feat(tls): upgrade to tokio-rustls 0.23 (rustls 0.20) (#859)

tonic/Cargo.toml

@@ -27,7 +27,7 @@ codegen = ["async-trait"]
 compression = ["flate2"]
 default = ["transport", "codegen", "prost"]
 prost = ["prost1", "prost-derive"]
-tls = ["transport", "tokio-rustls"]
+tls = ["rustls-pemfile", "transport", "tokio-rustls"]
 tls-roots = ["tls-roots-common", "rustls-native-certs"]
 tls-roots-common = ["tls"]
 tls-webpki-roots = ["tls-roots-common", "webpki-roots"]
@@ -79,9 +79,10 @@ tower = {version = "0.4.7", features = ["balance", "buffer", "discover", "limit"
 tracing-futures = {version = "0.2", optional = true}
 
 # rustls
-rustls-native-certs = {version = "0.5", optional = true}
-tokio-rustls = {version = "0.22", optional = true}
-webpki-roots = {version = "0.21.1", optional = true}
+rustls-pemfile = { version = "0.2.1", optional = true }
+rustls-native-certs = { version = "0.6.1", optional = true }
+tokio-rustls = { version = "0.23.1", optional = true }
+webpki-roots = { version = "0.22.1", optional = true }
 
 # compression
 flate2 = {version = "1.0", optional = true}

tonic/src/transport/channel/tls.rs

@@ -14,7 +14,6 @@ pub struct ClientTlsConfig {
  domain: Option<String>,
  cert: Option<Certificate>,
  identity: Option<Identity>,
- rustls_raw: Option<tokio_rustls::rustls::ClientConfig>,
 }
 
 #[cfg(feature = "tls")]
@@ -36,7 +35,6 @@ impl ClientTlsConfig {
  domain: None,
  cert: None,
  identity: None,
- rustls_raw: None,
  }
  }
 
@@ -49,8 +47,6 @@ impl ClientTlsConfig {
  }
 
  /// Sets the CA Certificate against which to verify the server's TLS certificate.
- ///
- /// This has no effect if `rustls_client_config` is used to configure Rustls.
  pub fn ca_certificate(self, ca_certificate: Certificate) -> Self {
  ClientTlsConfig {
  cert: Some(ca_certificate),
@@ -59,35 +55,18 @@ impl ClientTlsConfig {
  }
 
  /// Sets the client identity to present to the server.
- ///
- /// This has no effect if `rustls_client_config` is used to configure Rustls.
  pub fn identity(self, identity: Identity) -> Self {
  ClientTlsConfig {
  identity: Some(identity),
  ..self
  }
  }
 
- /// Use options specified by the given `ClientConfig` to configure TLS.
- ///
- /// This overrides all other TLS options set via other means.
- pub fn rustls_client_config(self, config: tokio_rustls::rustls::ClientConfig) -> Self {
- ClientTlsConfig {
- rustls_raw: Some(config),
- ..self
- }
- }
-
  pub(crate) fn tls_connector(&self, uri: Uri) -> Result<TlsConnector, crate::Error> {
  let domain = match &self.domain {
  None => uri.host().ok_or_else(Error::new_invalid_uri)?.to_string(),
  Some(domain) => domain.clone(),
  };
- match &self.rustls_raw {
- None => {
- TlsConnector::new_with_rustls_cert(self.cert.clone(), self.identity.clone(), domain)
- }
- Some(c) => TlsConnector::new_with_rustls_raw(c.clone(), domain),
- }
+ TlsConnector::new(self.cert.clone(), self.identity.clone(), domain)
  }
 }

tonic/src/transport/server/conn.rs

@@ -7,7 +7,7 @@ use crate::transport::Certificate;
 #[cfg(feature = "tls")]
 use std::sync::Arc;
 #[cfg(feature = "tls")]
-use tokio_rustls::{rustls::Session, server::TlsStream};
+use tokio_rustls::server::TlsStream;
 
 /// Trait that connected IO resources implement and use to produce info about the connection.
 ///
@@ -115,10 +115,10 @@ where
  let (inner, session) = self.get_ref();
  let inner = inner.connect_info();
 
- let certs = if let Some(certs) = session.get_peer_certificates() {
+ let certs = if let Some(certs) = session.peer_certificates() {
  let certs = certs
  .into_iter()
- .map(|c| Certificate::from_pem(c.0))
+ .map(|c| Certificate::from_pem(c))
  .collect();
  Some(Arc::new(certs))
  } else {

tonic/src/transport/server/tls.rs

@@ -11,7 +11,6 @@ use std::fmt;
 pub struct ServerTlsConfig {
  identity: Option<Identity>,
  client_ca_root: Option<Certificate>,
- rustls_raw: Option<tokio_rustls::rustls::ServerConfig>,
 }
 
 #[cfg(feature = "tls")]
@@ -28,7 +27,6 @@ impl ServerTlsConfig {
  ServerTlsConfig {
  identity: None,
  client_ca_root: None,
- rustls_raw: None,
  }
  }
 
@@ -48,24 +46,7 @@ impl ServerTlsConfig {
  }
  }
 
- /// Use options specified by the given `ServerConfig` to configure TLS.
- ///
- /// This overrides all other TLS options set via other means.
- pub fn rustls_server_config(
- &mut self,
- config: tokio_rustls::rustls::ServerConfig,
- ) -> &mut Self {
- self.rustls_raw = Some(config);
- self
- }
-
  pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::Error> {
- match &self.rustls_raw {
- None => TlsAcceptor::new_with_rustls_identity(
- self.identity.clone().unwrap(),
- self.client_ca_root.clone(),
- ),
- Some(config) => TlsAcceptor::new_with_rustls_raw(config.clone()),
- }
+ TlsAcceptor::new(self.identity.clone().unwrap(), self.client_ca_root.clone())
  }
 }

tonic/src/transport/service/connector.rs

@@ -3,6 +3,8 @@ use super::io::BoxedIo;
 #[cfg(feature = "tls")]
 use super::tls::TlsConnector;
 use http::Uri;
+#[cfg(feature = "tls-roots-common")]
+use std::convert::TryInto;
 use std::task::{Context, Poll};
 use tower::make::MakeConnection;
 use tower_service::Service;
@@ -39,22 +41,18 @@ impl<C> Connector<C> {
 
  #[cfg(feature = "tls-roots-common")]
  fn tls_or_default(&self, scheme: Option<&str>, host: Option<&str>) -> Option<TlsConnector> {
- use tokio_rustls::webpki::DNSNameRef;
-
  if self.tls.is_some() {
  return self.tls.clone();
  }
 
- match (scheme, host) {
- (Some("https"), Some(host)) => {
- if DNSNameRef::try_from_ascii(host.as_bytes()).is_ok() {
- TlsConnector::new_with_rustls_cert(None, None, host.to_owned()).ok()
- } else {
- None
- }
- }
- _ => None,
- }
+ let host = match (scheme, host) {
+ (Some("https"), Some(host)) => host,
+ _ => return None,
+ };
+
+ host.try_into()
+ .ok()
+ .and_then(|dns| TlsConnector::new(None, None, dns).ok())
  }
 }