Upgrade to hyper-rustls 0.27/rustls 0.23

CHANGELOG.md

@@ -715,12 +715,12 @@
   - Timeouts now affect DNS and socket connection.
   - Pool much better at evicting sockets when they die.
   - An `unstable` Cargo feature to enable `reqwest::unstable::async`.
-- A huge docs improvement! 
+- A huge docs improvement!
 
 ### Fixes
 
 - Publicly exports `RedirectAction` and `RedirectAttempt`
-- `Error::get_ref` returns `Error + Send + Sync`  
+- `Error::get_ref` returns `Error + Send + Sync`
 
 ### Breaking Changes
 
@@ -789,7 +789,7 @@
 
 ### Breaking Changes
 
-The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`. 
+The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`.
 
 # v0.4.0
 

Cargo.toml

@@ -41,9 +41,13 @@ native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"]
 native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]
 
 rustls-tls = ["rustls-tls-webpki-roots"]
-rustls-tls-manual-roots = ["__rustls"]
-rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"]
-rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"]
+rustls-tls-manual-roots = ["__rustls_crypto_ring"]
+rustls-tls-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_ring"]
+rustls-tls-native-roots = ["__rustls_roots_native", "__rustls_crypto_ring"]
+rustls-tls-aws-lc-manual-roots = ["__rustls_crypto_aws_lc"]
+rustls-tls-aws-lc-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_aws_lc"]
+rustls-tls-aws-lc-native-roots = ["__rustls_roots_native", "__rustls_crypto_aws_lc"]
+rustls-base = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "rustls-pki-types"]
 
 blocking = ["futures-channel/sink", "futures-util/io", "futures-util/sink", "tokio/sync"]
 
@@ -84,9 +88,13 @@ macos-system-configuration = ["dep:system-configuration"]
 # Enables common types used for TLS. Useless on its own.
 __tls = ["dep:rustls-pemfile", "tokio/io-util"]
 
-# Enables common rustls code.
-# Equivalent to rustls-tls-manual-roots but shorter :)
-__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "rustls-pki-types"]
+# Provide common feature flags along two axes:
+# - crypto provider: ring or aws-lc
+# - root certificate provider: webpki-roots or rustls-native-certs
+__rustls_roots_webpki = ["dep:webpki-roots"]
+__rustls_roots_native = ["dep:rustls-native-certs"]
+__rustls_crypto_ring = ["rustls-base", "rustls/ring"]
+__rustls_crypto_aws_lc = ["rustls-base", "rustls/aws_lc_rs"]
 
 # When enabled, disable using the cached SYS_PROXIES.
 __internal_proxy_sys_no_cache = []
@@ -134,10 +142,10 @@ native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls"
 tokio-native-tls = { version = "0.3.0", optional = true }
 
 # rustls-tls
-hyper-rustls = { version = "0.26.0", default-features = false, optional = true }
-rustls = { version = "0.22.2", optional = true }
-rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
-tokio-rustls = { version = "0.25", optional = true }
+hyper-rustls = { version = "0.27", default-features = false, optional = true, features = ["http1", "http2", "logging", "native-tokio", "ring", "tls12"] }
+rustls = { version = "0.23.4", default-features = false, features = ["logging", "std", "tls12"], optional = true }
+rustls-pki-types = { version = "1.1.0", features = ["alloc"], optional = true }
+tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "ring", "tls12"], optional = true }
 webpki-roots = { version = "0.26.0", optional = true }
 rustls-native-certs = { version = "0.7", optional = true }
 

src/async_impl/client.rs

@@ -1,4 +1,4 @@
-#[cfg(any(feature = "native-tls", feature = "__rustls",))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
 use std::any::Any;
 use std::net::IpAddr;
 use std::sync::Arc;
@@ -43,7 +43,7 @@ use crate::redirect::{self, remove_sensitive_headers};
 use crate::tls::{self, TlsBackend};
 #[cfg(feature = "__tls")]
 use crate::Certificate;
-#[cfg(any(feature = "native-tls", feature = "__rustls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
 use crate::Identity;
 use crate::{IntoUrl, Method, Proxy, StatusCode, Url};
 use log::debug;
@@ -102,7 +102,7 @@ struct Config {
     pool_idle_timeout: Option<Duration>,
     pool_max_idle_per_host: usize,
     tcp_keepalive: Option<Duration>,
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     identity: Option<Identity>,
     proxies: Vec<Proxy>,
     auto_sys_proxy: bool,
@@ -114,9 +114,9 @@ struct Config {
     root_certs: Vec<Certificate>,
     #[cfg(feature = "__tls")]
     tls_built_in_root_certs: bool,
-    #[cfg(feature = "rustls-tls-webpki-roots")]
+    #[cfg(feature = "__rustls_roots_webpki")]
     tls_built_in_certs_webpki: bool,
-    #[cfg(feature = "rustls-tls-native-roots")]
+    #[cfg(feature = "__rustls_roots_native")]
     tls_built_in_certs_native: bool,
     #[cfg(feature = "__tls")]
     min_tls_version: Option<tls::Version>,
@@ -211,11 +211,11 @@ impl ClientBuilder {
                 root_certs: Vec::new(),
                 #[cfg(feature = "__tls")]
                 tls_built_in_root_certs: true,
-                #[cfg(feature = "rustls-tls-webpki-roots")]
+                #[cfg(feature = "__rustls_roots_webpki")]
                 tls_built_in_certs_webpki: true,
-                #[cfg(feature = "rustls-tls-native-roots")]
+                #[cfg(feature = "__rustls_roots_native")]
                 tls_built_in_certs_native: true,
-                #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+                #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
                 identity: None,
                 #[cfg(feature = "__tls")]
                 min_tls_version: None,
@@ -317,7 +317,7 @@ impl ClientBuilder {
             let mut http = HttpConnector::new_with_resolver(DynResolver::new(resolver.clone()));
             http.set_connect_timeout(config.connect_timeout);
 
