Rustls support with dynamic choice of TLS provider for cloud #1254
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
semver-checks-breaking
|
See the following report for details: cargo semver-checks output |
muzarski
force-pushed
the
rustls-support-muzarski
branch
7 times, most recently
from
e17e4e7 to
666879a
Compare
muzarski
force-pushed
the
rustls-support-muzarski
branch
5 times, most recently
from
0997b6f to
56469a4
Compare
Lorak-mmk
requested changes
Feb 21, 2025
scylla/src/cloud/config.rs
Outdated
Comment on lines
121
to
135
| let supported = builder.crypto_provider().signature_verification_algorithms; | ||
| builder | ||
| .dangerous() | ||
| .with_custom_certificate_verifier(Arc::new(NoCertificateVerification { | ||
| supported, | ||
| })) |
There was a problem hiding this comment.
I assume that the NoCertificateVerification behaves the same as SslVerifyMode::NONE for openssl? It doesn't disable more verifications than openssl?
There was a problem hiding this comment.
I'd need to investigate to answer that. Maybe @wprzytula knows something about it.
There was a problem hiding this comment.
I know nothing more in this regard. This is work of @nrxus.
There was a problem hiding this comment.
This is not really important for now anyway, right? Its just cloud, which is behind an unstable feature.
We will need to verify that before releasing it officially though.
There was a problem hiding this comment.
the intention is certainly to be the same as SSlVerifyMode::NONE which as far as I know just disables all verification of the certificate provided by the server so I added a custom certificate verifier that always returns Ok. I think I based this off: rustls/rustls#578 (comment)
muzarski
force-pushed
the
rustls-support-muzarski
branch
from
56469a4 to
fa4c2c2
Compare
|
Rebased on main (clippy fixes) |
muzarski
force-pushed
the
rustls-support-muzarski
branch
from
fa4c2c2 to
00199db
Compare
|
v1.1: Addressed @Lorak-mmk comments:
|
Ehhh... Now when we enable |
|
Is adding |
Yes |
muzarski
force-pushed
the
rustls-support-muzarski
branch
from
00199db to
eff5e41
Compare
|
v1.2: Silenced |
It's no longer necessary, as CloudConfig is now passed inside TlsProvider.
If in the future we choose to store data differently in UntranslatedPeer, we will now have freedom to do so, only preserving the getters. Otherwise, we would have to retain legacy fields in such case.
As address translation should not need ownership of neither datacenter nor rack, let's not require cloning them.
`UntranslatedPeer` is only used for address translation purposes and is not part of cluster metadata tables, so it makes sense for it to reside alongside `AddressTranslator`.
muzarski
force-pushed
the
rustls-support-muzarski
branch
from
f8d49e5 to
22f8d77
Compare
Rustls is now supported as ordinary TLS provider, for far only for the non-cloud case. Co-authored-by: Wojciech Przytuła <[email protected]>
rustls is now supported in cloud, too. Currently, the choice between rustls and openssl is done based on enabled features: - if openssl-010 feature is enabled, openssl is used for cloud; - else if rustls-023 feature is enabled, rustls is used for cloud; - else compile error is raised. The next commit introduces the runtime choice for cloud TLS provider. Co-authored-by: Andres Medina <[email protected]>
New types: - public CloudTlsProvider - It's a simple enum that allows the users to choose the provider dynamically (not statically based on the enabled features). It's used in public API in `CloudSessionBuilder::new()` where its instance needs to be passed alongside path to the cloud configuration file. - private TlsCert - an enum that holds the certificate data parsed by corresponding tls provider library. It's currently used only in `Datacenter` struct. cloud unit tests: - I deduplicated common test logic, and introduced analogous tests for rustls. cloud integration tests: - After this commit, nothing changes in this matter. I decided to leave the tests using the openssl backend (see `create_new_session_builder` in test utils). In the future, we might introduce the tests for rustls as well. Docs: - I updated the connecting.md to reflect the changes in the public API.
Co-authored-by: Wojciech Przytuła <[email protected]>
Because soon we will also have a tls-rustls.rs example.
Co-authored-by: Wojciech Przytuła <[email protected]>
As address translation no longer needs owned Strings, it's enough to pass references to UntranslatedEndpoint to `open_connection` & friends. Note that, unfortunately, we can't fully elide the clone in `start_opening_connection()`, because the endpoint may be mutated (in the shard-aware case) for the purpose of opening a connection to the shard-aware port. Nonetheless, now the limitation that requires us to clone is in internal code, not in the user-facing API, which is better for us.
As the Serverless Cloud is a highly unstable feature, it must be marked as such in order not to break API after 1.0 in case we need to introduce breaking changes to the feature.
As the tls module got quite large, it makes sense to extract it to the network supermodule.
The number of feature checks keeps increasing, so we need to impose some order on them or else we will regret.
More cargo checks are added to the CI that try various combinations of TLS and cloud related features.
muzarski
force-pushed
the
rustls-support-muzarski
branch
from
22f8d77 to
bf62952
Compare
@Lorak-mmk resolved the conflicts. CI passed |
Lorak-mmk
approved these changes
Feb 25, 2025
|
Doesn't this PR also close #771 ? |
After reading the discussion from the issue, I believe that this PR closes it. |
|
Ok, please add it to the PR description so that it is closed when I merge this. |
done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bases on #1190
Closes: #1190
Fixes: #771
What changes compared to the base PR:
__tlsfeature is removedCloudSessionBuilder::new().cloud.rsexample tocloud-openssl.rs. Introduced analogouscloud-rustls.rsexample.Pre-review checklist
./docs/source/.Fixes:annotations to PR description.