Use rustls as an TLS engine

[sagebind]

Offer rustls as an optional TLS engine. The default behavior will remain to use the system-native TLS engine, but users should be able to opt-in to using rustls just with crate features.

Remaining work:

• Land rustls TLS backend selection in upstream curl crate.
  • Offer rustls as an optional TLS engine alexcrichton/curl-rust#341
  • Add experimental rustls support #309
• Add support for CURLOPT_CAINFO_BLOB to rustls backend in curl. Support merged, waiting for curl 7.82.0 release on 2022-03-02.
  • rustls: CURLOPT_CAINFO_BLOB support curl/curl#8255
• Add crate feature to add system trusted root certificates to requests automatically. This depends on CURLOPT_CAINFO_BLOB support since root certs aren't available as PEM files by default on all operating systems, so we can't simply use CURLOPT_CAINFO.
  • Load system trusted root certs for rustls #369
• Stabilize feature as rustls-tls. This will be available in the upcoming 2.0 release.

[xy137]

has there been any progress on this?

[sagebind]

Nope, not yet, but there's an upstream issue to add support for it in the curl crate here: alexcrichton/curl-rust#341

[suptejas]

Would really love this - this would make for a great performance improvement!

[sagebind]

The first step for this has at long last landed, as the upstream curl crate now has a rustls crate feature: alexcrichton/curl-rust#341.

Our work on Isahc's end is not finished though, as rustls does not use the operating system's trusted root certificates by default which is going to be an expected feature for Isahc (though potientially behind a separate crate feature). I'll keep the list of remaining tasks up-to-date in the issue description from here on out for more granular tracking.

In the meantime, you can now enable the unstable-rustls-tls crate feature on Isahc if you pull from the latest Git commit to start using rustls, though I expect there to be some rough edges at the moment.

[sagebind]

Adding "breaking" label to this, since the way Isahc 1.0 is configured, the native TLS engine is always enabled with no way of opting-out. We need to offer rustls and the native TLS engines as separate features that can be enabled or disabled, which is a breaking change.

2.0 is likely going to be a soon(ish) release anyway (a few months away probably) so seems like a good time to make rustls support part of that effort.

[seanpianka]

Hello, is there a tracking issue for the 2.0 release? I am looking forward to seeing this feature-flag stabilized. Thanks!

[sagebind]

There is no tracking issue, but there's a milestone here: https://github.com/sagebind/isahc/milestone/13. There is no due date for version 2.0, it'll be ready when it is ready.

[lcmgh]

Any update on this?

[sagebind]

@lcmgh Nope, sorry. I am currently taking a break from open-source work while I deal with some time-consuming projects in my personal life. It may be autumn this year before I can resume working on this. But thanks for your interest! I still plan on pushing this to the finish line, despite delays.