New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: Upgrade to rustls 0.22 and don't use its default-features #2136
Comments
Does it work with default features disabled? What happens if we do that? |
If the feature is disabled then there is no It seems All of which induce a lot of breaking changes for us, but could possible be mitigated when passed on to user facing API. |
Even if you don't disable default features, upgrading to rustls 0.22 would be very useful. I work on a large project where we finally removed dependencies on rustls 0.18 and 0.19 and tokio 0.2 but now we have rustls 0.21 and 0.22. Having just one version would be a great for compilation time and binary size. Reqwest is one of the last libraries we're waiting for. |
I don't think it makes sense for reqwest not to pick one of rustls' crypto providers as the default. rustls 0.23 has made aws-lc-rs the default (which is a little controversial because aws-lc-rs depends on a bunch of C code, whereas ring has focused more on moving code into Rust) so it could make sense to match that default. |
@djc At any rate, I feel this issue(and the ones it entails) deserves a spot in the roadmap, at least. @seanmonstar If you know when you'd wish this to take place in semver timelines, I can make a PR that will at the least upgrade the relevant crates. |
IME aws-lc-rs takes more time to compile than ring does, and it also needs a bunch more tooling installed. |
I have historically opted to use |
Why couldn't we allow the (Edited to make my comment clearer) |
I think this already works: https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.use_preconfigured_tls |
Gentle ping. Is there any chance to move to rustls 0.23 and drop the dependency on ring? uv uses reqwest, and because of extremely bad platform support in ring, we can't use it on most platforms. |
@mgorny ring gained a lot of platform support recently, I don't believe there's many platforms left that aren't supported. |
One of the most groundbreaking changes of the 0.22 release of rustls is the separation of the 'ring' crate into a feature and allowing for custom cryptography providers.
This is one of the heaviest crates to compile, and while it is still widely used in most cases, in my opinion, the reqwest crate should allow an opt-out.
I suggest that while upgrading to 0.22, we add "default-features=false" to rustls and add a "ring" feature that will propagate to rustls.
This feature can be in reqwest's default features, which will still allow users to manually opt out of it.
Note that the reason rustls is not automatically upgraded and I open this issue is that reqwest demands the "dangerous_configuration" feature which no longer exists on 0.22, rendering cargo unable to resolve this dependency.
The functionalities enabled by this feature are now always available, under the "danger" module.
This is possibly breaking for users who use reqwest without default features enabled, and I feel should be marked for the 0.12 release.
Let me know your thoughts.
The text was updated successfully, but these errors were encountered: