diff --git a/.github/workflows/sqlx.yml b/.github/workflows/sqlx.yml
index e2967ec9ef..04b0ae41e6 100644
--- a/.github/workflows/sqlx.yml
+++ b/.github/workflows/sqlx.yml
@@ -66,7 +66,7 @@ jobs:
strategy:
matrix:
runtime: [async-std, tokio]
- tls: [native-tls, rustls, none]
+ tls: [native-tls, rustls-aws-lc-rs, rustls-ring, none]
steps:
- uses: actions/checkout@v4
@@ -147,7 +147,7 @@ jobs:
matrix:
postgres: [15, 11]
runtime: [async-std, tokio]
- tls: [native-tls, rustls, none]
+ tls: [native-tls, rustls-aws-lc-rs, rustls-ring, none]
needs: check
steps:
- uses: actions/checkout@v4
@@ -247,7 +247,7 @@ jobs:
matrix:
mysql: [8]
runtime: [async-std, tokio]
- tls: [native-tls, rustls, none]
+ tls: [native-tls, rustls-aws-lc-rs, rustls-ring, none]
needs: check
steps:
- uses: actions/checkout@v4
@@ -335,7 +335,7 @@ jobs:
matrix:
mariadb: [verylatest, 11_4, 10_11, 10_4]
runtime: [async-std, tokio]
- tls: [native-tls, rustls, none]
+ tls: [native-tls, rustls-aws-lc-rs, rustls-ring, none]
needs: check
steps:
- uses: actions/checkout@v4
diff --git a/Cargo.lock b/Cargo.lock
index 9a0f789308..3f711abedd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -349,6 +349,33 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+[[package]]
+name = "aws-lc-rs"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8a47f2fb521b70c11ce7369a6c5fa4bd6af7e5d62ec06303875bafe7c6ba245"
+dependencies = [
+ "aws-lc-sys",
+ "mirai-annotations",
+ "paste",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2927c7af777b460b7ccd95f8b67acd7b4c04ec8896bf0c8e80ba30523cffc057"
+dependencies = [
+ "bindgen",
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+ "libc",
+ "paste",
+]
+
[[package]]
name = "axum"
version = "0.5.17"
@@ -444,12 +471,6 @@ version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
-[[package]]
-name = "base64"
-version = "0.21.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
-
[[package]]
name = "base64"
version = "0.22.0"
@@ -484,6 +505,29 @@ dependencies = [
"num-traits",
]
+[[package]]
+name = "bindgen"
+version = "0.69.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0"
+dependencies = [
+ "bitflags 2.4.2",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.10.5",
+ "lazy_static",
+ "lazycell",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash",
+ "shlex",
+ "syn 2.0.52",
+ "which",
+]
+
[[package]]
name = "bit-vec"
version = "0.6.3"
@@ -684,6 +728,19 @@ name = "cc"
version = "1.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f"
+dependencies = [
+ "jobserver",
+ "libc",
+]
+
+[[package]]
+name = "cexpr"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
+]
[[package]]
name = "cfg-if"
@@ -737,6 +794,17 @@ dependencies = [
"half",
]
+[[package]]
+name = "clang-sys"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
+
[[package]]
name = "clap"
version = "4.5.2"
@@ -797,6 +865,15 @@ dependencies = [
"winapi",
]
+[[package]]
+name = "cmake"
+version = "0.1.50"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a31c789563b815f77f4250caee12365734369f942439b7defd71e18a48197130"
+dependencies = [
+ "cc",
+]
+
[[package]]
name = "colorchoice"
version = "1.0.0"
@@ -1110,6 +1187,12 @@ version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
+[[package]]
+name = "dunce"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56ce8c6da7551ec6c462cbaf3bfbc75131ebbfa1c944aeaa9dab51ca1c5f0c3b"
+
[[package]]
name = "either"
version = "1.10.0"
@@ -1348,6 +1431,12 @@ version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c2141d6d6c8512188a7891b4b01590a45f6dac67afb4f255c4124dbb86d4eaa"
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
[[package]]
name = "funty"
version = "2.0.0"
@@ -1834,6 +1923,15 @@ version = "1.0.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c"
+[[package]]
+name = "jobserver"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2b099aaa34a9751c5bf0878add70444e1ed2dd73f347be99003d4577277de6e"
+dependencies = [
+ "libc",
+]
+
