lychee Replace OpenSSL with rustls

Eventually closes #1721

This is a draft not yet quite ready to be merged.

Nov 19 '25 19:11 thomas-zahner

@mre If we see that this PR works in CI and on different machines for users, do you agree that it makes sense to fully get rid of the OpenSSL approach? Or do you think we should keep it and only change the default?

Nov 20 '25 08:11 thomas-zahner

TBH, for now I would keep it and change the default. At least for one version. Then we can tell people to switch back to OpenSSL if there are any problems. We could mention that in the release-notes. On the other side, I'm flexible here. That's just what I would do, but we can also go all-in on rustls. 😆 Worst case, we release a patch version with the OpenSSL option available again. So whatever you believe is the best tradeoff between simplicity and user experience.

Nov 24 '25 14:11 mre

This unfortunately is blocked by https://github.com/reacherhq/check-if-email-exists/issues/1625. The problem is that the latest version of check-if-email-exists on crates.io uses openSSL without an option to use ruslts.

Nov 26 '25 16:11 thomas-zahner

I just found that the check-if-email-exists is dual licensed under AGPL-3 or Reacher Commercial license.

But it's enabled by default for lychee CLI: https://github.com/lycheeverse/lychee/blob/caf63cc9e583844a93d636a4f9d7f63d93f65151/lychee-bin/Cargo.toml#L96

As far as I know, it's not compatible with the Apache2 + MIT license.

Maybe we need to open another issue to discuss this. What do you think? @mre

Nov 27 '25 11:11 kemingy

@kemingy Thanks for pointing it out. This is known since 2022 see https://github.com/lycheeverse/lychee/issues/594. Unfortunately, we never really prioritised the issue. But you are right that this is quite problematic and now as it even blocks the transition to rustls I will try to resolve it as soon as possible.

Nov 27 '25 12:11 thomas-zahner