actix/actix-web
1
0
Fork 0
mirror of https://github.com/fafhrd91/actix-web synced 2025-06-26 06:57:43 +02:00
Code Issues Releases Wiki Activity

Actix Web Rustls v0.21 support (#3116)

Browse Source
This commit is contained in:
Rob Ede
2023-08-29 01:11:11 +01:00
committed by GitHub
parent cbf5e948db
commit 905c30af86
23 changed files with 382 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awc/CHANGES.md
View File

@ -2,6 +2,8 @@
## Unreleased - 2023-xx-xx
- Add `awc::Connector::rustls_021()` method for Rustls v0.21 support behind new `rustls-0_21` crate feature.
- Add `rustls-0_20` crate feature, which the existing `rustls` feature now aliases.
- Minimum supported Rust version (MSRV) is now 1.68 due to transitive `time` dependency.
## 3.1.1 - 2023-02-26

27
awc/Cargo.toml
View File

@ -21,16 +21,20 @@ path = "src/lib.rs"
[package.metadata.docs.rs]
# features that docs.rs will build with
features = ["openssl", "rustls", "compress-brotli", "compress-gzip", "compress-zstd", "cookies"]
features = ["openssl", "rustls-0_20", "rustls-0_21", "compress-brotli", "compress-gzip", "compress-zstd", "cookies"]
[features]
default = ["compress-brotli", "compress-gzip", "compress-zstd", "cookies"]
# openssl
# TLS via OpenSSL
openssl = ["tls-openssl", "actix-tls/openssl"]
# rustls
rustls = ["tls-rustls", "actix-tls/rustls"]
# TLS via Rustls v0.20
rustls = ["rustls-0_20"]
# TLS via Rustls v0.20
rustls-0_20 = ["tls-rustls-0_20", "actix-tls/rustls-0_20"]
# TLS via Rustls v0.21
rustls-0_21 = ["tls-rustls-0_21", "actix-tls/rustls-0_21"]
# Brotli algorithm content-encoding support
compress-brotli = ["actix-http/compress-brotli", "__compress"]
@ -39,10 +43,10 @@ compress-gzip = ["actix-http/compress-gzip", "__compress"]
# Zstd algorithm content-encoding support
compress-zstd = ["actix-http/compress-zstd", "__compress"]
# cookie parsing and cookie jar
# Cookie parsing and cookie jar
cookies = ["cookie"]
# trust-dns as dns resolver
# Use `trust-dns-resolver` crate as DNS resolver
trust-dns = ["trust-dns-resolver"]
# Internal (PRIVATE!) features used to aid testing and checking feature status.
@ -59,7 +63,7 @@ actix-codec = "0.5"
actix-service = "2"
actix-http = { version = "3.3", features = ["http2", "ws"] }
actix-rt = { version = "2.1", default-features = false }
actix-tls = { version = "3", features = ["connect", "uri"] }
actix-tls = { version = "3.1", features = ["connect", "uri"] }
actix-utils = "3"
base64 = "0.21"
@ -84,7 +88,8 @@ tokio = { version = "1.24.2", features = ["sync"] }
cookie = { version = "0.16", features = ["percent-encode"], optional = true }
tls-openssl = { package = "openssl", version = "0.10.55", optional = true }
tls-rustls = { package = "rustls", version = "0.20", optional = true, features = ["dangerous_configuration"] }
tls-rustls-0_20 = { package = "rustls", version = "0.20", optional = true, features = ["dangerous_configuration"] }
tls-rustls-0_21 = { package = "rustls", version = "0.21", optional = true, features = ["dangerous_configuration"] }
trust-dns-resolver = { version = "0.22", optional = true }
@ -92,8 +97,8 @@ trust-dns-resolver = { version = "0.22", optional = true }
actix-http = { version = "3", features = ["openssl"] }
actix-http-test = { version = "3", features = ["openssl"] }
actix-server = "2"
actix-test = { version = "0.1", features = ["openssl", "rustls"] }
actix-tls = { version = "3", features = ["openssl", "rustls"] }
actix-test = { version = "0.1", features = ["openssl", "rustls-0_21"] }
actix-tls = { version = "3", features = ["openssl", "rustls-0_21"] }
actix-utils = "3"
actix-web = { version = "4", features = ["openssl"] }
@ -110,4 +115,4 @@ zstd = "0.12"
[[example]]
name = "client"
required-features = ["rustls"]
required-features = ["rustls-0_21"]

