feat(tls): Remove tls roots implicit configuration #1731
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tottoto
changed the title
tottoto
changed the title
|
Mentioned this on Discord, just repeating it here so it doesn't get lost: why do you want to remove the TLS roots features? In #1724 you didn't want to require the caller to have to depend on rustls-pemfile directly, so this seems to be reasoning in the opposite direction. |
|
They share the same philosophy of increasing the user's freedom of configuration without compromising ease of use as much as possible, and reducing the overall complexity of tonic to lower maintenance costs. Considering that using PEM encoded certificate files when using tls is a typical use case, I think it is a redundant interface to leave the user to make that conversion as web framework. Removing tls roots and adding interfaces to add them (in exchage for increasing internal These are intended to balance easiness to use, configurability, and tonic's maintenance costs. |
|
I am okay with adding the ability to use your own CA certs but I like that idea that we provide the ability to just work with either the system or webpki root certs. I think removing this kinda makes it more tough for users. If they want more flexibility they should be using their own customer connector imo. |
|
hyper-rustls offers high-level APIs to use rustls-platform-verifier, rustls-native-certs and webpki-roots. Maybe we can reuse that code here? (I forget if tonic can build on hyper-rustls or whether there's some reason it needs to work with tokio-rustls directly.) |
|
probably legacy stuff, though I am inclined to not change this code that much. We have a new transport on the way anyways. |
tottoto
force-pushed
the
remove-tls-webpki-roots-and-tls-roots-feature
branch
from
a575f87 to
9bdf3a9
Compare
tottoto
changed the title
|
Instead of removing these features, added options to enable tls roots, and removes the implicit configuration of them. I think this change simplifies the implementation with keeping the user friendly features. |
djc
approved these changes
Jun 21, 2024
|
This makes sense to me. |
|
Would've been nice to mark this as a breaking change. Was confused that I could not connect after bumping tonic. |
5 tasks
aelesbao
added a commit
to archway-network/arch3.rs
that referenced
this pull request
Nov 2, 2024
The implicit TLS roots configuration [was removed](hyperium/tonic#1731) on `tonic` `v0.12.0`.
vigneshs-12
pushed a commit
to vigneshs-12/tonic
that referenced
this pull request
Apr 11, 2025
PR hyperium#1866 fixed the breaking change introduced in hyperium#1731, but resets the `tls_config` instead of adding the tls roots to existing config. This patch resolves the regression and also restores expected behaviour.
vigneshs-12
pushed a commit
to vigneshs-12/tonic
that referenced
this pull request
Apr 11, 2025
PR hyperium#1866 fixed the breaking change introduced in hyperium#1731, but resets the TLS config without checking if `tls` is set. This patch resolves the regression and restores expected behaviour.
github-merge-queue bot
pushed a commit
to astriaorg/astria
that referenced
this pull request
Apr 30, 2025
## Summary Add explicit TLS config for conductor when the sequencer url is https ## Background Tonic [removed implicit TLS configs](hyperium/tonic#1731) in v0.12.0 which now causes TLS errors when conductor tries to connect to a remote sequencer network over TLS.
github-merge-queue bot
pushed a commit
to astriaorg/astria
that referenced
this pull request
Apr 30, 2025
## Summary Add explicit TLS config for conductor when the sequencer url is https ## Background Tonic [removed implicit TLS configs](hyperium/tonic#1731) in v0.12.0 which now causes TLS errors when conductor tries to connect to a remote sequencer network over TLS.
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 1, 2025
* fix: tls config overwrite in endpoint PR #1866 fixed the breaking change introduced in #1731, but resets the TLS config without checking if `tls` is set. This patch resolves the regression and restores expected behaviour. * fix: cargo fmt whitespace check --------- Co-authored-by: vigneshwar.sm <[email protected]> Co-authored-by: Lucio Franco <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 6, 2025
* Add From<T> for Response<T> (#1064) Co-authored-by: tottoto <[email protected]> * chore: Add getrandom and wasi crate to cargo-deny skip config (#2169) * chore(examples): Update to rand 0.9 (#2168) * chore(interop): Replace repeat and take with repeat_n (#2170) * Update LICENSE (#2167) * chore(transport): Update url to http crate document (#2173) * chore: Refactor redundant pattern match (#2174) * chore(transport): Remove redundant type reconstruct (#2176) * chore: Update to strum 0.27 (#2180) * feat: optional `SSLKEYLOGFILE` support (#1539) Add a `use_key_log` option to server and client TLS configs that -- when set -- will enable rustls's `SSLKEYLOGFILE` handling. This is helpful when you want to intercept TLS traffic for debugging and is generally supported by many libraries and browsers. Also see: https://wiki.wireshark.org/TLS#using-the-pre-master-secret * chore: Remove html_root_url (#2184) * chore: Remove unused mutability (#2183) * chore: Update generated code (#2222) * chore: Update cargo-deny config (#2210) * chore: Add rustix and linux-raw-sys crate to cargo-deny skip config * chore: Ignore RUSTSEC-2024-0436 * Remove unnecessary mut (#2219) * remove unnecessary mut * remove unnecessary mut for health_reporter --------- Co-authored-by: tottoto <[email protected]> * chore: fix some comments (#2224) Signed-off-by: jimmycathy <[email protected]> Co-authored-by: tottoto <[email protected]> * feat: Allow convert i32 to Code in const context (#2195) * chore: Disable unused tower feature (#2196) * chore(router): Remove unnecessary body type converting (#2214) * chore(server): Use standard library pin macro (#2212) * chore(build): Use idiomatic api (#2211) * feat(tonic): Exclude benches-disabled to remove Apache-2.0 resource (#2204) * chore(ci): Add concurrency group to cancel old ci (#2202) * chore(test): Use library crate in test (#2201) * chore: Remove unused rand crate from dev-dependencies (#2198) * chore: Remove documentation config in manifest (#2193) * chore(test): Remove unnecessary macro_use (#2200) * feat: Add proto header to generated code (#2205) * chore(router): Use upstream poll_ready to implement service (#2215) * feat(router): Use infallible as error type (#2232) * chore: Remove unnecessary license file from private crate (#2203) * chore: update changelog to point to releases (#2235) * chore: fix changelog header * chore(server): Remove import sleep and pending function (#2234) * chore(server): Refactor default http2 keepalive timeout config (#2213) * chore: Remove unnecessary docs.rs config (#2223) * feat(transport): add support for uds, unix domain socket (#2218) * feat(transport): add support for uds, unix domain socket (#2218) Previously the uds support lives as an example in the `example/src/uds` folder. Endpoint is refactored to support multiple endpoint types, including Uri and Uds. The supported unix domain socket URI follows RFC-3986 which is aligned with the gRPC naming convention. - unix:relative_path - unix:///absolute_path References: - https://datatracker.ietf.org/doc/html/rfc3986 - https://github.com/grpc/grpc/blob/master/doc/naming.md * fix feature flag error * fix windows build * fix windows build 2 * fix windows build 3 * fix windows build 4 * fix windows build 5 --------- Co-authored-by: Lucio Franco <[email protected]> * Handle stream error correctly (#2199) Co-authored-by: Lucio Franco <[email protected]> * chore: Remove resolved cargo-deny config (#2230) * Create place for grpc crate and initial contents (#2192) * Create place for grpc crate and initial contents * Cargo.toml fixes * clippy * clippy 2 * 3 * grpc-web: relax bounds for inner service's response body (#2245) * grpc-web: relax bounds for inner service's response body * address feedback * chore(test): Allow clippy::doc_overindented_list_items lint in generated code (#2246) * chore(test): Update to rand 0.9 (#2236) * chore(router): Remove unnecessary type converting (#2237) * chore(ci): Update to nightly-2025-03-27 on udeps ci (#2242) * chore(codegen): Update to protox 0.8 (#2254) * chore(ci): Remove deny job (#2255) Removing the deny ci job it has become more of a pain to manage than actually helpful. * feat: preserve request user-agent (#2250) Co-authored-by: Lucio Franco <[email protected]> * feat(server): Add method to get local addr to TcpIncoming (#2233) * feat: expose Status as a Response extension (#2145) Co-authored-by: Lucio Franco <[email protected]> * chore(server): Remove unnecessary await service ready (#2258) * chore: Use symbolic link for license file (#2241) * chore: Use inline format argument (#2260) * chore: Add `flake.nix` (#2261) * chore: Fix interop test certs (#2262) * chore: Fix interop test certs * fix bash script: * fix: tls config overwrite in endpoint (#2252) * fix: tls config overwrite in endpoint PR #1866 fixed the breaking change introduced in #1731, but resets the TLS config without checking if `tls` is set. This patch resolves the regression and restores expected behaviour. * fix: cargo fmt whitespace check --------- Co-authored-by: vigneshwar.sm <[email protected]> Co-authored-by: Lucio Franco <[email protected]> * chore(tonic-bench): Fix failing bench (#2207) Co-authored-by: Lucio Franco <[email protected]> * feat: expose creation of HealthService and HealthReporter (#2251) * Expose creation of HealthService and HealthReporter * add default impl for HealthReporter * [spr] initial version (#2264) Created using spr 1.3.6-beta.1 * Revert "[spr] initial version (#2264)" (#2265) * chore: Prepare `v0.13.1` release Reviewers: Pull Request: #2266 --------- Signed-off-by: jimmycathy <[email protected]> Co-authored-by: Amr Hassan <[email protected]> Co-authored-by: tottoto <[email protected]> Co-authored-by: Maxim Evtush <[email protected]> Co-authored-by: Marco Neumann <[email protected]> Co-authored-by: DAKAI, TZOU <[email protected]> Co-authored-by: jimmycathy <[email protected]> Co-authored-by: Adam Basfop Cavendish <[email protected]> Co-authored-by: Jakub Łabor <[email protected]> Co-authored-by: Doug Fawley <[email protected]> Co-authored-by: Brandon Williams <[email protected]> Co-authored-by: Darren Bolduc <[email protected]> Co-authored-by: Ferenc Tamás <[email protected]> Co-authored-by: Vigneshwar S <[email protected]> Co-authored-by: vigneshwar.sm <[email protected]> Co-authored-by: Rafael RL <[email protected]> Co-authored-by: Leon Hartley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds ability to add CA certificates and removes
tls-webpki-rootsandtls-rootsfeatures.