git2-rs icon indicating copy to clipboard operation
git2-rs copied to clipboard

Published 20 hours ago verified publisher icon rust-lang

Rustls transport?

Open jsha opened this issue 5 years ago • 16 comments

Hi,

I've been looking at the security of the cargo / crates.io ecosystem, and I've noticed that it depends heavily on the security of TLS. The index of crates is downloaded over HTTPS from GitHub, and serves as the root of trust for subsequent crate downloads, because it contains the sha256 hashes of the crates.

Given that, I think it makes sense to use the strongest TLS implementation. Fortunately, rustls is a very high quality implementation, and is in Rust! Besides the memory safety benefits, it has a couple of other benefits: It does not implement older TLS versions (1.0 and 1.1), which have some vulnerabilities. Similarly it does not implement weaker ciphersuites. Also, it ships by default with webpki-certs, which is beneficial because it tends to be more up-to-date than the native root store on Debian-derived operating systems. When there's a CA that's been removed from the Mozilla root program (and others), but not removed yet from a root store, that's a big risk. In that situation there aren't (necessarily) any audits or controls happening any longer to ensure the CA is doing the right thing.

So I was thinking it would be useful to implement a git transport for HTTPS that uses Rustls. Probably the most straightforward way to do that would be to incorporate a Rust HTTP client. I see git2-rs already has a small HTTP client in git2-curl, but that it's considered less battle-tested (and has an issue with pulling a whole repository into memory), so isn't used as the default in cargo, but is only used when there are special HTTP setting, like proxies or custom root stores.

Is that something you think would be useful? Since my goal would be for cargo to (eventually) adopt this as the default instead of libgit's built-in HTTP transport, what quality and testing bar would it need to meet?

Thanks, Jacob

jsha avatar Sep 20 '20 18:09 jsha

Seems reasonable to me! There's the git2-curl crate which implements all HTTP crate fetches through the curl crate, so presumably there could be a git2-hyper crate (or something like that) which disables all of libgit2's internal networking and provides it via hyper+rustls?

alexcrichton avatar Sep 22 '20 17:09 alexcrichton

Being able to use a pure rust ssl makes using a lot of rust tools a lot easier where finding openssl or building ssl from source is tricky. Building cargo, cargo-audit, cargo-local-registry etc. It would make a big chunk of the ecosystem easier for people to use.

gilescope avatar Oct 19 '20 09:10 gilescope

Hi. I am wondering about how to integrate an async HTTP backend like hyper into git2. And it seems that spawning threads for hyper in the Read/Write trait is the most feasible solution which I can come up with. If there is other possible approach, please share it here. I am happy to do some experiments.

weihanglo avatar Mar 02 '21 11:03 weihanglo

@weihanglo We’re doing something like this. You can also pass around an executor.

kim avatar Mar 02 '21 12:03 kim

Hi, I just implemented a HTTP back-end and send a pull request.

henry40408 avatar Mar 21 '21 09:03 henry40408

Checking back in on this, is there still a desire to create a feature that will let users of git2 enable rustls instead of openssl?

brooksmtownsend avatar May 26 '22 19:05 brooksmtownsend

Yes, I'm still very interested in using git2-rs with a rustls backend. I wrote a couple of starts at this in https://github.com/rust-lang/git2-rs/pull/624 and https://github.com/rust-lang/git2-rs/pull/625. What I found was that what's needed is not just a TLS transport but also an HTTP implementation. I think it should be quite possible to dust off one of those PRs and proceed either with the ureq HTTP client or with a hyper HTTP client (or both).

jsha avatar May 26 '22 21:05 jsha

Just wanted to add a heavy interest in a rustls usage because openssl crate does not support libressl or modern openssl, while rustls does. Openssl-vendored kinda bloats the binaries so i would greatly appreciate a rustls version

Shifulor avatar Jun 05 '22 22:06 Shifulor

Two years on and at a different place and I find things still failing to install due to openssl dependencies. Pure rust might be more secure by now as well as work first time. It would help rust's roll out if we could ween ourselves off openssl.

gilescope avatar Sep 14 '22 15:09 gilescope

@gilescope @Shifulor have you tried @henry40408's git2-hyper crate? https://github.com/henry40408/git2-hyper

jsha avatar Sep 19 '22 22:09 jsha

I Did not, it seems like a nice project tho. Sadly it does not help in my specific case, because it would require remodeling a lot of code. Also his example puts the code into unsafe brackets, which honestly worries me (No idea if this crate maybe also does so don't pin me on that :cold_sweat: )

Shifulor avatar Oct 25 '22 11:10 Shifulor

I'm about to port crates-index and cargo-audit from git2 to gitoxide specifically because gitoxide supports rustls.

I'd be very happy to see this issue fixed, and save myself and the ecosystem the migration.

Shnatsel avatar Nov 03 '22 21:11 Shnatsel

I would like to express my interest as well. It would be absolutely great to have rustls support in git2!

orhun avatar Aug 18 '23 11:08 orhun

Would also like to see this for gitui

extrawurst avatar Feb 21 '24 15:02 extrawurst

also means you don't have to scrounge around to find exactly what the openssl dev package is named in your distro.

SIGSTACKFAULT avatar Mar 05 '24 22:03 SIGSTACKFAULT

How about depend on reqwest and its support of rustls? I think it has advantages over past PRs:

  • won't (re-?)implement HTTP client (#624 or #685)
  • will support HTTP/2 (unlike ureq, #625)

KisaragiEffective avatar Aug 12 '24 19:08 KisaragiEffective