167
awc/src/client/connector.rs
View File

@ -43,20 +43,22 @@ enum OurTlsConnector {
#[allow(dead_code)] // false positive; used in build_ssl
OpensslBuilder(actix_tls::connect::openssl::reexports::SslConnectorBuilder),
#[cfg(feature = "rustls")]
Rustls(std::sync::Arc<actix_tls::connect::rustls::reexports::ClientConfig>),
#[cfg(feature = "rustls-0_20")]
Rustls020(std::sync::Arc<actix_tls::connect::rustls_0_20::reexports::ClientConfig>),
#[cfg(feature = "rustls-0_21")]
Rustls021(std::sync::Arc<actix_tls::connect::rustls_0_21::reexports::ClientConfig>),
}
/// Manages HTTP client network connectivity.
///
/// The `Connector` type uses a builder-like combinator pattern for service
/// construction that finishes by calling the `.finish()` method.
/// The `Connector` type uses a builder-like combinator pattern for service construction that
/// finishes by calling the `.finish()` method.
///
/// ```ignore
/// ```no_run
/// use std::time::Duration;
/// use actix_http::client::Connector;
///
/// let connector = Connector::new()
/// let connector = awc::Connector::new()
/// .timeout(Duration::from_secs(5))
/// .finish();
/// ```
@ -80,22 +82,22 @@ impl Connector<()> {
Connector {
connector: TcpConnector::new(resolver::resolver()).service(),
config: ConnectorConfig::default(),
tls: Self::build_ssl(vec![b"h2".to_vec(), b"http/1.1".to_vec()]),
tls: Self::build_tls(vec![b"h2".to_vec(), b"http/1.1".to_vec()]),
}
}
/// Provides an empty TLS connector when no TLS feature is enabled.
#[cfg(not(any(feature = "openssl", feature = "rustls")))]
fn build_ssl(_: Vec<Vec<u8>>) -> OurTlsConnector {
#[cfg(not(any(feature = "openssl", feature = "rustls-0_20", feature = "rustls-0_21")))]
fn build_tls(_: Vec<Vec<u8>>) -> OurTlsConnector {
OurTlsConnector::None
}
/// Build TLS connector with rustls, based on supplied ALPN protocols
/// Build TLS connector with Rustls v0.21, based on supplied ALPN protocols
///
/// Note that if both `openssl` and `rustls` features are enabled, rustls will be used.
#[cfg(feature = "rustls")]
fn build_ssl(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls::{reexports::ClientConfig, webpki_roots_cert_store};
/// Note that if other TLS crate features are enabled, Rustls v0.21 will be used.
#[cfg(feature = "rustls-0_21")]
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls_0_21::{reexports::ClientConfig, webpki_roots_cert_store};
let mut config = ClientConfig::builder()
.with_safe_defaults()
@ -104,12 +106,55 @@ impl Connector<()> {
config.alpn_protocols = protocols;
OurTlsConnector::Rustls(std::sync::Arc::new(config))
OurTlsConnector::Rustls021(std::sync::Arc::new(config))
}
/// Build TLS connector with openssl, based on supplied ALPN protocols
#[cfg(all(feature = "openssl", not(feature = "rustls")))]
fn build_ssl(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
/// Build TLS connector with Rustls v0.21, based on supplied ALPN protocols
///
/// Note that if other TLS crate features are enabled, Rustls v0.21 will be used.
#[cfg(all(
all(feature = "rustls-0_20", feature = "openssl"),
not(feature = "rustls-0_21"),
))]
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls_0_20::{reexports::ClientConfig, webpki_roots_cert_store};
let mut config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(webpki_roots_cert_store())
.with_no_client_auth();
config.alpn_protocols = protocols;
OurTlsConnector::Rustls020(std::sync::Arc::new(config))
}
/// Build TLS connector with Rustls v0.20, based on supplied ALPN protocols
///
/// Note that if other TLS crate features are enabled, Rustls v0.21 will be used.
#[cfg(all(
feature = "rustls-0_20",
not(any(feature = "rustls-0_21", feature = "openssl")),
))]
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::rustls_0_20::{reexports::ClientConfig, webpki_roots_cert_store};
let mut config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(webpki_roots_cert_store())
.with_no_client_auth();
config.alpn_protocols = protocols;
OurTlsConnector::Rustls020(std::sync::Arc::new(config))
}
/// Build TLS connector with OpenSSL, based on supplied ALPN protocols
#[cfg(all(
feature = "openssl",
not(any(feature = "rustls-0_20", feature = "rustls-0_21")),
))]
fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
use actix_tls::connect::openssl::reexports::{SslConnector, SslMethod};
