Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: start using rustls instead of openssl #255

Closed
wants to merge 4 commits into from

Conversation

Angelmmiguel
Copy link
Contributor

@Angelmmiguel Angelmmiguel commented Nov 24, 2023

Before, wws was using OpenSSL to establish external connections using the reqwest crate. Initially, we wanted to use rustls, but the compilation was failing for Windows arm64. After closing all the tasks described in #137, we can now switch to rustls.

In the past, we had multiple issues and CVEs due to the OpenSSL dependency. In addition to that, we had to compile it from scratch on every build so it was taking extra time. Also, we had to include ca-certificates in the containers images as we are using scratch. From now on, we will rely on rustls related certs (webpki).

It closes #137

@Angelmmiguel Angelmmiguel added the 🚀 enhancement New feature or request label Nov 24, 2023
@Angelmmiguel Angelmmiguel added this to the v1.8.0 milestone Nov 24, 2023
@Angelmmiguel Angelmmiguel self-assigned this Nov 24, 2023
Copy link
Contributor

@ereslibre ereslibre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Super! Thanks @Angelmmiguel! Just a couple of comments :), LGTM :)

@@ -34,7 +34,7 @@ wws-server = { workspace = true }
wws-project = { workspace = true }

[dev-dependencies]
reqwest = { version = "0.11", features = ["blocking"] }
reqwest = { version = "0.11", features = ["rustls", "blocking"] }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
reqwest = { version = "0.11", features = ["rustls", "blocking"] }
reqwest = { version = "0.11", features = ["rustls-tls", "blocking"] }

As per https://github.com/seanmonstar/reqwest/blob/master/Cargo.toml#L41

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to use rustls-tls-webpki-roots as well, so that we can provide a static binary that contains the root certificates bundled in the binary itself, without the need for the host system running wws to have ca-certificates or similar installed.

This has its problems of course, as for example, root certificate revocation, but I think it should be fine for now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Unfortunately, I'm going to close this PR due to #256. We still need to find an alternative that works for git2-rs :/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ouch, right.

@Angelmmiguel Angelmmiguel removed this from the v1.8.0 milestone Nov 24, 2023
@Angelmmiguel
Copy link
Contributor Author

Closing for now as this feature is blocked by #256

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Switch to rustls to avoid compiling OpenSSL
3 participants