build(esplora): Add async-https-rustls flag to esplora client

[thunderbiscuit]

Description

The bdk_esplora crate currently doesn't expose the async-https-rustls flag offered by the rust-esplora-client crate and instead requires users to build using the default-tls flag on reqwest, which uses the platform-specific openssl library when compiling. This creates complications for cross-compilation, notably for our Android builds that currently support 3 architectures (arm64-v8a, armeabi-v7a, and x86_64). In order to solve this we can either compile the openssl libraries for each of the platforms we want to support, or use the rustls-tls version of reqwest. The second options is much easier and requires less fiddling with the internals of the Android native development kit and cross-compilation rabbit holes.

Before we merge this I want to make sure I understand the tradeoffs between the native-tls and the rustls-tls and confirm that there are not potential issues there, but from what I understand they should provide the same functionality/security, and because these are already available/exposed in reqwest and rust-esplora-client, I think this should be a fairly straightforward additional feature we offer.

Changelog notice

Added:
  - New async-https-rustls feature flag for the bdk_esplora crate, allowing to compile rust-esplora-client using rustls-tls instead of the default native-tls.

Checklists

All Submissions:

• I've signed all my commits
• I followed the contribution guidelines
• I ran cargo fmt and cargo clippy before committing

[realeinherjar]

ACK 7330c7f

[realeinherjar]

Also in my up-to-date CargoMSRV.lock in #1165 I had to use rustls versions 0.21.1 and 0.20.8.
I see that MSRV CI is failing.

[tnull]

Before we merge this I want to make sure I understand the tradeoffs between the native-tls and the rustls-tls and confirm that there are not potential issues there, but from what I understand they should provide the same functionality/security, and because these are already available/exposed in reqwest and rust-esplora-client, I think this should be a fairly straightforward additional feature we offer.

Really interested to hear about your findings. I think generally using the platform's TLS implementation (i.e., native-tls) would be preferable as it would allow users to receive critical security fixes via OS upgrades, instead of having to wait and eventually upgrade once rustls, esplora-client, and BDK ship new versions/builds. It would also be preferable from an MSRV perspective as shipping newer rustls versions might conflict with the MSRV requirements, potentially leaving the choice between not shipping fixes and breaking MSRV.

I however heard before that making native-tls work on Android isn't as trivial as rustls, however, I haven't looked too closely into it yet. So, again, would be really interested to hear about your learnings.

[nondiremanuel]

Lib Team Call comment: useful for android binding, possibly to be included in the next bdk_esplora release. Since it should be quick adding a flag, we added to alpha.3

[notmandatory]

ACK 6817ca9

[realeinherjar]

ACK 6817ca9

[danielabrozzoni]

I am not yet sure if it's better to use rustls-tls or native-tls, however, I think it's important to offer the choice to our users (since, as you said, we already offer it in rust-esplora-client).

I found this post on the rust forum: https://users.rust-lang.org/t/any-reasons-to-prefer-native-tls-over-rustls/37626/6. It seems that the only drawback is what @tnull said, about not getting security patches shipped with the OS, and possible MSRV issues. Someone mentioned that rustls wasn't audited, but that changed in Jun 2020.

ACK 6817ca9