[[package]]
name = "js-sys"
version = "0.3.69"
@@ -1861,12 +1959,28 @@ dependencies = [
"spin 0.5.2",
]
+[[package]]
+name = "lazycell"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+
[[package]]
name = "libc"
version = "0.2.153"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd"
+[[package]]
+name = "libloading"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e310b3a6b5907f99202fcdb4960ff45b93735d7c7d96b760fcff8db2dc0e103d"
+dependencies = [
+ "cfg-if",
+ "windows-targets 0.48.5",
+]
+
[[package]]
name = "libm"
version = "0.2.8"
@@ -2009,6 +2123,12 @@ dependencies = [
"windows-sys 0.48.0",
]
+[[package]]
+name = "mirai-annotations"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1"
+
[[package]]
name = "mockall"
version = "0.11.4"
@@ -2483,6 +2603,16 @@ dependencies = [
"termtree",
]
+[[package]]
+name = "prettyplease"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d3928fb5db768cb86f891ff014f0144589297e3c6a1aba6ed7cecfdace270c7"
+dependencies = [
+ "proc-macro2",
+ "syn 2.0.52",
+]
+
[[package]]
name = "proc-macro-crate"
version = "3.1.0"
@@ -2803,6 +2933,12 @@ version = "0.1.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
+[[package]]
+name = "rustc-hash"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+
[[package]]
name = "rustix"
version = "0.37.27"
@@ -2832,31 +2968,44 @@ dependencies = [
[[package]]
name = "rustls"
-version = "0.21.11"
+version = "0.23.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fecbfb7b1444f477b345853b1fce097a2c6fb637b2bfb87e6bc5db0f043fae4"
+checksum = "4828ea528154ae444e5a642dbb7d5623354030dc9822b83fd9bb79683c7399d0"
dependencies = [
+ "aws-lc-rs",
+ "once_cell",
"ring",
+ "rustls-pki-types",
"rustls-webpki",
- "sct",
+ "subtle",
+ "zeroize",
]
[[package]]
name = "rustls-pemfile"
-version = "1.0.4"
+version = "2.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
+checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d"
dependencies = [
- "base64 0.21.7",
+ "base64 0.22.0",
+ "rustls-pki-types",
]
+[[package]]
+name = "rustls-pki-types"
+version = "1.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
+
[[package]]
name = "rustls-webpki"
-version = "0.101.7"
+version = "0.102.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
+checksum = "f9a6fccd794a42c2c105b513a2f62bc3fd8f3ba57a4593677ceb0bd035164d78"
dependencies = [
+ "aws-lc-rs",
"ring",
+ "rustls-pki-types",
"untrusted",
]
@@ -2920,16 +3069,6 @@ version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
-[[package]]
-name = "sct"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
-dependencies = [
- "ring",
- "untrusted",
-]
-
[[package]]
name = "seahash"
version = "4.1.0"
@@ -3061,6 +3200,12 @@ dependencies = [
"digest",
]
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
[[package]]
name = "signal-hook"
version = "0.3.17"
@@ -4237,9 +4382,24 @@ dependencies = [
[[package]]
name = "webpki-roots"
-version = "0.25.4"
+version = "0.26.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "which"
+version = "4.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
+checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7"
+dependencies = [
+ "either",
+ "home",
+ "once_cell",
+ "rustix 0.38.31",
+]
[[package]]
name = "whoami"
@@ -4466,3 +4626,17 @@ name = "zeroize"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.52",
+]
diff --git a/Cargo.toml b/Cargo.toml
index b73630eac0..b508f4dde4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -78,7 +78,9 @@ runtime-tokio = ["_rt-tokio", "sqlx-core/_rt-tokio", "sqlx-macros?/_rt-tokio"]
# TLS features
tls-native-tls = ["sqlx-core/_tls-native-tls", "sqlx-macros?/_tls-native-tls"]
-tls-rustls = ["sqlx-core/_tls-rustls", "sqlx-macros?/_tls-rustls"]
+tls-rustls = ["tls-rustls-ring"] # For backwards compatibility
+tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs", "sqlx-macros?/_tls-rustls-aws-lc-rs"]
+tls-rustls-ring = ["sqlx-core/_tls-rustls-ring", "sqlx-macros?/_tls-rustls-ring"]
