CfT: Test out Rustup's reqwest backend with rustls #3806

Open
2 tasks done
Tracked by #3790
rami3l opened this issue May 4, 2024 · 5 comments
Labels: help wanted, meta

Comments

@rami3l
Member

rami3l commented May 4, 2024

In #3790, we have started an initiative to make reqwest/rustls Rustup's future download/TLS backend combination.

While a maximally-Rust stack might sound exciting, we want to get it tested beforehand to minimize the possibility for you to experience hiccups in production.

If you're using Rustup v1.28+, this should be available for you by default [1]; for Rustup v1.27 and earlier, chances are you can opt in right now by setting the environment variable RUSTUP_USE_RUSTLS=1 [2].

Please feel free to share your experiences below, and many thanks in advance 🙇‍♀️

Note

You can report in this issue the changes that switching to rustls has made to your workflow, so I assume most of them are breakages: what worked before but now doesn’t work with rustls.
Of course, it could also be the opposite, i.e. what didn't work but now works.

If you can’t feel any difference, that’s actually good news for us! Just reacting with 😄 [3] to this message would be perfect in this case :)

Tasks

  1. dependencies

Footnotes

  1. At the time of writing, the only exceptions are powerpc64*, loongarch*, *openbsd* and *illumos*.

  2. Please make sure that RUSTUP_USE_CURL is NOT set, otherwise the curl download backend will be selected; to opt out, just set RUSTUP_USE_RUSTLS=0.

  3. GitHub has recently replaced the emoji with 😂, I have no idea why this is the case 🤷‍♀ No, they have changed it back, never mind :)

rami3l changed the title from "Collect user feedback on the new default" to "Meta: Test out the reqwest backend with rustls" on May 4, 2024
rami3l changed the title from "Meta: Test out the reqwest backend with rustls" to "CfT: Test out the reqwest backend with rustls" on May 4, 2024
@U007D

U007D commented May 4, 2024

LGTM! 👍🏾

@rami3l
Member Author

rami3l commented May 4, 2024

An interesting observation by @llde indicates that this change might be a move in the right direction!

> RUSTUP_USE_RUSTLS=1 seems to be another workaround with last rustup version.

#3689 (comment)

rami3l changed the title from "CfT: Test out the reqwest backend with rustls" to "CfT: Test out Rustup's reqwest backend with rustls" on May 5, 2024
@U007D

U007D commented May 7, 2024

This CfT has been added to TWiR Issue 546.

You may now remove the call-for-testing label. Please feel free to re-add the label if you wish this CfT to appear again in a future issue.

rami3l added the help wanted and meta labels and removed the call-for-testing label on May 7, 2024
@kornelski
Contributor

kornelski commented May 11, 2024

Rustls is completely unusable with the WARP Gateway (a corporate VPN) due to lack of support for p521 signatures.

```
RUSTUP_USE_RUSTLS=1 rustup update
info: syncing channel updates for 'stable-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '~/.rustup/tmp/pnvxaiia4u2hcr_n_file'
info: syncing channel updates for 'nightly-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-nightly.toml.sha256' to '~/.rustup/tmp/ay1l00g5xg91pnuc_file'
info: syncing channel updates for '1.63-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.63.toml.sha256' to '~/.rustup/tmp/0oaqi61f4mgwqa4n_file'
info: syncing channel updates for '1.64-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.64.toml.sha256' to '~/.rustup/tmp/9rhc8csclaotwleh_file'
info: syncing channel updates for '1.65-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.65.toml.sha256' to '~/.rustup/tmp/26d6fm0my9i9sgvg_file'
info: checking for self-update
error: could not download file from 'https://static.rust-lang.org/rustup/release-stable.toml' to '/var/folders/lq/fqqfw_z50v96h8tlkj56c8wc0000gn/T/rustup-update5PMZuE/release-stable.toml'

Caused by:
    0: failed to make network request
    1: error sending request for url (https://static.rust-lang.org/rustup/release-stable.toml): error trying to connect: invalid peer certificate: BadSignature
    2: error trying to connect: invalid peer certificate: BadSignature
    3: invalid peer certificate: BadSignature
```

The curl backend has no problems with it.

@djc
Contributor

djc commented May 11, 2024

@kornelski interesting... So WARP MITMs all connections, and only supports P521 for this? That seems pretty restrictive and a little surprising. Or is this configurable for WARP and does your WARP org require the stronger curve?

https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/ suggests that RSA is supported for custom roots so it doesn't look like P521 is a requirement for the product itself?
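
A way to check locally whether the certificates involved use P-521, the condition the report above ties to the BadSignature error. This is an added example, not code from rustup, rustls or the commenters; the function names cert_report and count_p521 and the file name chain.pem are assumptions, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not rustup or rustls code. To capture the chain your network
# presents for the host in the log above (run on the affected machine):
#   openssl s_client -connect static.rust-lang.org:443 \
#     -servername static.rust-lang.org -showcerts </dev/null >chain.pem

# cert_report FILE
# Prints one line per certificate in a PEM bundle:
#   <index> <curve or "non-EC"> <signature algorithm> <P521|ok>
cert_report() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        i=$((i + 1))
        text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || continue
        # EC keys print "ASN1 OID: <curve>"; RSA and other keys have no such line.
        curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
        sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
        flag=ok
        if [ "$curve" = "secp521r1" ]; then flag=P521; fi
        echo "$i ${curve:-non-EC} $sigalg $flag"
    done
    rm -rf "$tmpdir"
}

# count_p521 FILE: number of certificates in FILE whose public key is on P-521.
count_p521() {
    cert_report "$1" | awk '$NF == "P521" { n++ } END { print n + 0 }'
}
```

Run it against the organisation's inspection root CA file as well, since the root is normally not included in the chain a server sends.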
