surf
surf copied to clipboard
http-rs
Rustls optional dependency
Rustls is an SSL/TLS library, written completely in Rust. It seems to be more safe and fast than OpenSSL (which is used by native-tls on Linux).
Surf uses native-tls if I'm not mistaken, which uses a native implementation on each supported platform. Would Rustls be more preferred to use in Surf?
- TLS/SSL is a critical security module. OpenSSL is used by everyone, Rustls is much less popular and might contain some serious bugs that aren't discovered yet.
- OpenSSL, obviously, will have support from the large community in the future, Rustls might not.
I'd say it would still make sense to have it as an optional feature so people can choose.
I agree, rustls as an optional SSL/TLS behind a feature flag library is supported by a number of other libraries, including reqwest and actix-web. So it would be nice to have the same option here
I'm going to be slightly controversial and say that rustls should be opt out. I'm all for a bleeding edge library like Surf going for pure Rust by default.
But yeah, it should at the very least be an option
This depends on which surf backend is in use. Ideally we'd have configuration options for Async-h1 which is where this would sit, along with a cargo feature for it specifying the tls backend.
I am using surf and tide at the moment and would love to be able to target musl for a slim "FROM scratch" image (been working at this most of today). I see this is an old issue and rustls has had some impressive recent benchmarks. @yoshuawuyts , any idea if this is on a roadmap or if it's tabled?
@imuni4fun thanks for pointing that out; in terms of roadmap that would be a question for @Fishrock123 to answer who's recently taken lead of the surf part of http-rs.
What I can tell is that we've definitely discussed this in the past, most regularly when discussing https://github.com/http-rs/surf/issues/217 (async-h1 as the default surf backend).