# No-op feature used by the workflows to compile without TLS enabled. Not meant for general use.
tls-none = []
@@ -86,10 +88,10 @@ tls-none = []
# Legacy Runtime + TLS features
runtime-async-std-native-tls = ["runtime-async-std", "tls-native-tls"]
-runtime-async-std-rustls = ["runtime-async-std", "tls-rustls"]
+runtime-async-std-rustls = ["runtime-async-std", "tls-rustls-ring"]
runtime-tokio-native-tls = ["runtime-tokio", "tls-native-tls"]
-runtime-tokio-rustls = ["runtime-tokio", "tls-rustls"]
+runtime-tokio-rustls = ["runtime-tokio", "tls-rustls-ring"]
# for conditional compilation
_rt-async-std = []
diff --git a/README.md b/README.md
index 46a9c3b8dd..628b77aed3 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@ SQLx is an async, pure Rust† SQL crate featuring compile-time check
† The SQLite driver uses the libsqlite3 C library as SQLite is an embedded database (the only way
we could be pure Rust for SQLite is by porting _all_ of SQLite to Rust).
-†† SQLx uses `#![forbid(unsafe_code)]` unless the `sqlite` feature is enabled.
+†† SQLx uses `#![forbid(unsafe_code)]` unless the `sqlite` feature is enabled.
The SQLite driver directly invokes the SQLite3 API via `libsqlite3-sys`, which requires `unsafe`.
@@ -128,15 +128,19 @@ SQLx is compatible with the [`async-std`], [`tokio`], and [`actix`] runtimes; an
sqlx = { version = "0.7", features = [ "runtime-tokio" ] }
# tokio + native-tls
sqlx = { version = "0.7", features = [ "runtime-tokio", "tls-native-tls" ] }
-# tokio + rustls
-sqlx = { version = "0.7", features = [ "runtime-tokio", "tls-rustls" ] }
+# tokio + rustls with ring
+sqlx = { version = "0.7", features = [ "runtime-tokio", "tls-rustls-ring" ] }
+# tokio + rustls with aws-lc-rs
+sqlx = { version = "0.7", features = [ "runtime-tokio", "tls-rustls-aws-lc-rs" ] }
# async-std (no TLS)
sqlx = { version = "0.7", features = [ "runtime-async-std" ] }
# async-std + native-tls
sqlx = { version = "0.7", features = [ "runtime-async-std", "tls-native-tls" ] }
-# async-std + rustls
-sqlx = { version = "0.7", features = [ "runtime-async-std", "tls-rustls" ] }
+# async-std + rustls with ring
+sqlx = { version = "0.7", features = [ "runtime-async-std", "tls-rustls-ring" ] }
+# async-std + rustls with aws-lc-rs
+sqlx = { version = "0.7", features = [ "runtime-async-std", "tls-rustls-aws-lc-rs" ] }
```
#### Cargo Feature Flags
@@ -387,7 +391,7 @@ Differences from `query()`:
[dotenv]: https://github.com/dotenv-rs/dotenv#examples
The biggest downside to `query!()` is that the output type cannot be named (due to Rust not
-officially supporting anonymous records). To address that, there is a `query_as!()` macro that is
+officially supporting anonymous records). To address that, there is a `query_as!()` macro that is
mostly identical except that you can name the output type.
