RUST-1083 Add openssl as an optional TLS provider #590
Conversation
|
|
||
| fn init_trust() { | ||
| static ONCE: Once = Once::new(); | ||
| ONCE.call_once(openssl_probe::init_ssl_cert_env_vars); |
There was a problem hiding this comment.
It turns out that openssl finds the local root certs via environment variables; openssl_probe knows where to look for various OSes and sets those appropriately if they're not already set.
Cargo.toml
Outdated
| os_info = { version = "3.0.1", default-features = false } | ||
| percent-encoding = "2.0.0" | ||
| rand = { version = "0.8.3", features = ["small_rng"] } | ||
| rustls-pemfile = "0.2.1" | ||
| rustls-pemfile = "0.2.1" |
There was a problem hiding this comment.
nit: can we revert this extra spacing
src/error.rs
Outdated
| /// Wrapper around [`openssl::ssl::Error`]. | ||
| #[cfg(feature = "openssl-tls")] | ||
| #[error("{0}")] | ||
| OpenSSL(Arc<openssl::ssl::Error>), |
There was a problem hiding this comment.
I think we should be cautious about introducing types from pre-1.0 crates in our public API -- maybe we should implement this similarly to the way we implement our DnsResolve error type (i.e. wrap a to_string call on the error)?
There was a problem hiding this comment.
Good catch, fixed. I folded this into the existing Authentication error type rather than introduce a new one.
|
Please hold off for a bit - looks like I need to figure out how to install openssl on windows. |
abr-egn
force-pushed
the
RUST-1083/openssl-tls
branch
2 times, most recently
from
c87ad16 to
b720535
Compare
|
Okay, good to go. |
abr-egn
force-pushed
the
RUST-1083/openssl-tls
branch
from
3fd7c8e to
623483a
Compare
RUST-1083
This adds the
openssl-tlsfeature, which enables TLS connections via openssl rather than rustls. In service of that, I refactored the TLS-handling code into its own module which is conditionally renamed based on the feature flag, making conditional surface area minimal.Unfortunately, for backwards compatibility rustls can't be made optional, so it's still linked in even when it's not used.
The evergreen auth tests have been updated to run against both TLS crates; in the process of doing that I discovered that the tests previously were ignoring the runtime variable, so I picked that up as well.