Migrate to rustls
#820
Migrate to rustls
#820
Conversation
|
Skipping CI for Draft Pull Request. |
istio-testing
added
do-not-merge/work-in-progress
.cargo/config.toml
Outdated
| @@ -1,5 +1,5 @@ | |||
| [build] | |||
| target-dir = "out/rust" | |||
| [env] | |||
| BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } | |||
| BORING_BSSL_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true } | |||
| BORING_BSSL_FIPS_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } | |||
There was a problem hiding this comment.
| BORING_BSSL_FIPS_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } | |
| BORING_BSSL_FIPS_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } |
Does this also fix: #399 ?
I haven't checked, but one of the minor annoyances before was we couldn't conditionally set this variable in build.rs per-arch/platform, because boring-sys was doing stuff in its own build.rs that both
A) didn't work with vendoring
B) defeated cargo's "recompute" logic making it impossible to override in our build.rs
which means the build has to sed this for multiarch builds, and those of us on linux_arm64 have to locally munge this file constantly.
There was a problem hiding this comment.
I don't think so unless you buid with ring instead of boring which sidesteps the issue
There was a problem hiding this comment.
Oh I forgot a bit part of this - I am proposing we default Istio builds to ring as well.. that decision can be decoupled from the broader PR though
istio-testing
added
the
needs-rebase
|
Big plus 1 for moving to rustls! |
howardjohn
force-pushed
the
tls/rustls
branch
from
fda4e13 to
55e0860
Compare
istio-testing
removed
the
do-not-merge/work-in-progress
howardjohn
force-pushed
the
tls/rustls
branch
from
55e0860 to
30809fb
Compare
istio-testing
removed
the
needs-rebase
howardjohn
force-pushed
the
tls/rustls
branch
2 times, most recently
from
30dfb3d to
d3794a0
Compare
howardjohn
force-pushed
the
tls/rustls
branch
from
6d16bce to
4878635
Compare
| @@ -25,70 +26,78 @@ name = "throughput" | |||
| harness = false | |||
|
|
|||
| [dependencies] | |||
| http-02 = { package = "http", version = "0.2.9" } | |||
| # Enabled with 'tls-boring' | |||
| boring-rustls-provider = { git = "https://github.com/janrueth/boring-rustls-provider", optional = true } # | |||
There was a problem hiding this comment.
Will this repo actively maintained, and who takes charge
There was a problem hiding this comment.
I am working to get this actively maintained (TBD by who). Note this is an off by default feature; the default Istio builds do not use it.
There was a problem hiding this comment.
It has nothing todo with default or not. Every dependency should be actively maintained. So I get it, you own this crate
| @@ -25,70 +26,78 @@ name = "throughput" | |||
| harness = false | |||
|
|
|||
| [dependencies] | |||
| http-02 = { package = "http", version = "0.2.9" } | |||
| # Enabled with 'tls-boring' | |||
| boring-rustls-provider = { git = "https://github.com/janrueth/boring-rustls-provider", optional = true } # | |||
There was a problem hiding this comment.
It has nothing todo with default or not. Every dependency should be actively maintained. So I get it, you own this crate
This PR moves from usage of
boringas a crypto library and TLS library, to usingrustls. Rustls is the standard TLS library in the rust ecosystem.Rustls offers a pluggable crypto interface. There are ~3 providers (2 in core, 1 external): ring, aws_lc_rs, and boring. The latter two provider FIPS certified builds (though I think aws_lc only has in progress builds);
ringhas no FIPS certified builds though I think they are working towards one. In this model, the TLS aspects (which are a large portion of the code involved) are handled purely by rustls's code, written in safe rust. Just the crypto primitives are offloaded to these various libraries (which are all ultimately varying degrees of openssl forks, as I understand it).This offers a few benefits:
Fixes #797
Fixes #641
Helps with #149
Fixes #110