Cargo: update Rustls & associated crates to 0.23

* updates rustls 0.22 to 0.23
* updates tokio-rustls 0.25 to 0.26
* updates rustls-platform-verifier 0.2 to 0.3
* addresses default crypto provider requirements for tests, examples
* makes aws-lc-rs the default crypto provider, matching upstream. Ring
  remains available opt-in with the `ring` feature.

Author: cpu

Cargo.toml

@@ -17,23 +17,23 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
 rustls-native-certs = { version = "0.7", optional = true }
-rustls-platform-verifier = { version = "0.2", optional = true }
-rustls = { version = "0.22", default-features = false }
+rustls-platform-verifier = { version = "0.3", optional = true }
+rustls = { version = "0.23", default-features = false }
 tokio = "1.0"
-tokio-rustls = { version = "0.25", default-features = false }
+tokio-rustls = { version = "0.26", default-features = false }
 tower-service = "0.3"
 webpki-roots = { version = "0.26", optional = true }
 futures-util = { version = "0.3", default-features = false }
 
 [dev-dependencies]
 http-body-util = "0.1"
 hyper-util = { version = "0.1", default-features = false, features = ["server-auto"] }
-rustls = { version = "0.22", default-features = false, features = ["tls12"] }
+rustls = { version = "0.23", default-features = false, features = ["tls12"] }
 rustls-pemfile = "2"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 
 [features]
-default = ["native-tokio", "http1", "tls12", "logging", "ring"]
+default = ["native-tokio", "http1", "tls12", "logging", "aws-lc-rs"]
 aws-lc-rs = ["rustls/aws_lc_rs"]
 http1 = ["hyper-util/http1"]
 http2 = ["hyper-util/http2"]
@@ -51,7 +51,7 @@ required-features = ["native-tokio", "http1"]
 [[example]]
 name = "server"
 path = "examples/server.rs"
-required-features = ["ring"]
+required-features = ["aws-lc-rs"]
 
 [package.metadata.docs.rs]
 all-features = true

examples/client.rs

@@ -26,6 +26,12 @@ fn error(err: String) -> io::Error {
 
 #[tokio::main]
 async fn run_client() -> io::Result<()> {
+    // Set a process wide default crypto provider.
+    #[cfg(feature = "ring")]
+    let _ = rustls::crypto::ring::default_provider().install_default();
+    #[cfg(feature = "aws-lc-rs")]
+    let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+
     // First parameter is target URL (mandatory).
     let url = match env::args().nth(1) {
         Some(ref url) => Uri::from_str(url).map_err(|e| error(format!("{}", e)))?,

examples/server.rs

@@ -34,6 +34,12 @@ fn error(err: String) -> io::Error {
 
 #[tokio::main]
 async fn run_server() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    // Set a process wide default crypto provider.
+    #[cfg(feature = "ring")]
+    let _ = rustls::crypto::ring::default_provider().install_default();
+    #[cfg(feature = "aws-lc-rs")]
+    let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+
     // First parameter is port number (optional, defaults to 1337)
     let port = match env::args().nth(1) {
         Some(ref p) => p.parse()?,

src/connector/builder.rs

@@ -17,12 +17,15 @@ use crate::config::ConfigBuilderExt;
 /// ```
 /// use hyper_rustls::HttpsConnectorBuilder;
 ///
-/// # #[cfg(all(feature = "webpki-roots", feature = "http1"))]
-/// let https = HttpsConnectorBuilder::new()
+/// # #[cfg(all(feature = "webpki-roots", feature = "http1", feature="aws-lc-rs"))]
+/// # {
+/// # let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+///     let https = HttpsConnectorBuilder::new()
 ///     .with_webpki_roots()
 ///     .https_only()
 ///     .enable_http1()
 ///     .build();
+/// # }
 /// ```
 pub struct ConnectorBuilder<State>(State);
 
@@ -54,7 +57,10 @@ impl ConnectorBuilder<WantsTlsConfig> {
     /// Use rustls' default crypto provider and other defaults, and the platform verifier
     ///
     /// See [`ConfigBuilderExt::with_platform_verifier()`].
-    #[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
+    #[cfg(all(
+        any(feature = "ring", feature = "aws-lc-rs"),
+        feature = "rustls-platform-verifier"
+    ))]
     pub fn with_platform_verifier(self) -> ConnectorBuilder<WantsSchemes> {
         self.with_tls_config(
             ClientConfig::builder()
@@ -67,7 +73,10 @@ impl ConnectorBuilder<WantsTlsConfig> {
     /// native roots.
     ///
     /// See [`ConfigBuilderExt::with_native_roots`]
-    #[cfg(all(feature = "ring", feature = "rustls-native-certs"))]
+    #[cfg(all(
+        any(feature = "ring", feature = "aws-lc-rs"),
+        feature = "rustls-native-certs"
+    ))]
     pub fn with_native_roots(self) -> std::io::Result<ConnectorBuilder<WantsSchemes>> {
         Ok(self.with_tls_config(
             ClientConfig::builder()
@@ -97,7 +106,7 @@ impl ConnectorBuilder<WantsTlsConfig> {
     /// safe defaults.
     ///
     /// See [`ConfigBuilderExt::with_webpki_roots`]
-    #[cfg(all(feature = "ring", feature = "webpki-roots"))]
+    #[cfg(all(any(feature = "ring", feature = "aws-lc-rs"), feature = "webpki-roots"))]
     pub fn with_webpki_roots(self) -> ConnectorBuilder<WantsSchemes> {
         self.with_tls_config(
             ClientConfig::builder()
@@ -316,6 +325,7 @@ mod tests {
     #[test]
     #[cfg(all(feature = "webpki-roots", feature = "http1"))]
     fn test_builder() {
+        ensure_global_state();
         let _connector = super::ConnectorBuilder::new()
             .with_webpki_roots()
             .https_only()
@@ -327,6 +337,7 @@ mod tests {
     #[cfg(feature = "http1")]
     #[should_panic(expected = "ALPN protocols should not be pre-defined")]
     fn test_reject_predefined_alpn() {
+        ensure_global_state();
         let roots = rustls::RootCertStore::empty();
         let mut config_with_alpn = rustls::ClientConfig::builder()
             .with_root_certificates(roots)
@@ -342,6 +353,7 @@ mod tests {
     #[test]
     #[cfg(all(feature = "http1", feature = "http2"))]
     fn test_alpn() {
+        ensure_global_state();
         let roots = rustls::RootCertStore::empty();
         let tls_config = rustls::ClientConfig::builder()
             .with_root_certificates(roots)
@@ -403,4 +415,11 @@ mod tests {
             .build();
         assert_eq!(&connector.tls_config.alpn_protocols, &[b"h2".to_vec()]);
     }
+
+    fn ensure_global_state() {
+        #[cfg(feature = "ring")]
+        let _ = rustls::crypto::ring::default_provider().install_default();
+        #[cfg(feature = "aws-lc-rs")]
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+    }
 }