rust: default to rustls TLS backend, add native-tls opt-in #1806
Open
colbylwilliams wants to merge 1 commit into
The Rust crate hard-coded the OpenSSL-backed native-tls stack for its request-handler HTTP (reqwest `default-tls`) and WebSocket (tokio-tungstenite `native-tls`) clients, pulling in `openssl-sys`. That breaks `*-unknown-linux-musl` / fully-static builds (no OpenSSL sysroot) and adds a dynamic `libssl` runtime dependency on glibc.

Make TLS feature-gated and default to rustls:

- `rustls-tls` (default): reqwest `rustls-tls-native-roots` + tokio-tungstenite `rustls-tls-native-roots`, using rustls with the `ring` provider and the OS trust store. OpenSSL-free, so musl/static targets cross-compile with no system OpenSSL.
- `native-tls` (opt-in): keeps the platform-native stack for consumers who want it.

The transport code is TLS-backend-agnostic (`reqwest::Client::builder()` + `connect_async`), so no source changes were needed. For `wss://`, tokio-tungstenite resolves the rustls crypto provider via feature unification on the shared `rustls` crate (reqwest pins `ring`).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the Rust SDK crate’s dependency feature wiring so the request-handler transport (reqwest + tokio-tungstenite) defaults to a rustls-based TLS stack (to avoid OpenSSL on Linux/musl/static builds) while still providing an opt-in native-tls feature for consumers who want the platform TLS backend.
Changes:
- Make `rustls-tls` a new default crate feature and add an opt-in `native-tls` feature to select the TLS backend.
- Remove hard-coded TLS feature selection from the base `reqwest` and `tokio-tungstenite` dependency declarations.
- Document the new feature behavior and `default-features = false` implications in the Rust README.
| File | Description |
|---|---|
| rust/README.md | Documents new rustls-tls (default) and native-tls (opt-in) features and shows updated dependency examples. |
| rust/Cargo.toml | Adds TLS-selection crate features and removes hard-coded TLS features from transport dependencies. |
| rust/Cargo.lock | Lockfile updates reflecting the new (feature-gated) dependency graph. |
Review details
- Files reviewed: 2/3 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines +34 to +38
| # TLS backend for the request-handler HTTP/WebSocket transport. Exactly one | ||
| # should be enabled; `rustls-tls` is the default. `rustls-tls` uses rustls with | ||
| # the `ring` provider and the OS trust store, keeping the SDK OpenSSL-free so | ||
| # musl/static targets build without an OpenSSL sysroot. `native-tls` links the | ||
| # platform stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on |
Summary
Fixes #1805.
The Rust crate hard-coded the OpenSSL-backed `native-tls` stack for its request-handler HTTP and WebSocket clients, with no way to opt into rustls: `default-tls` (reqwest) and `native-tls` (tokio-tungstenite) both pull in `openssl-sys`, which links the system OpenSSL on Linux. This breaks `*-unknown-linux-musl` / fully-static builds (no OpenSSL sysroot) and adds a dynamic `libssl.so.3` runtime dependency on glibc.

Change

This implements both shapes the issue proposed: default to rustls and expose a `native-tls` cargo feature so consumers keep the choice.

- `rustls-tls` (new, default): reqwest `rustls-tls-native-roots` + tokio-tungstenite `rustls-tls-native-roots`, rustls with the `ring` provider and the OS trust store. OpenSSL-free, so musl/static targets cross-compile without a system OpenSSL sysroot.
- `native-tls` (new, opt-in): keeps the platform-native stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows) for consumers who want it.
- `reqwest` / `tokio-tungstenite` deps drop their hard-coded TLS features; TLS is now selected via the cargo features above.

The transport code (`copilot_request_handler.rs`) is TLS-backend-agnostic (`reqwest::Client::builder()` + `connect_async`), so no source changes were required. For `wss://`, tokio-tungstenite resolves the rustls crypto provider via Cargo feature unification on the shared `rustls` crate (reqwest pins `ring`).

Validation

- `cargo build` (default) is OpenSSL-free: `openssl-sys` no longer appears in the normal dependency graph; `ring` is the sole rustls crypto provider.
- `cargo check --no-default-features --features rustls-tls` and `--features native-tls` both compile.
- `wss://` path resolves the `ring` crypto provider (reaches the TLS handshake instead of panicking with "no process-level CryptoProvider available").
- `cargo +nightly fmt --check`, `cargo clippy --all-features --all-targets -- -D warnings`: clean.
- `cargo test --all-features`: green (177 lib + 365 e2e + integration + 23 doctests).
- `--features test-support`).

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com
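The feature wiring described in the commit message and in the review's Changes list, written out as an added example manifest. This is a reconstruction from the PR text, not the project's actual Cargo.toml: the crate name, the version numbers and the `json` feature are assumptions. The three pieces that turn a hard-coded backend into a selectable one are the `default = [...]` entry, the `dep/feature` forwarding in each TLS feature, and `default-features = false` on reqwest (whose default feature set is what carried `default-tls` before).

```toml
# Added example manifest, reconstructed from the PR description.
# Crate name, versions and the `json` feature are assumptions.
[package]
name = "copilot-sdk"      # assumed name
version = "0.1.0"
edition = "2021"

[features]
# Default to the OpenSSL-free stack. Consumers who want the platform
# TLS stack must disable defaults and opt into `native-tls` (see below).
default = ["rustls-tls"]

# rustls with the `ring` provider and the OS trust store
# (rustls-native-certs), selected for both the HTTP client and the
# WebSocket client. Both deps unify on the one shared `rustls` crate,
# which is how tokio-tungstenite ends up with `ring` as its provider.
rustls-tls = [
    "reqwest/rustls-tls-native-roots",
    "tokio-tungstenite/rustls-tls-native-roots",
]

# Platform stack: OpenSSL on Linux, Secure Transport on macOS,
# SChannel on Windows. Pulls `openssl-sys` on Linux.
native-tls = [
    "reqwest/native-tls",
    "tokio-tungstenite/native-tls",
]

[dependencies]
# `default-features = false` is what drops reqwest's hard-coded
# `default-tls` (the native-tls backed default); without it the backend
# is fixed here no matter which feature above the consumer picks.
reqwest = { version = "0.12", default-features = false, features = ["json"] }

# tokio-tungstenite's TLS features are all opt-in, so its defaults
# (`connect`, `handshake`, needed by `connect_async`) can stay on; the
# old hard-coding was an explicit `features = ["native-tls"]` here.
tokio-tungstenite = "0.24"

# Consumer side (assumed crate name), for a downstream project that
# wants the platform stack instead of the rustls default:
#
# [dependencies]
# copilot-sdk = { version = "0.1", default-features = false, features = ["native-tls"] }
```

Because Cargo features are additive, the consumer snippet only yields an OpenSSL-free binary if every crate in the graph that depends on the SDK also disables its default features; one dependent left on defaults re-enables `rustls-tls` alongside `native-tls`, and both backends get compiled in.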
cargo build(default) is OpenSSL-free:openssl-sysno longer appears in the normal dependency graph;ringis the sole rustls crypto provider.cargo check --no-default-features --features rustls-tlsand--features native-tlsboth compile.wss://path resolves theringcrypto provider (reaches the TLS handshake instead of panicking with "no process-level CryptoProvider available").cargo +nightly fmt --check,cargo clippy --all-features --all-targets -- -D warnings: clean.cargo test --all-features: green (177 lib + 365 e2e + integration + 23 doctests).--features test-support).Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com