-            #[cfg(all(feature = "http3", feature = "__rustls"))]
+            #[cfg(all(feature = "http3", feature = "rustls-base"))]
             let build_h3_connector =
                 |resolver,
                  tls,
@@ -409,7 +409,7 @@ impl ClientBuilder {
                             id.add_to_native_tls(&mut tls)?;
                         }
                     }
-                    #[cfg(all(feature = "__rustls", not(feature = "native-tls")))]
+                    #[cfg(all(feature = "rustls-base", not(feature = "native-tls")))]
                     {
                         // Default backend + rustls Identity doesn't work.
                         if let Some(_id) = config.identity {
@@ -466,7 +466,7 @@ impl ClientBuilder {
                     config.nodelay,
                     config.tls_info,
                 ),
-                #[cfg(feature = "__rustls")]
+                #[cfg(feature = "rustls-base")]
                 TlsBackend::BuiltRustls(conn) => {
                     #[cfg(feature = "http3")]
                     {
@@ -498,7 +498,10 @@ impl ClientBuilder {
                         config.tls_info,
                     )
                 }
-                #[cfg(feature = "__rustls")]
+                #[cfg(any(
+                    feature = "__rustls_crypto_ring",
+                    feature = "__rustls_crypto_aws_lc-rs"
+                ))]
                 TlsBackend::Rustls => {
                     use crate::tls::NoVerifier;
 
@@ -508,12 +511,12 @@ impl ClientBuilder {
                         cert.add_to_rustls(&mut root_cert_store)?;
                     }
 
-                    #[cfg(feature = "rustls-tls-webpki-roots")]
+                    #[cfg(feature = "__rustls_roots_webpki")]
                     if config.tls_built_in_certs_webpki {
                         root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
                     }
 
-                    #[cfg(feature = "rustls-tls-native-roots")]
+                    #[cfg(feature = "__rustls_roots_native")]
                     if config.tls_built_in_certs_native {
                         let mut valid_count = 0;
                         let mut invalid_count = 0;
@@ -566,8 +569,19 @@ impl ClientBuilder {
                     }
 
                     // Build TLS config
+                    #[cfg(feature = "__rustls_crypto_ring")]
+                    let provider = rustls::crypto::ring::default_provider();
+
+                    #[cfg(all(
+                        feature = "__rustls_crypto_aws_lc-rs",
+                        not(feature = "__rustls_crypto_ring")
+                    ))]
+                    let provider = rustls::crypto::aws_lc_rs::default_provider();
+
                     let config_builder =
-                        rustls::ClientConfig::builder_with_protocol_versions(&versions)
+                        rustls::ClientConfig::builder_with_provider(Arc::new(provider))
+                            .with_protocol_versions(&versions)
+                            .map_err(|_| crate::error::builder("invalid TLS versions"))?
                             .with_root_certificates(root_cert_store);
 
                     // Finalize TLS config
@@ -639,7 +653,7 @@ impl ClientBuilder {
                         config.tls_info,
                     )
                 }
-                #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+                #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
                 TlsBackend::UnknownPreconfigured => {
                     return Err(crate::error::builder(
                         "Unknown TLS backend passed to `use_preconfigured_tls`",
@@ -1400,12 +1414,12 @@ impl ClientBuilder {
     pub fn tls_built_in_root_certs(mut self, tls_built_in_root_certs: bool) -> ClientBuilder {
         self.config.tls_built_in_root_certs = tls_built_in_root_certs;
 
-        #[cfg(feature = "rustls-tls-webpki-roots")]
+        #[cfg(feature = "__rustls_roots_webpki")]
         {
             self.config.tls_built_in_certs_webpki = tls_built_in_root_certs;
         }
 