use bytes::{BufMut, BytesMut};
@ -129,7 +174,7 @@ impl Connector<()> {
}
impl<S> Connector<S> {
/// Use custom connector.
/// Sets custom connector.
pub fn connector<S1, Io1>(self, connector: S1) -> Connector<S1>
where
Io1: ActixStream + fmt::Debug + 'static,
@ -158,21 +203,28 @@ where
+ Clone
+ 'static,
{
/// Tcp connection timeout, i.e. max time to connect to remote host including dns name
/// resolution. Set to 5 second by default.
/// Sets TCP connection timeout.
///
/// This is the max time allowed to connect to remote host, including DNS name resolution.
///
/// By default, the timeout is 5 seconds.
pub fn timeout(mut self, timeout: Duration) -> Self {
self.config.timeout = timeout;
self
}
/// Tls handshake timeout, i.e. max time to do tls handshake with remote host after tcp
/// connection established. Set to 5 second by default.
/// Sets TLS handshake timeout.
///
/// This is the max time allowed to perform the TLS handshake with remote host after TCP
/// connection is established.
///
/// By default, the timeout is 5 seconds.
pub fn handshake_timeout(mut self, timeout: Duration) -> Self {
self.config.handshake_timeout = timeout;
self
}
/// Use custom OpenSSL `SslConnector` instance.
/// Sets custom OpenSSL `SslConnector` instance.
#[cfg(feature = "openssl")]
pub fn openssl(
mut self,
@ -191,13 +243,23 @@ where
self
}
/// Use custom Rustls `ClientConfig` instance.
#[cfg(feature = "rustls")]
/// Sets custom Rustls v0.20 `ClientConfig` instance.
#[cfg(feature = "rustls-0_20")]
pub fn rustls(
mut self,
connector: std::sync::Arc<actix_tls::connect::rustls::reexports::ClientConfig>,
connector: std::sync::Arc<actix_tls::connect::rustls_0_20::reexports::ClientConfig>,
) -> Self {
self.tls = OurTlsConnector::Rustls(connector);
self.tls = OurTlsConnector::Rustls020(connector);
self
}
/// Sets custom Rustls v0.21 `ClientConfig` instance.
#[cfg(feature = "rustls-0_21")]
pub fn rustls_021(
mut self,
connector: std::sync::Arc<actix_tls::connect::rustls_0_21::reexports::ClientConfig>,
) -> Self {
self.tls = OurTlsConnector::Rustls021(connector);
self
}
@ -212,12 +274,12 @@ where
unimplemented!("actix-http client only supports versions http/1.1 & http/2")
}
};
self.tls = Connector::build_ssl(versions);
self.tls = Connector::build_tls(versions);
self
}
/// Sets the initial window size (in octets) for HTTP/2 stream-level flow control for
/// received data.
/// Sets the initial window size (in bytes) for HTTP/2 stream-level flow control for received
/// data.
///
/// The default value is 65,535 and is good for APIs, but not for big objects.
pub fn initial_window_size(mut self, size: u32) -> Self {
@ -225,7 +287,7 @@ where
self
}
/// Sets the initial window size (in octets) for HTTP/2 connection-level flow control for
/// Sets the initial window size (in bytes) for HTTP/2 connection-level flow control for
/// received data.
///
/// The default value is 65,535 and is good for APIs, but not for big objects.
@ -405,11 +467,44 @@ where
unreachable!("OpenSSL builder is built before this match.");
}
#[cfg(feature = "rustls")]
OurTlsConnector::Rustls(tls) => {
#[cfg(feature = "rustls-0_20")]
OurTlsConnector::Rustls020(tls) => {
const H2: &[u8] = b"h2";
use actix_tls::connect::rustls::{reexports::AsyncTlsStream, TlsConnector};
use actix_tls::connect::rustls_0_20::{reexports::AsyncTlsStream, TlsConnector};
impl<Io: ConnectionIo> IntoConnectionIo for TcpConnection<Uri, AsyncTlsStream<Io>> {
fn into_connection_io(self) -> (Box<dyn ConnectionIo>, Protocol) {
let sock = self.into_parts().0;
let h2 = sock
.get_ref()
.1
.alpn_protocol()
.map_or(false, |protos| protos.windows(2).any(|w| w == H2));
if h2 {
(Box::new(sock), Protocol::Http2)
} else {
(Box::new(sock), Protocol::Http1)
}
}
}
let handshake_timeout = self.config.handshake_timeout;
let tls_service = TlsConnectorService {
tcp_service: tcp_service_inner,
tls_service: TlsConnector::service(tls),
timeout: handshake_timeout,
};
Some(actix_service::boxed::rc_service(tls_service))
}
#[cfg(feature = "rustls-0_21")]
OurTlsConnector::Rustls021(tls) => {
const H2: &[u8] = b"h2";
use actix_tls::connect::rustls_0_21::{reexports::AsyncTlsStream, TlsConnector};
impl<Io: ConnectionIo> IntoConnectionIo for TcpConnection<Uri, AsyncTlsStream<Io>> {
fn into_connection_io(self) -> (Box<dyn ConnectionIo>, Protocol) {

