Comments (15)
Yes -- rustls should support P521 since https://github.com/rustls/rustls/releases/tag/v%2F0.22.2 if we switch to aws-lc-rs.
@djc I'll try to find the reason for the p521 curve, but I'm pretty sure the choice is quite deliberate. WARP is written in Rust, so the engineers developing it feel the pain of `ring` being incompatible with it themselves. The `ring` PR is by a Cloudflare engineer.
@kornelski I think we'll be able to use aws-lc-rs but would still be interested in hearing the reasons that it's used!
@rami3l reqwest allows configuring the ClientBuilder with a pre-built ClientConfig (of the matching Rustls release), so I think we can build a rustls 0.22 ClientConfig and configure reqwest to use this.
@djc That's the way to do manual resolution at runtime, right? Shouldn't there be a way to simply remove `ring` if we're not using it?
Unfortunately it doesn't look like that exists in reqwest right now. Let's see if I can move that forward.
@kornelski but in terms of impact: this specifically impacts Cloudflare's WARP deployment, right, not the default deployment one would get when setting up WARP for their organization?
(I revised seanmonstar/reqwest#2225 yesterday to try to make progress on this.)
It impacts more than just internal Cloudflare deployment. Customers have an option to upload their own CA cert (which can use any signature algorithm), but if they don't, the default Cloudflare cert is used. I don't have data on how many deployments use the incompatible cert.
@djc Can we use `aws-lc` instead of `ring` for `rustls`? `aws-lc` seems to have p521 support already; OTOH, comparing `aws-lc`'s platform support and that of `ring`, I can see that the former lacks `mips*`, but since we don't do `mips*` anymore (dfd71c0) this shouldn't be a problem...
I'm still not very familiar with the subject, so please feel free to correct me if I'm wrong.
@djc (A newbie question:) I tried adding

```toml
[dependencies]
rustls = { version = "0.22", optional = true, default-features = false, features = ["logging", "aws_lc_rs", "tls12"] }
```

... to our Cargo.toml, but it looks like `ring` is still there in the lockfile. Actually, both `aws-lc-rs` and `ring` are in the dependencies now, which may cause problems as described in seanmonstar/reqwest#2225 (comment).
Am I doing anything wrong, or do we need to wait for something like seanmonstar/reqwest#2136?
In WARP, the p521 curve has been chosen as the best algorithm with FIPS compliance.
The p521 signature is necessary "only" to validate the root CA certificate used by WARP MITM. At the same time this is the hardest thing to change in this setup, so it's very unlikely to be changed anytime soon.