```rust
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index f19c1a1e0d..5d1198bc9b 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -22,6 +22,8 @@ json = ["serde", "serde_json"]
_rt-async-std = ["async-std", "async-io"]
_rt-tokio = ["tokio", "tokio-stream"]
_tls-native-tls = ["native-tls"]
+_tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs"]
+_tls-rustls-ring = ["_tls-rustls", "rustls/ring"]
_tls-rustls = ["rustls", "rustls-pemfile", "webpki-roots"]
_tls-none = []
@@ -36,9 +38,9 @@ tokio = { workspace = true, optional = true }
# TLS
native-tls = { version = "0.2.10", optional = true }
-rustls = { version = "0.21.11", default-features = false, features = ["dangerous_configuration", "tls12"], optional = true }
-rustls-pemfile = { version = "1.0", optional = true }
-webpki-roots = { version = "0.25", optional = true }
+rustls = { version = "0.23.11", default-features = false, features = ["std", "tls12"], optional = true }
+rustls-pemfile = { version = "2", optional = true }
+webpki-roots = { version = "0.26", optional = true }
# Type Integrations
bit-vec = { workspace = true, optional = true }
diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
index e958fdef3d..2ea16c854a 100644
--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -2,12 +2,15 @@ use futures_util::future;
use std::io::{self, BufReader, Cursor, Read, Write};
use std::sync::Arc;
use std::task::{Context, Poll};
-use std::time::SystemTime;
use rustls::{
- client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier},
- CertificateError, ClientConfig, ClientConnection, Error as TlsError, OwnedTrustAnchor,
- RootCertStore, ServerName,
+ client::{
+ danger::{ServerCertVerified, ServerCertVerifier},
+ WebPkiServerVerifier,
+ },
+ crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
+ pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+ CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore,
};
use crate::error::Error;
@@ -85,7 +88,15 @@ pub async fn handshake(socket: S, tls_config: TlsConfig<'_>) -> Result) -> Result, Error> {
+fn certs_from_pem(pem: Vec) -> Result>, Error> {
let cur = Cursor::new(pem);
let mut reader = BufReader::new(cur);
- rustls_pemfile::certs(&mut reader)?
- .into_iter()
- .map(|v| Ok(rustls::Certificate(v)))
+ rustls_pemfile::certs(&mut reader)
+ .map(|result| result.map_err(|err| Error::Tls(err.into())))
.collect()
}
-fn private_key_from_pem(pem: Vec) -> Result {
+fn private_key_from_pem(pem: Vec) -> Result, Error> {
let cur = Cursor::new(pem);
let mut reader = BufReader::new(cur);
-
- loop {
- match rustls_pemfile::read_one(&mut reader)? {
- Some(
- rustls_pemfile::Item::RSAKey(key)
- | rustls_pemfile::Item::PKCS8Key(key)
- | rustls_pemfile::Item::ECKey(key),
- ) => return Ok(rustls::PrivateKey(key)),
- None => break,
- _ => {}
- }
+ match rustls_pemfile::private_key(&mut reader) {
+ Ok(Some(key)) => Ok(key),
+ Ok(None) => Err(Error::Configuration("no keys found pem file".into())),
+ Err(e) => Err(Error::Configuration(e.to_string().into())),
}
-
- Err(Error::Configuration("no keys found pem file".into()))
}
-struct DummyTlsVerifier;
+#[derive(Debug)]
+struct DummyTlsVerifier {
+ provider: Arc,
+}
impl ServerCertVerifier for DummyTlsVerifier {
fn verify_server_cert(
&self,
- _end_entity: &rustls::Certificate,
- _intermediates: &[rustls::Certificate],
- _server_name: &ServerName,
- _scts: &mut dyn Iterator- ,
