
deps: update rustls v0.20.1 -> v0.21.0 #1791

Merged
merged 1 commit into from
May 16, 2023


cpu
Contributor

@cpu cpu commented Mar 24, 2023

Description

This commit updates reqwest to use rustls 0.21.0, both as a direct dependency and through an update of tokio-rustls to 0.24.0, hyper-rustls to 0.24.0, quinn 0.10.0, and h3-quinn to 0.0.3.

One change is required in the reqwest codebase to adjust the import location of the DigitallySignedStruct type.

Remaining work

@seanmonstar
Owner

As a side note, part of my point of making h3 "experimental" is specifically so we can update rustls if need be, and "break" the h3 code for a time. At the same time, if the upgrade isn't urgent, it'd be kinder to keep the h3 stuff from being turned off.

@cpu
Contributor Author

cpu commented Mar 27, 2023

> At the same time, if the upgrade isn't urgent, it'd be kinder to keep the h3 stuff from being turned off.

I don't think there's a particularly pressing need (e.g. a security issue), but the upcoming Rustls release will bring IP address subject support and there's been a lot of user demand for that feature. I don't know if that sways your opinion one way or the other :-)

My motivation for looking at this was to ensure rustls-platform-verifier would be ready to go when the release is available, and it takes a dev-dependency on Reqwest to test that it's compatible with the Reqwest builder use_preconfigured_tls option. Like the docs mention, it's brittle with Rustls version updates requiring that both reqwest and rustls-platform-verifier be in lockstep. I've used this branch to shake out bugs but we won't be able to merge that work in the current state since it depends on this patched up Reqwest.

@cpu cpu force-pushed the cpu-rustls-0.21.0-prep branch 2 times, most recently from 9be5652 to 3fe7e81 Compare March 29, 2023 20:28
@seanmonstar
Owner

FWIW, the h3-quinn crate was just able to update to quinn 0.9, at least.

@cpu
Contributor Author

cpu commented Mar 30, 2023

Excellent news! Thanks for sharing. The quinn update is approved and awaiting merge. I'm close to having the tokio-rustls and hyper-rustls dependencies ready. I will rebase this branch shortly.

@cpu cpu force-pushed the cpu-rustls-0.21.0-prep branch 5 times, most recently from 3f5109e to 3f5c4e8 Compare April 3, 2023 13:13
@fredrik-jansson-se

Yay, looking forward to this as I want to migrate to rustls and need the ip address feature.

@marziply

marziply commented Apr 4, 2023

> Yay, looking forward to this as I want to migrate to rustls and need the ip address feature.

I'm in the same boat. The IP address feature is a blocker on a feature I am currently working on so I'm really keen to upgrade Reqwest when Rustls is bumped to v0.21.

@cpu
Contributor Author

cpu commented May 11, 2023

@seanmonstar The Quinn project cut a 0.10 release and I've opened a PR against h3 to update Quinn/Rustls there as well: hyperium/h3#190

For the time being I've put a patch in to use my h3 PR branch. We can either wait for the h3 update to percolate out to merge this or I could drop the patch and we could merge without and break the experimental h3 support.

@Ruben2424

I just published h3-quinn v0.0.3 with your changes.

This commit updates reqwest to use rustls 0.21.0, both as a direct
dependency and through an update of tokio-rustls to 0.24.0,
hyper-rustls to 0.24.0, quinn 0.10.0, and h3-quinn to 0.0.3.

One change is required in the reqwest codebase to adjust the import
location of the `DigitallySignedStruct` type.
@cpu cpu changed the title WIP: deps: update rustls v0.20.1 -> v0.21.0 deps: update rustls v0.20.1 -> v0.21.0 May 16, 2023
@cpu
Contributor Author

cpu commented May 16, 2023

> I just published h3-quinn v0.0.3 with your changes.

Thanks!

I've removed the h3/h3-quinn Cargo patches and rebased. CI seems happy and the cargo tree is only showing Rustls 0.21.0 🎉 🔒

This branch should be ready for review now.

Owner

@seanmonstar seanmonstar left a comment


The changes here are nice and clean, all the work was upstream. Thanks!

@seanmonstar seanmonstar enabled auto-merge (squash) May 16, 2023 20:23
@seanmonstar seanmonstar merged commit a0b5ea5 into seanmonstar:master May 16, 2023
31 checks passed
@cpu cpu deleted the cpu-rustls-0.21.0-prep branch May 16, 2023 20:33
@bartlomieju

@seanmonstar can we expect a new reqwest release with this change soon? It's the last blocker for us in Deno to upgrade ourselves to rustls 0.21.0 and I've been waiting eagerly for this PR to land. Thanks for all the work!

@seanmonstar
Owner

yes, preparing in #1834

@complexspaces
Contributor

I've followed up these changes with #1835, which updates webpki-roots so that the version of webpki it uses matches the version the updated hyper-rustls crate (optionally) uses to prevent duplication in downstream user dependency trees.
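
An added example, not code from this pull request or from reqwest: a std-only Rust check that scans a `Cargo.lock` for crates resolved to more than one version, which is the duplication the comment above avoids and the rustls lockstep problem raised earlier in the thread. The lockfile text and the function names are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed sample lockfile (not taken from the reqwest repository).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rustls"
version = "0.20.1"

[[package]]
name = "rustls"
version = "0.21.0"

[[package]]
name = "tokio-rustls"
version = "0.24.0"
"#;

/// Extract the value from a `key = "value"` line, if the line has that key.
fn string_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Return every crate name that the lockfile resolves to more than one version.
fn duplicate_versions(lockfile: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut seen: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let (mut in_package, mut name) = (false, None);
    for line in lockfile.lines().map(str::trim) {
        if line.starts_with('[') {
            // Only [[package]] tables carry the name/version pairs we want.
            in_package = line == "[[package]]";
            name = None;
        } else if !in_package {
            continue;
        } else if let Some(n) = string_value(line, "name") {
            name = Some(n);
        } else if let (Some(v), Some(n)) = (string_value(line, "version"), name.clone()) {
            seen.entry(n).or_default().insert(v);
        }
    }
    seen.retain(|_, versions| versions.len() > 1);
    seen
}

fn main() {
    for (krate, versions) in duplicate_versions(SAMPLE_LOCK) {
        println!("{krate} resolves to multiple versions: {versions:?}");
    }
}
```

Run against a real lockfile in CI, a non-empty result for `rustls` or `webpki` means two TLS stacks are being compiled in, and types passed between them (as with `use_preconfigured_tls`) will not match.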

kodiakhq bot pushed a commit to pdylanross/fatigue that referenced this pull request May 17, 2023
Bumps reqwest from 0.11.17 to 0.11.18.

Release notes
Sourced from reqwest's releases.

v0.11.18
What's Changed

Fix RequestBuilder::json() method from overriding a previously set content-type header. An existing value will be left in place.
Upgrade internal dependencies for rustls and compression.

New Contributors

@flyingalex made their first contribution in seanmonstar/reqwest#1833
@cpu made their first contribution in seanmonstar/reqwest#1791




Changelog
Sourced from reqwest's changelog.

v0.11.18

Fix RequestBuilder::json() method from overriding a previously set content-type header. An existing value will be left in place.
Upgrade internal dependencies for rustls and compression.




Commits

00be85e v0.11.18
a0b5ea5 deps: update rustls v0.20.1 -> v0.21.0 (#1791)
b13ca4b bug: fix custom content-type overidden by json method (#1833)
eca2a2f CI: Enable dependabot for GitHub Action Workflow (#1831)
9de702c Speedup CI (#1830)
7e7b116 deps: Update async-compression v0.3.13 => v0.4.0 (#1828)
See full diff in compare view




@aviramha

Yay!


8 participants