hyper 0.11?

Open mssun opened this issue 8 years ago • 10 comments

Compared to 0.9, I guess hyper dropped the openssl dependency and made it a pure Rust library.

I wonder when snatch will move on to hyper 0.11 and give an option to decide whether to use openssl. OpenSSL can potentially introduce security issues.

This will give users an option to use pure Rust binary.

Same issue in snatch: https://github.com/derniercri/snatch/issues/76

mssun avatar Sep 19 '17 05:09 mssun

I began to update hyper in Zou, and it's more complicated than I thought (the use of Tokio makes the API more complex actually...). It may take a while - sorry for the delay.

k0pernicus avatar Sep 26 '17 18:09 k0pernicus

Thanks for the update @k0pernicus. Take your time. I'm still looking forward to seeing a better Zou.

BTW, the TLS version of hyper is provided by:

  • https://github.com/hyperium/hyper-tls

mssun avatar Sep 26 '17 18:09 mssun

Yep, I am using it ;-) No troubles with the HttpsConnector, just the Futures API that is... pretty complex to use

k0pernicus avatar Sep 26 '17 18:09 k0pernicus

So, after a night hacking with the 0.11 version of hyper, I think it's not relevant to migrate to this version currently. The 0.11 version deals with tokio in order to perform async I/O well - no blocking I/O in this version. We should see a difference in retrieving data, but I really think that it may be annoying to update Zou now as an async tool.

But, I will update the 0.9 version of hyper to the 0.10 one, which can resolve the version incompatibilities of OpenSSL ;-)

k0pernicus avatar Sep 27 '17 09:09 k0pernicus

This is the current state of the hyper-v0.10 branch:

  • upgrading hyper v0.9 -> v0.10
  • HTTP client (default)
  • HTTPS client using hyper-openssl if the user is asking for an SSL connection.

The code is ugly, but the current process works, so I am updating the code. I will also work on user-friendly Exception errors.

k0pernicus avatar Sep 27 '17 12:09 k0pernicus

Update: the branch has been merged with devel ;-)

k0pernicus avatar Sep 27 '17 13:09 k0pernicus

Thanks for the update.

I've been studying crypto/TLS libraries in Rust recently. I found that hyper-rustls could be a better option. The main reason is that it is based on rustls for TLS and ring for crypto. By using this crypto library chain, we can forget openssl. Using ring as the core crypto library has several advantages:

  1. a (towards-pure) Rust library makes it more secure and safe; although it still has C code (from BoringSSL), they are working in the safer direction IMO.
  2. no longer need openssl library as a dependency

Refer:

  • https://github.com/ctz/rustls
  • https://github.com/briansmith/ring
  • https://github.com/ctz/hyper-rustls

mssun avatar Sep 28 '17 20:09 mssun

Ok - I will explore the issue as soon as the code has been updated :-) Thanks for this awesome proposal!

k0pernicus avatar Sep 29 '17 06:09 k0pernicus

HTTPS client using hyper-openssl if the user is asking for an SSL connection.

Another question is about using hyper-openssl. I guess hyper-tls is the officially supported TLS (openssl) based hyper. Is there any specific reason for choosing hyper-openssl?

Basically, there are two choices: hyper-tls vs hyper-rustls, i.e., openssl vs ring. I personally prefer ring because of the previous reasons.

mssun avatar Sep 29 '17 07:09 mssun

You are right, hyper-tls is the official crate to support TLS (openssl) using hyper. But, hyper-tls is supported by hyper only since the 0.11 version - not the 0.10 one.

To support TLS for 0.10, the most efficient (efficient = quick and reliable) way is to use hyper-openssl for now. As soon as I have updated hyper, I will also update the crate to support TLS ;-)

k0pernicus avatar Sep 29 '17 15:09 k0pernicus