chore: Use rustls, remove dependency on OpenSSL #229

Closed

@vadorovsky commented Dec 1, 2023

ring 0.17 supports RISC-V, so building Pulsar with rustls instead of OpenSSL is possible.

Choice of the TLS library is exposed by the following features in the smtp-notifier crate:

  • native-tls - uses the native TLS library in the system, usually OpenSSL. Enabled by default.
  • boring-tls - uses BoringSSL. Disabled by default.
  • rustls-tls - uses rustls. Disabled by default.

When building Pulsar with Cargo, the native TLS is going to be used.

However, for binary builds for GitHub releases, rustls is being used, since it's always statically built and doesn't require any runtime dependencies from the users.

@banditopazzo

This is a very delicate issue.

I understand that there are valid reasons to use rustls over OpenSSL because of some advantages; the biggest point is that it's simpler to integrate in a Rust project, and another could be that it's a modern, safer TLS implementation compared to OpenSSL; or one could argue that OpenSSL has had many CVEs in recent years.

While these are truly good points, OpenSSL is by far the most used and battle-tested cryptographic library and a fundamental component of every system. For a native installation, a dependency on the shared OpenSSL system library is probably better, but I could be wrong.

What I think instead is that we could support both and let the user or the packager choose.

@vadorovsky

@banditopazzo Sure, I'm fine with giving a choice. But I would still be inclined to use rustls for official container images, so we don't have to install libssl-dev.
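
An added check, not part of this PR or the Pulsar repository: one way to confirm the point made in the description and in the reply above, that a rustls build carries no runtime dependency on OpenSSL, is to look at the binary's `NEEDED` entries. The function names and both sample `readelf -d` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): report OpenSSL shared libraries that an
# ELF binary requires at run time, based on its dynamic section.

# Reads `readelf -d <binary>` output on stdin.
# Prints each libssl/libcrypto NEEDED entry, one per line.
# Exit status: 0 if at least one was found, 1 if none.
openssl_needed() {
    awk '
        /\(NEEDED\)/ {
            # The library name sits between square brackets.
            if (match($0, /\[[^]]*\]/)) {
                lib = substr($0, RSTART + 1, RLENGTH - 2)
                if (lib ~ /^lib(ssl|crypto)\.so/) { print lib; found = 1 }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Gate for a release pipeline: succeeds only when the binary given as $1
# has no dynamic OpenSSL dependency. Requires binutils (readelf).
assert_no_openssl() {
    if libs=$(readelf -d "$1" | openssl_needed); then
        echo "FAIL: $1 needs: $(echo "$libs" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "OK: $1 has no dynamic OpenSSL dependency"
}

# Constructed sample: dynamic section of a build linked against system OpenSSL.
SAMPLE_NATIVE_TLS=' 0x0000000000000001 (NEEDED)   Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000c (INIT)     0x1000'

# Constructed sample: dynamic section of a build with a statically linked TLS stack.
SAMPLE_RUSTLS=' 0x0000000000000001 (NEEDED)   Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000c (INIT)     0x1000'
```

In a release job, `assert_no_openssl path/to/binary` after the build step fails the job if the selected TLS feature pulled in the system library.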

@vadorovsky force-pushed the rustls branch 15 times, most recently from 10515e9 to 1b09c30 on December 18, 2023 20:18
ring 0.17 supports RISC-V, so building Pulsar with rustls instead
of OpenSSL is possible.

Choice of the TLS library is exposed by the following features
in the `smtp-notifier` crate:

* `native-tls` - uses the native TLS library in the system, usually
  OpenSSL. Enabled by default.
* `boring-tls` - uses BoringSSL. Disabled by default.
* `rustls-tls` - uses rustls. Disabled by default.

When building Pulsar with Cargo, the native TLS is going to be used.

However, for binary builds for GitHub releases, rustls is being
used, since it's always statically built and doesn't require any
runtime dependencies from the users.

@vadorovsky

Superseded by #278, this PR has too much mess

@vadorovsky closed this Apr 22, 2024