-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lack of support for p521 signatures with the ring
-based reqwest/rustls
backend
#3820
Comments
@djc Can we use
I'm still not very familiar to the subject so please feel free to correct me if I'm wrong. |
reqwest/rustls
backendring
-based reqwest/rustls
backend
Yes -- rustls should support P521 since https://github.com/rustls/rustls/releases/tag/v%2F0.22.2 if we switch to aws-lc-rs. |
@djc (A newbie question:) I tried adding [dependencies]
rustls = { version = "0.22", optional = true, default-features = false, features = ["logging", "aws_lc_rs", "tls12"] } ... to our Am I doing anything wrong, or we need to wait for something like seanmonstar/reqwest#2136? |
@kornelski I think we'll be able to use aws-lc-rs but would still be interested in hearing the reasons that it's used! |
@rami3l reqwest allows configuring the ClientBuilder with a pre-built ClientConfig (of the matching Rustls release), so I think we can build a rustls 0.22 ClientConfig and configure reqwest to use this. |
@djc That's the way to do manual resolution at runtime right? Shouldn't there be a way to simply remove |
Unfortunately it doesn't look like that exists in reqwest right now. Let's see if I can move that forward. |
In WARP, the p521 curve has been chosen as the best algorithm with FIPS compliance. The p521 signature is necessary "only" to validate the root CA certificate used by WARP MITM. At the same time this is the hardest thing to change in this setup, so it's very unlikely to be changed anytime soon. |
@kornelski but in terms of impact: this specifically impacts Cloudflare's WARP deployment, right, not the default deployment one would get when setting up WARP for their organization? (I revised seanmonstar/reqwest#2225 yesterday to try to make progress on this.) |
It impacts more than just internal Cloudflare deployment. Customers have an option to upload their own CA cert (which can use any signature algorithm), but if they don't, the default Cloudflare cert is used. I don't have data on how many deployments use the incompatible cert. |
@djc Oops, looks like seanmonstar/reqwest#2225 has been rejected? Should we resolve |
I don't think we'll need to support both aws-lc-rs and ring in rustup. I think we should use reqwest's |
@djc There's still hope that we might remove |
There's a bunch of dead-code elimination at several stages, it's possible that ring stuff gets removed at some point anyway if we avoid using it in practice. |
Update: Actually #3898 is no longer depending on |
@kornelski Would you mind helping us confirm whether #3898 has worked for you? You might be able to download the test builds from https://github.com/rust-lang/rustup/actions/runs/10192459718 (behind GitHub's login wall). |
@rami3l Yes, it works for me with aws_lc_rs. Thank you! |
Originally posted by @kornelski in #3806 (comment)
The text was updated successfully, but these errors were encountered: