rustls support #293
Comments
Back in the days when we implemented TLS, rustls was originally picked as the TLS library, but we later decided to temporarily go with openssl for a few reasons:
We'd very much like to migrate back to rustls, but first we need to verify that the project has gotten mature enough to fit our needs. Also, contributions are welcome :)
I would suggest waiting until rustls v0.20, which is currently in beta. They introduced a few breaking changes, but it's supposed to stabilize after this (that is at least their claim).
update: judging from https://docs.rs/rustls/0.20.0/rustls/client/enum.ServerName.html , 0.20.0 still does not allow using certificates generated for specific IP addresses, so rustls integration will still be on hold
I believe that the issue is ultimately due to the webpki dependency. The relevant issue is here: According to this issue, Brian Smith intends to start working on that "relatively soon".
I wonder if it would be acceptable to put rustls behind a feature flag? That way, if someone needed to perform an IP connection they could do so with openssl, but otherwise they could enable rustls?
Certainly, contributions guarded with an optional flag are welcome. Note however that the main issue is that Scylla and Cassandra generally operate on IP addresses, not domain names, when recognizing nodes, so their certificates are usually also generated for a given address. So while we could have optional rustls support for setting up a proper TLS context with a given certificate, it might so happen that the IP-based certificate (that the database node has) is not supported by the library, and thus can't be verified.
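The fallback the two comments above describe, as an added example that is not part of this issue thread and not the driver's or rustls's own code: a node identifier is classified as either a DNS name or an IP address (the same split rustls's `ServerName` type expresses), and the feature-flag idea from the thread is modelled by a `rustls_ip_support` boolean. The `TlsBackend` and `NodeName` enums, the `parse_node_name` and `choose_backend` functions, and the constructed node identifiers in `main` are all assumptions made for this example.

```rust
use std::net::IpAddr;

/// Which TLS backend a (hypothetical) driver would use for a node.
/// Constructed for this example; not the driver's real configuration type.
#[derive(Debug, PartialEq, Eq)]
pub enum TlsBackend {
    /// Hostname-based identity: a rustls/webpki verifier can check it.
    Rustls,
    /// IP-based identity that the rustls build cannot verify: use openssl.
    OpenSsl,
}

/// How the node identifies itself, mirroring the DNS-name / IP-address
/// distinction a server-name type has to express.
#[derive(Debug, PartialEq, Eq)]
pub enum NodeName {
    Dns(String),
    Ip(IpAddr),
}

/// RFC 1123 hostname syntax: dot-separated labels of 1..=63 ASCII letters,
/// digits or hyphens, no label starting or ending with a hyphen, and at
/// most 253 characters overall (a single trailing dot is tolerated).
pub fn is_valid_dns_name(name: &str) -> bool {
    let name = name.strip_suffix('.').unwrap_or(name);
    if name.is_empty() || name.len() > 253 {
        return false;
    }
    name.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !label.starts_with('-')
            && !label.ends_with('-')
    })
}

/// Classify a node identifier. IP literals are tried first (including the
/// bracketed IPv6 form "[::1]" seen in connection strings); anything else
/// must be a syntactically valid DNS name or it is rejected outright.
pub fn parse_node_name(raw: &str) -> Result<NodeName, String> {
    let unbracketed = raw
        .strip_prefix('[')
        .and_then(|s| s.strip_suffix(']'))
        .unwrap_or(raw);
    if let Ok(ip) = unbracketed.parse::<IpAddr>() {
        return Ok(NodeName::Ip(ip));
    }
    if is_valid_dns_name(raw) {
        return Ok(NodeName::Dns(raw.to_string()));
    }
    Err(format!("{raw:?} is neither an IP address nor a valid DNS name"))
}

/// Pick the backend. `rustls_ip_support` is an assumed flag standing in for
/// "does the rustls/webpki build in use verify IP-address certificates?";
/// when it is false, IP-addressed nodes must go through openssl.
pub fn choose_backend(node: &NodeName, rustls_ip_support: bool) -> TlsBackend {
    match node {
        NodeName::Dns(_) => TlsBackend::Rustls,
        NodeName::Ip(_) if rustls_ip_support => TlsBackend::Rustls,
        NodeName::Ip(_) => TlsBackend::OpenSsl,
    }
}

fn main() {
    // Constructed sample identifiers, not taken from any real cluster.
    for raw in ["node1.scylla.internal", "10.0.0.7", "[fe80::1]", "bad_host!"] {
        match parse_node_name(raw) {
            Ok(node) => println!(
                "{raw:>22} -> {:?} / {:?}",
                node,
                choose_backend(&node, false)
            ),
            Err(e) => println!("{raw:>22} -> rejected: {e}"),
        }
    }
}
```

The point of rejecting malformed names before backend selection is that an identifier which is neither an IP nor a hostname should never reach a TLS verifier at all; with the flag set to `false`, every IP-identified node is routed to the backend that can actually validate its certificate.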
Seems like as of January 17, rustls now supports certs for IP addresses.