copy link
Contributor Author

@hawkw hawkw Nov 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, i hadn't realized tokio-rustls also exposed that!

olix0r added a commit to linkerd/linkerd2 that referenced this pull request Nov 9, 2021
@olix0r
proxy: v2.166.0
5da8394 
This release updates the proxy's `rustls`, `ring`, and `webpki` dependencies.

Additionally, the proxy can now be built to use a `boringssl` backend
instead of the default `rustls` backend, but this functionality is
disabled in default builds.

---

* meshtls: replace build script with `compile_error!` macro (linkerd/linkerd2-proxy#1357)
* ci: Split actions into several workflows (linkerd/linkerd2-proxy#1356)
* ci: Make job names uniform (linkerd/linkerd2-proxy#1358)
* meshtls: allow building without any TLS impls enabled (linkerd/linkerd2-proxy#1359)
* `app-core` should not enable `meshtls-rustls` (linkerd/linkerd2-proxy#1360)
* Restore rustls credential tests (linkerd/linkerd2-proxy#1363)
* build(deps): bump hex from 0.3 to 0.4 (linkerd/linkerd2-proxy#1364)
* ci: Split jobs into 'fast' and 'slow' workflows (linkerd/linkerd2-proxy#1365)
* meshtls: Move TLS e2e tests into the meshtls crate (linkerd/linkerd2-proxy#1366)
* rustls: Tidy std::task imports (linkerd/linkerd2-proxy#1367)
* build(deps): bump serde_json from 1.0.68 to 1.0.69 (linkerd/linkerd2-proxy#1368)
* build(deps): bump libc from 0.2.106 to 0.2.107 (linkerd/linkerd2-proxy#1369)
* meshtls: Add a `boring` backend (linkerd/linkerd2-proxy#1351)
* meshtls-rustls: update to `rustls` 0.20 and `tokio-rustls` 0.23 (linkerd/linkerd2-proxy#1362)
@olix0r olix0r mentioned this pull request Nov 9, 2021
Merged
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Nov 9, 2021
@olix0r
proxy: v2.166.0 (#7244)
814d7ed 
This release updates the proxy's `rustls`, `ring`, and `webpki` dependencies.

Additionally, the proxy can now be built to use a `boringssl` backend
instead of the default `rustls` backend, but this functionality is
disabled in default builds.

---

* meshtls: replace build script with `compile_error!` macro (linkerd/linkerd2-proxy#1357)
* ci: Split actions into several workflows (linkerd/linkerd2-proxy#1356)
* ci: Make job names uniform (linkerd/linkerd2-proxy#1358)
* meshtls: allow building without any TLS impls enabled (linkerd/linkerd2-proxy#1359)
* `app-core` should not enable `meshtls-rustls` (linkerd/linkerd2-proxy#1360)
* Restore rustls credential tests (linkerd/linkerd2-proxy#1363)
* build(deps): bump hex from 0.3 to 0.4 (linkerd/linkerd2-proxy#1364)
* ci: Split jobs into 'fast' and 'slow' workflows (linkerd/linkerd2-proxy#1365)
* meshtls: Move TLS e2e tests into the meshtls crate (linkerd/linkerd2-proxy#1366)
* rustls: Tidy std::task imports (linkerd/linkerd2-proxy#1367)
* build(deps): bump serde_json from 1.0.68 to 1.0.69 (linkerd/linkerd2-proxy#1368)
* build(deps): bump libc from 0.2.106 to 0.2.107 (linkerd/linkerd2-proxy#1369)
* meshtls: Add a `boring` backend (linkerd/linkerd2-proxy#1351)
* meshtls-rustls: update to `rustls` 0.20 and `tokio-rustls` 0.23 (linkerd/linkerd2-proxy#1362)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olix0r olix0r olix0r approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hawkw @olix0r