+ _end_entity: &CertificateDer<'_>,
+ _intermediates: &[CertificateDer<'_>],
+ _server_name: &ServerName<'_>,
_ocsp_response: &[u8],
- _now: SystemTime,
+ _now: UnixTime,
) -> Result {
Ok(ServerCertVerified::assertion())
}
+
+ fn verify_tls12_signature(
+ &self,
+ message: &[u8],
+ cert: &CertificateDer<'_>,
+ dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ verify_tls12_signature(
+ message,
+ cert,
+ dss,
+ &self.provider.signature_verification_algorithms,
+ )
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ message: &[u8],
+ cert: &CertificateDer<'_>,
+ dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ verify_tls13_signature(
+ message,
+ cert,
+ dss,
+ &self.provider.signature_verification_algorithms,
+ )
+ }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ self.provider
+ .signature_verification_algorithms
+ .supported_schemes()
+ }
}
+#[derive(Debug)]
pub struct NoHostnameTlsVerifier {
- verifier: WebPkiVerifier,
+ verifier: Arc,
}
impl ServerCertVerifier for NoHostnameTlsVerifier {
fn verify_server_cert(
&self,
- end_entity: &rustls::Certificate,
- intermediates: &[rustls::Certificate],
- server_name: &ServerName,
- scts: &mut dyn Iterator
- ,
+ end_entity: &CertificateDer<'_>,
+ intermediates: &[CertificateDer<'_>],
+ server_name: &ServerName<'_>,
ocsp_response: &[u8],
- now: SystemTime,
+ now: UnixTime,
) -> Result {
match self.verifier.verify_server_cert(
end_entity,
intermediates,
server_name,
- scts,
ocsp_response,
now,
) {
@@ -247,4 +283,26 @@ impl ServerCertVerifier for NoHostnameTlsVerifier {
res => res,
}
}
+
+ fn verify_tls12_signature(
+ &self,
+ message: &[u8],
+ cert: &CertificateDer<'_>,
+ dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ self.verifier.verify_tls12_signature(message, cert, dss)
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ message: &[u8],
+ cert: &CertificateDer<'_>,
+ dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ self.verifier.verify_tls13_signature(message, cert, dss)
+ }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ self.verifier.supported_verify_schemes()
+ }
}
diff --git a/sqlx-macros-core/Cargo.toml b/sqlx-macros-core/Cargo.toml
index aa9bb95044..7a7ba1a30e 100644
--- a/sqlx-macros-core/Cargo.toml
+++ b/sqlx-macros-core/Cargo.toml
@@ -15,7 +15,8 @@ _rt-async-std = ["async-std", "sqlx-core/_rt-async-std"]
_rt-tokio = ["tokio", "sqlx-core/_rt-tokio"]
_tls-native-tls = ["sqlx-core/_tls-native-tls"]
-_tls-rustls = ["sqlx-core/_tls-rustls"]
+_tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs"]
+_tls-rustls-ring = ["sqlx-core/_tls-rustls-ring"]
# SQLx features
derive = []
diff --git a/sqlx-macros/Cargo.toml b/sqlx-macros/Cargo.toml
index cb4d1b91c3..813a00b46d 100644
--- a/sqlx-macros/Cargo.toml
+++ b/sqlx-macros/Cargo.toml
@@ -18,7 +18,8 @@ _rt-async-std = ["sqlx-macros-core/_rt-async-std"]
_rt-tokio = ["sqlx-macros-core/_rt-tokio"]
_tls-native-tls = ["sqlx-macros-core/_tls-native-tls"]
-_tls-rustls = ["sqlx-macros-core/_tls-rustls"]
+_tls-rustls-aws-lc-rs = ["sqlx-macros-core/_tls-rustls-aws-lc-rs"]
+_tls-rustls-ring = ["sqlx-macros-core/_tls-rustls-ring"]
# SQLx features
derive = ["sqlx-macros-core/derive"]
diff --git a/src/lib.md b/src/lib.md
index 0eab5eeb64..aa45b15730 100644
--- a/src/lib.md
+++ b/src/lib.md
@@ -1,6 +1,6 @@
The async SQL toolkit for Rust, built with ❤️ by [the LaunchBadge team].
