
Commit 43569d1

upgrade tokio-rustls (#659)
Summary: Pull Request resolved: #659 this diff updates hyperactor to tokio-rustls v0.26.2 (rustls v0.23.27) Reviewed By: moonli Differential Revision: D79045323 fbshipit-source-id: ddde91a099561b2d26b6c791ad6c69b6a2fc7d69
1 parent 2ebb7bc commit 43569d1


2 files changed

+34
-33
lines changed


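--- a/hyperactor/Cargo.toml
+++ b/hyperactor/Cargo.toml
@@ -43,9 +43,7 @@ opentelemetry = "0.29"
 paste = "1.0.14"
 rand = { version = "0.8", features = ["small_rng"] }
 regex = "1.11.1"
-rustls = "0.21.6"
 rustls-pemfile = "1.0.0"
-rustls-webpki = { version = "0.101.4", features = ["alloc", "std"], default-features = false }
 serde = { version = "1.0.185", features = ["derive", "rc"] }
 serde_bytes = "0.11"
 serde_json = { version = "1.0.140", features = ["alloc", "float_roundtrip", "unbounded_depth"] }
@@ -54,7 +52,7 @@ serde_yaml = "0.9.25"
 signal-hook-tokio = { version = "0.3", features = ["futures-v0_3"] }
 thiserror = "2.0.12"
 tokio = { version = "1.46.1", features = ["full", "test-util", "tracing"] }
-tokio-rustls = { git = "https://github.com/shayne-fletcher/tokio-rustls", rev = "62b6a48e4c14a05c193508b9d98a0be6b0cb4baa", features = ["dangerous_configuration"] }
+tokio-rustls = "0.26.2"
 tokio-stream = { version = "0.1.17", features = ["fs", "io-util", "net", "signal", "sync", "time"] }
 tokio-util = { version = "0.7.15", features = ["full"] }
 tracing = { version = "0.1.41", features = ["attributes", "valuable"] }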

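--- a/hyperactor/src/channel/net.rs
+++ b/hyperactor/src/channel/net.rs
@@ -1630,14 +1630,15 @@ pub(crate) mod meta {
 
 use anyhow::Context;
 use anyhow::Result;
-use rustls::RootCertStore;
 use tokio::net::TcpListener;
 use tokio::net::TcpStream;
 use tokio_rustls::TlsAcceptor;
 use tokio_rustls::TlsConnector;
 use tokio_rustls::client::TlsStream;
-use tokio_rustls::rustls::Certificate;
-use tokio_rustls::rustls::PrivateKey;
+use tokio_rustls::rustls::RootCertStore;
+use tokio_rustls::rustls::pki_types::CertificateDer;
+use tokio_rustls::rustls::pki_types::PrivateKeyDer;
+use tokio_rustls::rustls::pki_types::ServerName;
 
 use super::*;
 use crate::RemoteMessage;
@@ -1665,24 +1666,17 @@ pub(crate) mod meta {
 
 /// Returns the root cert store
 fn root_cert_store() -> Result<RootCertStore> {
-let mut root_cert_store = rustls::RootCertStore::empty();
+let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();
 let ca_cert_path =
 std::env::var_os(THRIFT_TLS_SRV_CA_PATH_ENV).unwrap_or(DEFAULT_SRV_CA_PATH.into());
 let ca_certs = rustls_pemfile::certs(&mut BufReader::new(
 File::open(ca_cert_path).context("Failed to open {ca_cert_path:?}")?,
 ))?;
-let trust_anchors = ca_certs.iter().filter_map(|cert| {
-webpki::TrustAnchor::try_from_cert_der(&cert[..])
-.map(|ta| {
-rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-ta.subject,
-ta.spki,
-ta.name_constraints,
-)
-})
-.ok()
-});
-root_cert_store.add_trust_anchors(trust_anchors);
+for cert in ca_certs {
+root_cert_store
+.add(cert.into())
+.context("Failed to add certificate to root store")?;
+}
 Ok(root_cert_store)
 }
 
@@ -1693,7 +1687,7 @@ pub(crate) mod meta {
 File::open(server_cert_path).context("failed to open {server_cert_path}")?,
 ))?
 .into_iter()
-.map(Certificate)
+.map(CertificateDer::from)
 .collect();
 // certs are good here
 let server_key_path = DEFAULT_SERVER_PEM_PATH;
@@ -1712,22 +1706,28 @@ pub(crate) mod meta {
 };
 };
 
-let config = rustls::ServerConfig::builder().with_safe_defaults();
+let config = tokio_rustls::rustls::ServerConfig::builder();
 
 let config = if enforce_client_tls {
-let client_cert_verifier = Arc::new(rustls::server::AllowAnyAuthenticatedClient::new(
-root_cert_store()?,
-));
+let client_cert_verifier = tokio_rustls::rustls::server::WebPkiClientVerifier::builder(
+Arc::new(root_cert_store()?),
+)
+.build()
+.map_err(|e| anyhow::anyhow!("Failed to build client verifier: {}", e))?;
 config.with_client_cert_verifier(client_cert_verifier)
 } else {
 config.with_no_client_auth()
 }
-.with_single_cert(certs, PrivateKey(key))?;
+.with_single_cert(
+certs,
+PrivateKeyDer::try_from(key)
+.map_err(|_| anyhow::anyhow!("Invalid private key format"))?,
+)?;
 
 Ok(TlsAcceptor::from(Arc::new(config)))
 }
 
-fn load_client_pem() -> Result<Option<(Vec<rustls::Certificate>, rustls::PrivateKey)>> {
+fn load_client_pem() -> Result<Option<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)>> {
 let Some(cert_path) = std::env::var_os(THRIFT_TLS_CL_CERT_PATH_ENV) else {
 return Ok(None);
 };
@@ -1738,7 +1738,7 @@ pub(crate) mod meta {
 File::open(cert_path).context("failed to open {cert_path}")?,
 ))?
 .into_iter()
-.map(rustls::Certificate)
+.map(CertificateDer::from)
 .collect();
 let mut key_reader =
 BufReader::new(File::open(key_path).context("failed to open {key_path}")?);
@@ -1752,15 +1752,18 @@ pub(crate) mod meta {
 };
 };
 // Certs are verified to be good here.
-Ok(Some((certs, rustls::PrivateKey(key))))
+Ok(Some((
+certs,
+PrivateKeyDer::try_from(key)
+.map_err(|_| anyhow::anyhow!("Invalid private key format"))?,
+)))
 }
 
 /// Creates a TLS connector by looking for necessary certs and keys in a Meta server environment.
 fn tls_connector() -> Result<TlsConnector> {
 // TODO (T208180540): try to simplify the logic here.
-let config = rustls::ClientConfig::builder()
-.with_safe_defaults()
-.with_root_certificates(root_cert_store()?);
+let config = tokio_rustls::rustls::ClientConfig::builder()
+.with_root_certificates(Arc::new(root_cert_store()?));
 let result = load_client_pem()?;
 let config = if let Some((certs, key)) = result {
 config
@@ -1772,9 +1775,9 @@ pub(crate) mod meta {
 Ok(TlsConnector::from(Arc::new(config)))
 }
 
-fn tls_connector_config(peer_host_name: &str) -> Result<(TlsConnector, rustls::ServerName)> {
+fn tls_connector_config(peer_host_name: &str) -> Result<(TlsConnector, ServerName<'static>)> {
 let connector = tls_connector()?;
-let server_name = rustls::ServerName::try_from(peer_host_name)?;
+let server_name = ServerName::try_from(peer_host_name.to_string())?;
 Ok((connector, server_name))
 }
 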
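Review bot: The rewrite of `root_cert_store()` in the second hunk changes failure semantics without saying so: the old `filter_map(... .ok())` silently dropped CA bundle entries that did not parse as trust anchors, whereas the new loop returns on the first `add` failure, so a bundle with one malformed entry now fails the whole store. Failing closed is the safer default for a trust store, but the doc comment `/// Returns the root cert store` should state it, e.g. `/// Returns the root cert store; fails if any entry in the CA bundle cannot be added as a trust anchor.` If the lenient behavior was relied upon, `RootCertStore::add_parsable_certificates` preserves it while reporting how many entries were skipped, which should then be logged rather than ignored. Separately, the `map_err(|_| ...)` on `PrivateKeyDer::try_from(key)` in the fourth and sixth hunks discards the underlying error; `.map_err(|e| anyhow::anyhow!("Invalid private key format: {e}"))` keeps the detail in the log without exposing key material.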
