Add support for rustls #421
I didn't go any further with the implementation linked above because one of the servers I wanted to connect to had a TLS certificate with a CN that wasn't a valid DNS name, and the other used an IP address subjectAltName. Neither of these are supported by webpki, which rustls uses, and I didn't have time to dive into implementing support at the time. I might circle back around to it, but for now the linked code should probably be considered "untested but possibly a usable basis for a proper implementation". You might want to check what kind of certificate AWS RDS serves up in case it also has some detail that's not supported by webpki.
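The two certificate failures described in the comment above, written out as an added example (this is not code from rust-postgres, tokio-postgres-rustls or webpki): a std-only Rust approximation of the server identity check that rustls delegates to webpki. It assumes the certificate's subjectAltName entries have already been extracted (for instance with `openssl x509 -noout -ext subjectAltName`) into the `SanEntry` values below, which are constructed sample data, and `is_valid_dns_name` is a simplification of webpki's rules rather than a copy of them. The point it makes is that webpki matches only dNSName SANs against a syntactically valid DNS reference name, never the CN, and at the time of this thread had no iPAddress support, so both certificates from the comment are rejected before any trust-chain question arises.

```rust
use std::net::IpAddr;

/// One subjectAltName entry extracted from the server certificate.
/// Only the two GeneralName kinds relevant here are modelled.
#[derive(Debug, Clone, PartialEq)]
pub enum SanEntry {
    Dns(String),
    Ip(IpAddr),
}

/// Outcome of the (approximated) webpki identity check.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// A dNSName SAN matches the reference name: webpki would accept it.
    Ok,
    /// The name handed to rustls is not a syntactically valid DNS name
    /// (an IP literal, an underscore, a label starting with '-', ...).
    ReferenceNotDnsName,
    /// The only possible match is an iPAddress SAN, which the webpki of the
    /// thread's era did not implement at all.
    IpSanOnly,
    /// No dNSName SAN matches; the CN is never consulted, so a CN-only
    /// certificate ends up here too.
    NoMatchingDnsSan,
}

/// Syntax check approximating webpki's DnsNameRef rules (RFC 1034 style):
/// 1..=253 bytes, dot-separated labels of 1..=63 ASCII letters, digits or
/// hyphens that neither start nor end with '-', and a final label that is
/// not all digits (so IPv4 literals are rejected). A single trailing dot is
/// tolerated; wildcards are not valid in a reference name.
pub fn is_valid_dns_name(name: &str) -> bool {
    let name = name.strip_suffix('.').unwrap_or(name);
    if name.is_empty() || name.len() > 253 {
        return false;
    }
    let labels: Vec<&str> = name.split('.').collect();
    for label in &labels {
        let b = label.as_bytes();
        if b.is_empty() || b.len() > 63 || b[0] == b'-' || b[b.len() - 1] == b'-' {
            return false;
        }
        if !b.iter().all(|c| c.is_ascii_alphanumeric() || *c == b'-') {
            return false;
        }
    }
    // An all-numeric last label looks like an IPv4 address; webpki refuses it.
    !labels[labels.len() - 1].bytes().all(|c| c.is_ascii_digit())
}

/// Case-insensitive match of a dNSName SAN pattern against the reference
/// name. As in webpki, a wildcard is honoured only as the whole leftmost
/// label ("*.example.com"), matches exactly one label, and must leave at
/// least two labels after it.
fn dns_san_matches(pattern: &str, reference: &str) -> bool {
    let p = pattern.trim_end_matches('.').to_ascii_lowercase();
    let r = reference.trim_end_matches('.').to_ascii_lowercase();
    match p.strip_prefix("*.") {
        Some(suffix) => match r.split_once('.') {
            Some((first, rest)) => !first.is_empty() && suffix.contains('.') && rest == suffix,
            None => false,
        },
        None => p == r,
    }
}

/// Decide whether rustls + webpki (of that era) would accept `sans` for `reference`.
pub fn check_server_identity(reference: &str, sans: &[SanEntry]) -> Verdict {
    if let Ok(ip) = reference.parse::<IpAddr>() {
        // rustls only took DNS names as the server name, so an IP literal
        // cannot be verified even when a matching iPAddress SAN exists.
        return if sans.iter().any(|s| *s == SanEntry::Ip(ip)) {
            Verdict::IpSanOnly
        } else {
            Verdict::ReferenceNotDnsName
        };
    }
    if !is_valid_dns_name(reference) {
        return Verdict::ReferenceNotDnsName;
    }
    let matched = sans.iter().any(|s| match s {
        SanEntry::Dns(p) => dns_san_matches(p, reference),
        SanEntry::Ip(_) => false,
    });
    if matched { Verdict::Ok } else { Verdict::NoMatchingDnsSan }
}

fn main() {
    // Constructed sample identities (not real servers) mirroring the thread:
    // a CN-only certificate whose CN is not a DNS name, and an IP-only SAN.
    let cases: Vec<(&str, Vec<SanEntry>)> = vec![
        ("db.example.com", vec![SanEntry::Dns("*.example.com".into())]),
        ("db_primary", vec![]), // CN "db_primary", no SAN at all
        ("10.0.0.5", vec![SanEntry::Ip("10.0.0.5".parse().unwrap())]),
        ("db.example.com", vec![SanEntry::Dns("pg.example.net".into())]),
    ];
    for (reference, sans) in &cases {
        println!("{:<16} -> {:?}", reference, check_server_identity(reference, sans));
    }
}
```

Running it against your own server's SAN list before wiring up rustls tells you which of the four verdicts you will hit; anything other than `Ok` means re-issuing the certificate with a proper dNSName SAN is the fix, not client-side configuration.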
rustls support would be really nice. I tried to connect AWS Lambda to Heroku and found compilation too painful with openssl and native-tls. I ended up using diesel instead, which was overkill for my use case but had working SSL because of rustls.
Out of curiosity, how did you find using diesel (which links to libpq in addition to OpenSSL) easier to build than using either openssl or native-tls (which uses openssl)?
Looking back at the code, you're right -- I had misremembered. The original intent was to get a Lambda function working. The function had to hit an API and then hit a database. I worked on the first part of the job first, which was getting reqwest working. To do that I finally found that I could skip openssl problems by using rustls. Sadly, I then found out that I had the same issue (SSL compilation issues) connecting to Postgres. In the end I gave up on Lambda and just used Heroku because the C library stuff was too painful in both. (Even though it shouldn't have been too hard thanks to some work on compiling using Docker and musl: https://github.com/emk/rust-musl-builder )

So then the question is why I went with diesel instead of postgres. This was a few months ago and I forget things too quickly, but I think the reason I went with diesel was actually because all the documentation I could find on connecting using SSL and rust-postgres was out of date. For example, the code presented here no longer works because it's for openssl 0.9:

So even without trying to compile to Lambda, and even giving in and using openssl, it's still a pain to figure out how to connect to Heroku. Connecting (not from Lambda) was pretty simple with diesel.
Hmm, also I'm now remembering that it wasn't just SSL that was a pain in getting Postgres to work from Lambda.
Too bad. Rust is otherwise pretty much the perfect language for Lambda. It almost eliminates cold start pauses and is memory efficient.
May be useful: https://github.com/jbg/tokio-postgres-rustls |
Does anyone have any update on integrating rustls? Should this issue be re-opened? It seems the tokio-postgres-rustls project owned by @jbg has been marked as read-only. I am trying to use
P.S. If there is a buy-in from @sfackler, I could try to port https://github.com/jbg/tokio-postgres-rustls code into this repo and offer it as an alternative feature |
Sure, adding it as a crate in this repo seems reasonable. |
Thanks @sfackler! Do you want to re-open this ticket then? Also, just as a general sanity check (bus factor): is there another person on this repo who can admin it? Lastly, a question for @jbg -- would it be possible to get publishing rights on crates.io? This way we can reuse the existing crate instead of creating a new one and causing user confusion.
I only marked that repo read-only because I moved development to SourceHut; there's a link at the top of the GitHub page saying that it moved. Happy for it to come into this repo though, it's the logical home for it. @sfackler should I transfer the crate ownership to you? |
@jbg thanks for clarifying! I somehow missed the link in the About section (tbh, I almost never look at that place -- I usually go for the README right away). I feel like it would be good for the
Putting it in the README means either a confusing self-referential "Moved" message at the top at the new location, or a divergent history between the two locations. Neither is ideal. To be honest, the About section is the first place I look when a repo is archived because it's the most common location for the moved notice (for the reasons stated above).

Anyway. This discussion has probably used more characters than have ever been typed into a tokio-postgres-rustls source file! It's a few lines of glue code, and needs an update once a year or less (when tokio-postgres or rustls get major updates). I'm happy for it to move into this repo, or I'm happy to keep maintaining it. Honestly the status quo seems fine to me, but if @sfackler is willing to take it on here then I think that's great.
FWIW, I moved tokio-postgres-rustls back to GitHub, which should hopefully resolve any further confusion over whether it's maintained or not. |
That would be awesome if that library got moved into this repo! I would be happy to help if needed. |
I've successfully used this library to connect to an AWS RDS Postgres instance, and it's fantastic and straightforward, thanks for providing such a nice library!
However, I haven't managed to encrypt the connection with TLS yet. It seems like rustls is the ideal candidate to be embedded in an AWS Lambda and is already supported by rusoto, an AWS API binding in Rust.
I have found one implementation (untested) by @jbg here: https://github.com/jbg/rust-postgres-rustls/blob/master/src/lib.rs
Being a beginner in Rust, I find it hard to understand how to bring in a TLS implementation such that the Postgres connection is secure, and I think the documentation could benefit from being a bit more verbose on the topic.
Particularly, an example for each of the bindings provided (openssl, schannel etc.) with their respective Cargo.toml and crates used, with a corresponding snippet. Pretty much like the native-tls example that is provided, including the Cargo.toml so that we can see without a doubt how to pass the feature flag.
Again, thanks for the library and the time spent developing it. I hope a rustls binding would be helpful for everyone.