
Use rustls as a TLS engine

Open sagebind opened this issue 4 years ago • 9 comments

Offer rustls as an optional TLS engine. The default behavior will remain to use the system-native TLS engine, but users should be able to opt-in to using rustls just with crate features.

Remaining work:

  • [x] Land rustls TLS backend selection in upstream curl crate.
    • https://github.com/alexcrichton/curl-rust/issues/341
    • https://github.com/sagebind/isahc/pull/309
  • [x] Add support for CURLOPT_CAINFO_BLOB to rustls backend in curl. Support merged, waiting for curl 7.82.0 release on 2022-03-02.
    • https://github.com/curl/curl/pull/8255
  • [x] Add crate feature to add system trusted root certificates to requests automatically. This depends on CURLOPT_CAINFO_BLOB support since root certs aren't available as PEM files by default on all operating systems, so we can't simply use CURLOPT_CAINFO.
    • https://github.com/sagebind/isahc/pull/369
  • [ ] Stabilize feature as rustls-tls. This will be available in the upcoming 2.0 release.

sagebind, Jun 13 '20 17:06

has there been any progress on this?

xy137, Sep 25 '20 01:09

Nope, not yet, but there's an upstream issue to add support for it in the curl crate here: https://github.com/alexcrichton/curl-rust/issues/341

sagebind, Sep 25 '20 01:09

Would really love this - this would make for a great performance improvement!

suptejas, Jan 06 '22 12:01

The first step for this has at long last landed, as the upstream curl crate now has a rustls crate feature: https://github.com/alexcrichton/curl-rust/issues/341.

Our work on Isahc's end is not finished though, as rustls does not use the operating system's trusted root certificates by default, which is going to be an expected feature for Isahc (though potentially behind a separate crate feature). I'll keep the list of remaining tasks up-to-date in the issue description from here on out for more granular tracking.

In the meantime, you can now enable the unstable-rustls-tls crate feature on Isahc if you pull from the latest Git commit to start using rustls, though I expect there to be some rough edges at the moment.

sagebind, Jan 08 '22 19:01

Adding "breaking" label to this, since the way Isahc 1.0 is configured, the native TLS engine is always enabled with no way of opting-out. We need to offer rustls and the native TLS engines as separate features that can be enabled or disabled, which is a breaking change.

2.0 is likely going to be a soon(ish) release anyway (a few months away probably) so seems like a good time to make rustls support part of that effort.

sagebind, Mar 12 '22 05:03

Hello, is there a tracking issue for the 2.0 release? I am looking forward to seeing this feature-flag stabilized. Thanks!

seanpianka, Nov 22 '22 03:11

There is no tracking issue, but there's a milestone here: https://github.com/sagebind/isahc/milestone/13. There is no due date for version 2.0, it'll be ready when it is ready.

sagebind, Nov 22 '22 03:11

Any update on this?

lcmgh, Jun 22 '23 15:06

@lcmgh Nope, sorry. I am currently taking a break from open-source work while I deal with some time-consuming projects in my personal life. It may be autumn this year before I can resume working on this. But thanks for your interest! I still plan on pushing this to the finish line, despite delays.

sagebind, Jun 23 '23 03:06