-See our [README] to get started or [browse our example projects].
+See our [README] to get started or [browse our example projects].
Have a question? [Check our FAQ] or [open a discussion].
### Runtime Support
@@ -15,36 +15,42 @@ You choose which runtime SQLx uses by default by enabling one of the following f
The `runtime-actix` feature also exists but is an alias of `runtime-tokio`.
If more than one runtime feature is enabled, the Tokio runtime is used if a Tokio context exists on the current
-thread, i.e. [`tokio::runtime::Handle::try_current()`] returns `Ok`; `async-std` is used otherwise.
+thread, i.e. [`tokio::runtime::Handle::try_current()`] returns `Ok`; `async-std` is used otherwise.
Note that while SQLx no longer produces a compile error if zero or multiple runtime features are enabled,
-which is useful for libraries building on top of it,
+which is useful for libraries building on top of it,
**the use of nearly any async function in the API will panic without at least one runtime feature enabled**.
-The chief exception is the SQLite driver, which is runtime-agnostic, including its integration with the query macros.
-However, [`SqlitePool`][crate::sqlite::SqlitePool] _does_ require runtime support for timeouts and spawning
+The chief exception is the SQLite driver, which is runtime-agnostic, including its integration with the query macros.
+However, [`SqlitePool`][crate::sqlite::SqlitePool] _does_ require runtime support for timeouts and spawning
internal management tasks.
### TLS Support
-For securely communicating with SQL servers over an untrusted network connection such as the internet,
+For securely communicating with SQL servers over an untrusted network connection such as the internet,
you can enable Transport Layer Security (TLS) by enabling one of the following features:
* `tls-native-tls`: Enables the [`native-tls`] backend which uses the OS-native TLS capabilities:
* SecureTransport on macOS.
* SChannel on Windows.
* OpenSSL on all other platforms.
-* `tls-rustls`: Enables the [RusTLS] backend, a crossplatform TLS library.
- * Only supports TLS revisions 1.2 and 1.3.
- * If you get `HandshakeFailure` errors when using this feature, it likely means your database server does not support
+* `tls-rustls`: Enables the [rustls] backend, a cross-platform TLS library.
+ * Only supports TLS revisions 1.2 and 1.3.
+ * If you get `HandshakeFailure` errors when using this feature, it likely means your database server does not support
these newer revisions. This might be resolved by enabling or switching to the `tls-native-tls` feature.
-
+ * rustls supports several providers of cryptographic primitives. The default
+ (enabled when you use the `tls-rustls` feature or `tls-rustls-ring`) is the
+ `ring` provider, which has fewer build-time dependencies but also has fewer
+ features. Alternatively, you can use `tls-rustls-aws-lc-rs` to use the
+ `aws-lc-rs` provider, which enables additional cipher suite support at the cost
+ of more onerous build requirements (depending on platform support).
+
If more than one TLS feature is enabled, the `tls-native-tls` feature takes precedent so that it is only necessary to enable
it to see if it resolves the `HandshakeFailure` error without disabling `tls-rustls`.
Consult the user manual for your database to find the TLS versions it supports.
-If your connection configuration requires a TLS upgrade but TLS support was not enabled, the connection attempt
+If your connection configuration requires a TLS upgrade but TLS support was not enabled, the connection attempt
will return an error.
The legacy runtime+TLS combination feature flags are still supported, but for forward-compatibility, use of the separate
@@ -59,4 +65,4 @@ runtime and TLS feature flags is recommended.
[async-std]: https://www.async.rs
[`tokio::runtime::Handle::try_current()`]: https://docs.rs/tokio/latest/tokio/runtime/struct.Handle.html#method.try_current
[`native-tls`]: https://docs.rs/native-tls/latest/native_tls/
-[RusTLS]: https://docs.rs/rustls/latest/rustls/
+[rustls]: https://docs.rs/rustls/latest/rustls/