-        #[cfg(feature = "rustls-tls-native-roots")]
+        #[cfg(feature = "__rustls_roots_native")]
         {
             self.config.tls_built_in_certs_native = tls_built_in_root_certs;
         }
@@ -1416,8 +1430,8 @@ impl ClientBuilder {
     /// Sets whether to load webpki root certs with rustls.
     ///
     /// If the feature is enabled, this value is `true` by default.
-    #[cfg(feature = "rustls-tls-webpki-roots")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+    #[cfg(feature = "__rustls_roots_webpki")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))]
     pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
         self.config.tls_built_in_certs_webpki = enabled;
         self
@@ -1426,8 +1440,8 @@ impl ClientBuilder {
     /// Sets whether to load native root certs with rustls.
     ///
     /// If the feature is enabled, this value is `true` by default.
-    #[cfg(feature = "rustls-tls-native-roots")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+    #[cfg(feature = "__rustls_roots_native")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))]
     pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
         self.config.tls_built_in_certs_native = enabled;
         self
@@ -1439,7 +1453,7 @@ impl ClientBuilder {
     ///
     /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
     /// enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn identity(mut self, identity: Identity) -> ClientBuilder {
         self.config.identity = Some(identity);
@@ -1606,8 +1620,17 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires the optional `rustls-tls(-...)` feature to be enabled.
-    #[cfg(feature = "__rustls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
+    #[cfg(any(
+        feature = "__rustls_crypto_ring",
+        feature = "__rustls_crypto_aws_lc-rs"
+    ))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(
+            feature = "__rustls_crypto_ring",
+            feature = "__rustls_crypto_aws_lc-rs"
+        )))
+    )]
     pub fn use_rustls_tls(mut self) -> ClientBuilder {
         self.config.tls = TlsBackend::Rustls;
         self
@@ -1631,7 +1654,7 @@ impl ClientBuilder {
     ///
     /// This requires one of the optional features `native-tls` or
     /// `rustls-tls(-...)` to be enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder {
         let mut tls = Some(tls);
@@ -1644,7 +1667,7 @@ impl ClientBuilder {
                 return self;
             }
         }
-        #[cfg(feature = "__rustls")]
+        #[cfg(feature = "rustls-base")]
         {
             if let Some(conn) =
                 (&mut tls as &mut dyn Any).downcast_mut::<Option<rustls::ClientConfig>>()
@@ -2244,7 +2267,7 @@ impl Config {
             f.field("tls_info", &self.tls_info);
         }
 
-        #[cfg(all(feature = "default-tls", feature = "__rustls"))]
+        #[cfg(all(feature = "default-tls", feature = "rustls-base"))]
         {
             f.field("tls_backend", &self.tls);
         }

src/blocking/client.rs

@@ -1,4 +1,4 @@
-#[cfg(any(feature = "native-tls", feature = "__rustls",))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
 use std::any::Any;
 use std::convert::TryInto;
 use std::fmt;
@@ -21,7 +21,7 @@ use crate::dns::Resolve;
 use crate::tls;
 #[cfg(feature = "__tls")]
 use crate::Certificate;
-#[cfg(any(feature = "native-tls", feature = "__rustls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
 use crate::Identity;
 use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy};
 
@@ -630,17 +630,17 @@ impl ClientBuilder {
     /// Sets whether to load webpki root certs with rustls.
     ///
     /// If the feature is enabled, this value is `true` by default.
-    #[cfg(feature = "rustls-tls-webpki-roots")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+    #[cfg(feature = "__rustls_roots_webpki")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))]
     pub fn tls_built_in_webpki_certs(self, enabled: bool) -> ClientBuilder {
         self.with_inner(move |inner| inner.tls_built_in_webpki_certs(enabled))
     }
 
     /// Sets whether to load native root certs with rustls.
     ///
     /// If the feature is enabled, this value is `true` by default.
-    #[cfg(feature = "rustls-tls-native-roots")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+    #[cfg(feature = "__rustls_roots_native")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))]
     pub fn tls_built_in_native_certs(self, enabled: bool) -> ClientBuilder {
         self.with_inner(move |inner| inner.tls_built_in_native_certs(enabled))
     }
@@ -651,7 +651,7 @@ impl ClientBuilder {
     ///
     /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
     /// enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn identity(self, identity: Identity) -> ClientBuilder {
         self.with_inner(move |inner| inner.identity(identity))
@@ -795,7 +795,7 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires the optional `rustls-tls(-...)` feature to be enabled.
-    #[cfg(feature = "__rustls")]
+    #[cfg(feature = "rustls-base")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
     pub fn use_rustls_tls(self) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_rustls_tls())
@@ -838,7 +838,7 @@ impl ClientBuilder {
     ///
     /// This requires one of the optional features `native-tls` or
     /// `rustls-tls(-...)` to be enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_preconfigured_tls(tls))