From 512f220f42ae3aa37536db734717998dcb128063 Mon Sep 17 00:00:00 2001
From: Satyam Singh
Date: Wed, 28 Sep 2022 19:19:47 +0530
Subject: [PATCH] Use rustls instead of openssl

Use rustls instead of openssl. This involves switching out openssl feature for rustls in actix web. This commit introduces no addtional breaking changes in how keys are registered with actix, so they should work as before.
---
 server/Cargo.toml | 5 +++--
 server/src/main.rs | 39 +++++++++++++++++++++++++++++++--------
 2 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/server/Cargo.toml b/server/Cargo.toml
index cdb125071..90b2c40aa 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -10,7 +10,7 @@ categories = ["olap", "analytics-store"]
 
 [dependencies]
 actix-web-httpauth = "0.6"
-actix-web = { version = "4.1", features = ["openssl"] }
+actix-web = { version = "4.1", features = ["rustls"] }
 actix-cors = "0.6"
 actix-files = "0.6.1"
 anyhow = { version = "1.0.43", features = ["backtrace"] }
@@ -30,10 +30,11 @@ http = "0.2.4"
 lazy_static = "1.4.0"
 log = "0.4.14"
 num_cpus = "1.0.0"
-openssl = { version = "0.10" }
 os_info = "3.0.7"
 hostname = "0.3"
 rand = "0.8.4"
+rustls = "0.20.6"
+rustls-pemfile = "1.0.1"
 rust-flatten-json = "0.2.0"
 semver = "1.0.14"
 serde = "^1.0.8"
diff --git a/server/src/main.rs b/server/src/main.rs
index 3730b3b2f..cd5df458d 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
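Review bot: The new `rustls = "0.20.6"` line is silently coupled to the rustls version behind actix-web's `rustls` feature, because the `ServerConfig` built in main.rs is passed directly to `bind_rustls`; both entries are caret ranges, so a later actix-web 4.x that moves that feature to a different rustls major would surface as a type mismatch in main.rs rather than at the dependency. A comment next to the line would make the constraint visible to whoever bumps either crate: `# must be the same rustls major as actix-web's "rustls" feature (ServerConfig is handed to bind_rustls)`. The same applies to `rustls-pemfile`, whose `Certificate`/`PrivateKey` byte vectors are only valid for that rustls line.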
@@ -26,12 +26,14 @@ use chrono::{DateTime, NaiveDateTime, Timelike, Utc}; use clokwerk::{AsyncScheduler, Scheduler, TimeUnits}; use filetime::FileTime; use log::warn; -use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; +use rustls::{Certificate, PrivateKey, ServerConfig}; +use rustls_pemfile::{certs, pkcs8_private_keys}; use thread_priority::{ThreadBuilder, ThreadPriority}; include!(concat!(env!("OUT_DIR"), "/generated.rs")); -use std::fs; +use std::fs::{self, File}; +use std::io::BufReader; use std::panic::{catch_unwind, AssertUnwindSafe}; use std::path::Path; use std::thread::{self, JoinHandle}; 
@@ -274,19 +276,40 @@ async fn run_http() -> anyhow::Result<()> { &CONFIG.parseable.tls_key_path, ) { (Some(cert), Some(key)) => { - let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; - builder.set_private_key_file(key, SslFiletype::PEM)?; - builder.set_certificate_chain_file(cert)?; - Some(builder) + // init server config builder with safe defaults + let config = ServerConfig::builder() + .with_safe_defaults() + .with_no_client_auth(); + + // load TLS key/cert files + let cert_file = &mut BufReader::new(File::open(cert)?); + let key_file = &mut BufReader::new(File::open(key)?); + + // convert files to key/cert objects + let cert_chain = certs(cert_file)?.into_iter().map(Certificate).collect(); + + let mut keys: Vec = pkcs8_private_keys(key_file)? + .into_iter() + .map(PrivateKey) + .collect(); + + // exit if no keys could be parsed + if keys.is_empty() { + anyhow::bail!("Could not locate PKCS 8 private keys."); + } + + let server_config = config.with_single_cert(cert_chain, keys.remove(0))?; + + Some(server_config) } (_, _) => None, }; // concurrent workers equal to number of cores on the cpu let http_server = HttpServer::new(move || create_app!()).workers(num_cpus::get()); - if let Some(builder) = ssl_acceptor { + if let Some(config) = ssl_acceptor { http_server - .bind_openssl(&CONFIG.parseable.address, builder)? + .bind_rustls(&CONFIG.parseable.address, config)? .run() .await?; } else {
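Review bot: Only PKCS#8 keys are accepted by the new key-loading block: `pkcs8_private_keys(key_file)?` skips `RSA PRIVATE KEY` (PKCS#1) and `EC PRIVATE KEY` (SEC1) PEM blocks, so a deployment whose `tls_key_path` holds one of those — which the removed `set_private_key_file(key, SslFiletype::PEM)` accepted — now fails at the `anyhow::bail!`, contrary to the commit message's claim of no change in how keys are registered. A fallback to `rustls_pemfile::rsa_private_keys` on a reopened reader restores PKCS#1 support (the function needs adding to the `use rustls_pemfile` line in the earlier hunk); whether rustls-pemfile 1.0.1 also exposes an EC variant should be checked before relying on one. The rendered `let mut keys: Vec = ...` has presumably lost its `<PrivateKey>` generic in extraction. `run_http` starts before and continues after this hunk.
```rust
// rustls-pemfile yields one key encoding per call; try PKCS#8 first, then
// PKCS#1, which the previous openssl PEM loader also accepted.
let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)?
    .into_iter()
    .map(PrivateKey)
    .collect();
if keys.is_empty() {
    // the first pass consumed the reader, so reopen the file
    let key_file = &mut BufReader::new(File::open(key)?);
    keys = rsa_private_keys(key_file)?.into_iter().map(PrivateKey).collect();
}

// exit if no keys could be parsed
if keys.is_empty() {
    anyhow::bail!("Could not locate a PKCS 8 or PKCS 1 private key.");
}
// … unchanged: with_single_cert and the rest of run_http …
```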