feat(tls): upgrade to tokio-rustls 0.23 (rustls 0.20) (#859)

Author: djc

tonic/Cargo.toml

@@ -27,7 +27,7 @@ codegen = ["async-trait"]
 compression = ["flate2"]
 default = ["transport", "codegen", "prost"]
 prost = ["prost1", "prost-derive"]
-tls = ["transport", "tokio-rustls"]
+tls = ["rustls-pemfile", "transport", "tokio-rustls"]
 tls-roots = ["tls-roots-common", "rustls-native-certs"]
 tls-roots-common = ["tls"]
 tls-webpki-roots = ["tls-roots-common", "webpki-roots"]
@@ -79,9 +79,10 @@ tower = {version = "0.4.7", features = ["balance", "buffer", "discover", "limit"
 tracing-futures = {version = "0.2", optional = true}
 
 # rustls
-rustls-native-certs = {version = "0.5", optional = true}
-tokio-rustls = {version = "0.22", optional = true}
-webpki-roots = {version = "0.21.1", optional = true}
+rustls-pemfile = { version = "0.2.1", optional = true }
+rustls-native-certs = { version = "0.6.1", optional = true }
+tokio-rustls = { version = "0.23.1", optional = true }
+webpki-roots = { version = "0.22.1", optional = true }
 
 # compression
 flate2 = {version = "1.0", optional = true}

tonic/src/transport/channel/tls.rs

@@ -14,7 +14,6 @@ pub struct ClientTlsConfig {
     domain: Option<String>,
     cert: Option<Certificate>,
     identity: Option<Identity>,
-    rustls_raw: Option<tokio_rustls::rustls::ClientConfig>,
 }
 
 #[cfg(feature = "tls")]
@@ -36,7 +35,6 @@ impl ClientTlsConfig {
             domain: None,
             cert: None,
             identity: None,
-            rustls_raw: None,
         }
     }
 
@@ -49,8 +47,6 @@ impl ClientTlsConfig {
     }
 
     /// Sets the CA Certificate against which to verify the server's TLS certificate.
-    ///
-    /// This has no effect if `rustls_client_config` is used to configure Rustls.
     pub fn ca_certificate(self, ca_certificate: Certificate) -> Self {
         ClientTlsConfig {
             cert: Some(ca_certificate),
@@ -59,35 +55,18 @@ impl ClientTlsConfig {
     }
 
     /// Sets the client identity to present to the server.
-    ///
-    /// This has no effect if `rustls_client_config` is used to configure Rustls.
     pub fn identity(self, identity: Identity) -> Self {
         ClientTlsConfig {
             identity: Some(identity),
             ..self
         }
     }
 
-    /// Use options specified by the given `ClientConfig` to configure TLS.
-    ///
-    /// This overrides all other TLS options set via other means.
-    pub fn rustls_client_config(self, config: tokio_rustls::rustls::ClientConfig) -> Self {
-        ClientTlsConfig {
-            rustls_raw: Some(config),
-            ..self
-        }
-    }
-
     pub(crate) fn tls_connector(&self, uri: Uri) -> Result<TlsConnector, crate::Error> {
         let domain = match &self.domain {
             None => uri.host().ok_or_else(Error::new_invalid_uri)?.to_string(),
             Some(domain) => domain.clone(),
         };
-        match &self.rustls_raw {
-            None => {
-                TlsConnector::new_with_rustls_cert(self.cert.clone(), self.identity.clone(), domain)
-            }
-            Some(c) => TlsConnector::new_with_rustls_raw(c.clone(), domain),
-        }
+        TlsConnector::new(self.cert.clone(), self.identity.clone(), domain)
     }
 }

tonic/src/transport/server/conn.rs

@@ -7,7 +7,7 @@ use crate::transport::Certificate;
 #[cfg(feature = "tls")]
 use std::sync::Arc;
 #[cfg(feature = "tls")]
-use tokio_rustls::{rustls::Session, server::TlsStream};
+use tokio_rustls::server::TlsStream;
 
 /// Trait that connected IO resources implement and use to produce info about the connection.
 ///
@@ -115,10 +115,10 @@ where
         let (inner, session) = self.get_ref();
         let inner = inner.connect_info();
 
-        let certs = if let Some(certs) = session.get_peer_certificates() {
+        let certs = if let Some(certs) = session.peer_certificates() {
             let certs = certs
                 .into_iter()
-                .map(|c| Certificate::from_pem(c.0))
+                .map(|c| Certificate::from_pem(c))
                 .collect();
             Some(Arc::new(certs))
         } else {

tonic/src/transport/server/tls.rs

@@ -11,7 +11,6 @@ use std::fmt;
 pub struct ServerTlsConfig {
     identity: Option<Identity>,
     client_ca_root: Option<Certificate>,
-    rustls_raw: Option<tokio_rustls::rustls::ServerConfig>,
 }
 
 #[cfg(feature = "tls")]
@@ -28,7 +27,6 @@ impl ServerTlsConfig {
         ServerTlsConfig {
             identity: None,
             client_ca_root: None,
-            rustls_raw: None,
         }
     }
 
@@ -48,24 +46,7 @@ impl ServerTlsConfig {
         }
     }
 
-    /// Use options specified by the given `ServerConfig` to configure TLS.
-    ///
-    /// This overrides all other TLS options set via other means.
-    pub fn rustls_server_config(
-        &mut self,
-        config: tokio_rustls::rustls::ServerConfig,
-    ) -> &mut Self {
-        self.rustls_raw = Some(config);
-        self
-    }
-
     pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::Error> {
-        match &self.rustls_raw {
-            None => TlsAcceptor::new_with_rustls_identity(
-                self.identity.clone().unwrap(),
-                self.client_ca_root.clone(),
-            ),
-            Some(config) => TlsAcceptor::new_with_rustls_raw(config.clone()),
-        }
+        TlsAcceptor::new(self.identity.clone().unwrap(), self.client_ca_root.clone())
     }
 }

tonic/src/transport/service/connector.rs

@@ -3,6 +3,8 @@ use super::io::BoxedIo;
 #[cfg(feature = "tls")]
 use super::tls::TlsConnector;
 use http::Uri;
+#[cfg(feature = "tls-roots-common")]
+use std::convert::TryInto;
 use std::task::{Context, Poll};
 use tower::make::MakeConnection;
 use tower_service::Service;
@@ -39,22 +41,18 @@ impl<C> Connector<C> {
 
     #[cfg(feature = "tls-roots-common")]
     fn tls_or_default(&self, scheme: Option<&str>, host: Option<&str>) -> Option<TlsConnector> {
-        use tokio_rustls::webpki::DNSNameRef;
-
         if self.tls.is_some() {
             return self.tls.clone();
         }
 
-        match (scheme, host) {
-            (Some("https"), Some(host)) => {
-                if DNSNameRef::try_from_ascii(host.as_bytes()).is_ok() {
-                    TlsConnector::new_with_rustls_cert(None, None, host.to_owned()).ok()
-                } else {
-                    None
-                }
-            }
-            _ => None,
-        }
+        let host = match (scheme, host) {
+            (Some("https"), Some(host)) => host,
+            _ => return None,
+        };
+
+        host.try_into()
+            .ok()
+            .and_then(|dns| TlsConnector::new(None, None, dns).ok())
     }
 }