	Merge #4806
4806: Update rustls as much as possible r=Kerollmops a=irevoire # Pull Request ## Related issue Part of https://github.com/meilisearch/meilisearch/issues/4753 ## What does this PR do? - Update rustls as much as possible ## What is missing In rustls-0.22.0 two structures we were using have been removed with no explanation or workaround <img width="518" alt="image" src="https://github.com/user-attachments/assets/fa112db1-3400-4163-8819-7913f22d6b87"> Co-authored-by: Tamo <tamo@meilisearch.com>
										92
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										92
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							| @@ -149,11 +149,11 @@ dependencies = [ | ||||
|  "futures-core", | ||||
|  "impl-more", | ||||
|  "pin-project-lite", | ||||
|  "rustls-pki-types", | ||||
|  "tokio", | ||||
|  "tokio-rustls 0.24.1", | ||||
|  "tokio-rustls", | ||||
|  "tokio-util", | ||||
|  "tracing", | ||||
|  "webpki-roots 0.25.3", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| @@ -2461,12 +2461,12 @@ dependencies = [ | ||||
|  "http 1.1.0", | ||||
|  "hyper", | ||||
|  "hyper-util", | ||||
|  "rustls 0.23.11", | ||||
|  "rustls", | ||||
|  "rustls-pki-types", | ||||
|  "tokio", | ||||
|  "tokio-rustls 0.26.0", | ||||
|  "tokio-rustls", | ||||
|  "tower-service", | ||||
|  "webpki-roots 0.26.1", | ||||
|  "webpki-roots", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| @@ -3395,8 +3395,9 @@ dependencies = [ | ||||
|  "regex", | ||||
|  "reqwest", | ||||
|  "roaring", | ||||
|  "rustls 0.21.12", | ||||
|  "rustls-pemfile 1.0.4", | ||||
|  "rustls", | ||||
|  "rustls-pemfile", | ||||
|  "rustls-pki-types", | ||||
|  "segment", | ||||
|  "serde", | ||||
|  "serde_json", | ||||
| @@ -4273,7 +4274,7 @@ dependencies = [ | ||||
|  "quinn-proto", | ||||
|  "quinn-udp", | ||||
|  "rustc-hash", | ||||
|  "rustls 0.23.11", | ||||
|  "rustls", | ||||
|  "thiserror", | ||||
|  "tokio", | ||||
|  "tracing", | ||||
| @@ -4289,7 +4290,7 @@ dependencies = [ | ||||
|  "rand", | ||||
|  "ring", | ||||
|  "rustc-hash", | ||||
|  "rustls 0.23.11", | ||||
|  "rustls", | ||||
|  "slab", | ||||
|  "thiserror", | ||||
|  "tinyvec", | ||||
| @@ -4517,15 +4518,15 @@ dependencies = [ | ||||
|  "percent-encoding", | ||||
|  "pin-project-lite", | ||||
|  "quinn", | ||||
|  "rustls 0.23.11", | ||||
|  "rustls-pemfile 2.1.2", | ||||
|  "rustls", | ||||
|  "rustls-pemfile", | ||||
|  "rustls-pki-types", | ||||
|  "serde", | ||||
|  "serde_json", | ||||
|  "serde_urlencoded", | ||||
|  "sync_wrapper", | ||||
|  "tokio", | ||||
|  "tokio-rustls 0.26.0", | ||||
|  "tokio-rustls", | ||||
|  "tokio-util", | ||||
|  "tower-service", | ||||
|  "url", | ||||
| @@ -4533,7 +4534,7 @@ dependencies = [ | ||||
|  "wasm-bindgen-futures", | ||||
|  "wasm-streams", | ||||
|  "web-sys", | ||||
|  "webpki-roots 0.26.1", | ||||
|  "webpki-roots", | ||||
|  "winreg", | ||||
| ] | ||||
|  | ||||
| @@ -4683,18 +4684,6 @@ dependencies = [ | ||||
|  "windows-sys 0.52.0", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls" | ||||
| version = "0.21.12" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" | ||||
| dependencies = [ | ||||
|  "log", | ||||
|  "ring", | ||||
|  "rustls-webpki 0.101.7", | ||||
|  "sct", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls" | ||||
| version = "0.23.11" | ||||
| @@ -4705,20 +4694,11 @@ dependencies = [ | ||||
|  "once_cell", | ||||
|  "ring", | ||||
|  "rustls-pki-types", | ||||
|  "rustls-webpki 0.102.5", | ||||
|  "rustls-webpki", | ||||
|  "subtle", | ||||
|  "zeroize", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls-pemfile" | ||||
| version = "1.0.4" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" | ||||
| dependencies = [ | ||||
|  "base64 0.21.7", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls-pemfile" | ||||
| version = "2.1.2" | ||||
| @@ -4735,16 +4715,6 @@ version = "1.7.0" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls-webpki" | ||||
| version = "0.101.7" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" | ||||
| dependencies = [ | ||||
|  "ring", | ||||
|  "untrusted", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "rustls-webpki" | ||||
| version = "0.102.5" | ||||
| @@ -4793,16 +4763,6 @@ version = "1.2.0" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" | ||||
|  | ||||
| [[package]] | ||||
| name = "sct" | ||||
| version = "0.7.1" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" | ||||
| dependencies = [ | ||||
|  "ring", | ||||
|  "untrusted", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "seahash" | ||||
| version = "4.1.0" | ||||
| @@ -5483,23 +5443,13 @@ dependencies = [ | ||||
|  "syn 2.0.60", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "tokio-rustls" | ||||
| version = "0.24.1" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" | ||||
| dependencies = [ | ||||
|  "rustls 0.21.12", | ||||
|  "tokio", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "tokio-rustls" | ||||
| version = "0.26.0" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" | ||||
| dependencies = [ | ||||
|  "rustls 0.23.11", | ||||
|  "rustls", | ||||
|  "rustls-pki-types", | ||||
|  "tokio", | ||||
| ] | ||||
| @@ -5805,13 +5755,13 @@ dependencies = [ | ||||
|  "flate2", | ||||
|  "log", | ||||
|  "once_cell", | ||||
|  "rustls 0.23.11", | ||||
|  "rustls", | ||||
|  "rustls-pki-types", | ||||
|  "serde", | ||||
|  "serde_json", | ||||
|  "socks", | ||||
|  "url", | ||||
|  "webpki-roots 0.26.1", | ||||
|  "webpki-roots", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| @@ -6036,12 +5986,6 @@ dependencies = [ | ||||
|  "wasm-bindgen", | ||||
| ] | ||||
|  | ||||
| [[package]] | ||||
| name = "webpki-roots" | ||||
| version = "0.25.3" | ||||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||||
| checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" | ||||
|  | ||||
| [[package]] | ||||
| name = "webpki-roots" | ||||
| version = "0.26.1" | ||||
|   | ||||
| @@ -17,7 +17,7 @@ actix-cors = "0.7.0" | ||||
| actix-http = { version = "3.8.0", default-features = false, features = [ | ||||
|     "compress-brotli", | ||||
|     "compress-gzip", | ||||
|     "rustls-0_21", | ||||
|     "rustls-0_23", | ||||
| ] } | ||||
| actix-utils = "3.0.1" | ||||
| actix-web = { version = "4.8.0", default-features = false, features = [ | ||||
| @@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [ | ||||
|     "compress-brotli", | ||||
|     "compress-gzip", | ||||
|     "cookies", | ||||
|     "rustls-0_21", | ||||
|     "rustls-0_23", | ||||
| ] } | ||||
| anyhow = { version = "1.0.86", features = ["backtrace"] } | ||||
| async-trait = "0.1.81" | ||||
| @@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [ | ||||
|     "rustls-tls", | ||||
|     "json", | ||||
| ], default-features = false } | ||||
| rustls = "0.21.12" | ||||
| rustls-pemfile = "1.0.4" | ||||
| rustls = { version = "0.23.11", features = ["ring"], default-features = false } | ||||
| rustls-pki-types = { version = "1.7.0", features = ["alloc"] } | ||||
| rustls-pemfile = "2.1.2" | ||||
| segment = { version = "0.2.4", optional = true } | ||||
| serde = { version = "1.0.204", features = ["derive"] } | ||||
| serde_json = { version = "1.0.120", features = ["preserve_order"] } | ||||
|   | ||||
| @@ -151,7 +151,7 @@ async fn run_http( | ||||
|     .keep_alive(KeepAlive::Os); | ||||
|  | ||||
|     if let Some(config) = opt_clone.get_ssl_config()? { | ||||
|         http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?; | ||||
|         http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?; | ||||
|     } else { | ||||
|         http_server.bind(&opt_clone.http_addr)?.run().await?; | ||||
|     } | ||||
|   | ||||
| @@ -14,11 +14,9 @@ use clap::Parser; | ||||
| use meilisearch_types::features::InstanceTogglableFeatures; | ||||
| use meilisearch_types::milli::update::IndexerConfig; | ||||
| use meilisearch_types::milli::ThreadPoolNoAbortBuilder; | ||||
| use rustls::server::{ | ||||
|     AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache, | ||||
| }; | ||||
| use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier}; | ||||
| use rustls::RootCertStore; | ||||
| use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys}; | ||||
| use rustls_pemfile::{certs, rsa_private_keys}; | ||||
| use serde::{Deserialize, Serialize}; | ||||
| use sysinfo::{MemoryRefreshKind, RefreshKind, System}; | ||||
| use url::Url; | ||||
| @@ -582,23 +580,21 @@ impl Opt { | ||||
|  | ||||
|     pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> { | ||||
|         if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) { | ||||
|             let config = rustls::ServerConfig::builder().with_safe_defaults(); | ||||
|             let config = rustls::ServerConfig::builder(); | ||||
|  | ||||
|             let config = match &self.ssl_auth_path { | ||||
|                 Some(auth_path) => { | ||||
|                     let roots = load_certs(auth_path.to_path_buf())?; | ||||
|                     let mut client_auth_roots = RootCertStore::empty(); | ||||
|                     for root in roots { | ||||
|                         client_auth_roots.add(&root).unwrap(); | ||||
|                         client_auth_roots.add(root).unwrap(); | ||||
|                     } | ||||
|                     if self.ssl_require_auth { | ||||
|                         let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots); | ||||
|                         config.with_client_cert_verifier(Arc::from(verifier)) | ||||
|                     } else { | ||||
|                         let verifier = | ||||
|                             AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots); | ||||
|                         config.with_client_cert_verifier(Arc::from(verifier)) | ||||
|                     let mut client_verifier = | ||||
|                         WebPkiClientVerifier::builder(client_auth_roots.into()); | ||||
|                     if !self.ssl_require_auth { | ||||
|                         client_verifier = client_verifier.allow_unauthenticated(); | ||||
|                     } | ||||
|                     config.with_client_cert_verifier(client_verifier.build()?) | ||||
|                 } | ||||
|                 None => config.with_no_client_auth(), | ||||
|             }; | ||||
| @@ -607,7 +603,7 @@ impl Opt { | ||||
|             let privkey = load_private_key(key_path.to_path_buf())?; | ||||
|             let ocsp = load_ocsp(&self.ssl_ocsp_path)?; | ||||
|             let mut config = config | ||||
|                 .with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![]) | ||||
|                 .with_single_cert_with_ocsp(certs, privkey, ocsp) | ||||
|                 .map_err(|_| anyhow::anyhow!("bad certificates/private key"))?; | ||||
|  | ||||
|             config.key_log = Arc::new(rustls::KeyLogFile::new()); | ||||
| @@ -617,7 +613,7 @@ impl Opt { | ||||
|             } | ||||
|  | ||||
|             if self.ssl_tickets { | ||||
|                 config.ticketer = rustls::Ticketer::new().unwrap(); | ||||
|                 config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap(); | ||||
|             } | ||||
|  | ||||
|             Ok(Some(config)) | ||||
| @@ -783,21 +779,26 @@ impl Deref for MaxThreads { | ||||
|     } | ||||
| } | ||||
|  | ||||
| fn load_certs(filename: PathBuf) -> anyhow::Result<Vec<rustls::Certificate>> { | ||||
| fn load_certs( | ||||
|     filename: PathBuf, | ||||
| ) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> { | ||||
|     let certfile = | ||||
|         fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?; | ||||
|     let mut reader = BufReader::new(certfile); | ||||
|     certs(&mut reader) | ||||
|         .map(|certs| certs.into_iter().map(rustls::Certificate).collect()) | ||||
|         .collect::<Result<Vec<_>, _>>() | ||||
|         .map_err(|_| anyhow::anyhow!("cannot read certificate file")) | ||||
| } | ||||
|  | ||||
| fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> { | ||||
| fn load_private_key( | ||||
|     filename: PathBuf, | ||||
| ) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> { | ||||
|     let rsa_keys = { | ||||
|         let keyfile = fs::File::open(filename.clone()) | ||||
|             .map_err(|_| anyhow::anyhow!("cannot open private key file"))?; | ||||
|         let mut reader = BufReader::new(keyfile); | ||||
|         rsa_private_keys(&mut reader) | ||||
|             .collect::<Result<Vec<_>, _>>() | ||||
|             .map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))? | ||||
|     }; | ||||
|  | ||||
| @@ -805,19 +806,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> { | ||||
|         let keyfile = fs::File::open(filename) | ||||
|             .map_err(|_| anyhow::anyhow!("cannot open private key file"))?; | ||||
|         let mut reader = BufReader::new(keyfile); | ||||
|         pkcs8_private_keys(&mut reader).map_err(|_| { | ||||
|         rustls_pemfile::pkcs8_private_keys(&mut reader).collect::<Result<Vec<_>, _>>().map_err( | ||||
|             |_| { | ||||
|                 anyhow::anyhow!( | ||||
|                     "file contains invalid pkcs8 private key (encrypted keys not supported)" | ||||
|                 ) | ||||
|         })? | ||||
|             }, | ||||
|         )? | ||||
|     }; | ||||
|  | ||||
|     // prefer to load pkcs8 keys | ||||
|     if !pkcs8_keys.is_empty() { | ||||
|         Ok(rustls::PrivateKey(pkcs8_keys[0].clone())) | ||||
|         Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key())) | ||||
|     } else { | ||||
|         assert!(!rsa_keys.is_empty()); | ||||
|         Ok(rustls::PrivateKey(rsa_keys[0].clone())) | ||||
|         Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key())) | ||||
|     } | ||||
| } | ||||
|  | ||||
|   | ||||
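Review bot: `client_auth_roots.add(root).unwrap();` in the get_ssl_config hunk panics the process when the file behind `ssl_auth_path` holds a certificate rustls rejects, while every other failure in this function is reported as an anyhow error; since `RootCertStore::add` returns a `Result`, `client_auth_roots.add(root).map_err(|e| anyhow::anyhow!("invalid certificate in client auth file: {e}"))?;` keeps the error path consistent. The same applies to `rustls::crypto::ring::Ticketer::new().unwrap()` in the ssl_tickets hunk. The new `client_verifier.build()?` can also fail on its own (I believe the webpki verifier builder refuses an empty root store, which the old verifiers silently accepted), and the bare `?` surfaces that without naming the offending option, so it deserves a `map_err` in the same style. A short comment on the `allow_unauthenticated()` branch would help operators, e.g. `// ssl_require_auth=false: clients may omit a certificate, but any certificate they do present is still checked against client_auth_roots`. get_ssl_config continues past this hunk into the two that follow it.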