10
awc/tests/test_rustls_client.rs
View File

@ -1,6 +1,6 @@
#![cfg(feature = "rustls")]
#![cfg(feature = "rustls-0_21")]
extern crate tls_rustls as rustls;
extern crate tls_rustls_0_21 as rustls;
use std::{
io::BufReader,
@ -14,7 +14,7 @@ use std::{
use actix_http::HttpService;
use actix_http_test::test_server;
use actix_service::{fn_service, map_config, ServiceFactoryExt};
use actix_tls::connect::rustls::webpki_roots_cert_store;
use actix_tls::connect::rustls_0_21::webpki_roots_cert_store;
use actix_utils::future::ok;
use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse};
use rustls::{
@ -82,7 +82,7 @@ async fn test_connection_reuse_h2() {
App::new().service(web::resource("/").route(web::to(HttpResponse::Ok))),
|_| AppConfig::default(),
))
.rustls(tls_config())
.rustls_021(tls_config())
.map_err(|_| ()),
)
})
@ -102,7 +102,7 @@ async fn test_connection_reuse_h2() {
.set_certificate_verifier(Arc::new(danger::NoCertificateVerification));
let client = awc::Client::builder()
.connector(awc::Connector::new().rustls(Arc::new(config)))
.connector(awc::Connector::new().rustls_021(Arc::new(config)))
.finish();
// req 1