Improve TLS support

Cargo.lock

@@ -164,17 +164,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "async-rustls"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c86f33abd5a4f3e2d6d9251a9e0c6a7e52eb1113caf893dae8429bf4a53f378"
-dependencies = [
- "futures-lite",
- "rustls",
- "webpki",
-]
-
 [[package]]
 name = "async-task"
 version = "4.1.0"
@@ -489,7 +478,6 @@ version = "0.3.2"
 dependencies = [
  "async-channel",
  "async-compat",
- "async-rustls",
  "async-trait",
  "bincode",
  "capnp",
@@ -500,6 +488,7 @@ dependencies = [
  "easy-parallel",
  "flexbuffers",
  "futures 0.3.21",
+ "futures-rustls",
  "futures-signals",
  "futures-test",
  "futures-util",
@@ -511,7 +500,7 @@ dependencies = [
  "rsasl",
  "rumqttc",
  "rust-argon2",
- "rustls",
+ "rustls 0.20.4",
  "rustls-pemfile",
  "serde",
  "serde_dhall",
@@ -743,6 +732,17 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "futures-rustls"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d383f0425d991a05e564c2f3ec150bd6dde863179c131dd60d8aa73a05434461"
+dependencies = [
+ "futures-io",
+ "rustls 0.20.4",
+ "webpki 0.22.0",
+]
+
 [[package]]
 name = "futures-signals"
 version = "0.3.24"
@@ -1515,7 +1515,7 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "url",
- "webpki",
+ "webpki 0.21.4",
 ]
 
 [[package]]
@@ -1539,8 +1539,20 @@ dependencies = [
  "base64",
  "log",
  "ring",
- "sct",
+ "sct 0.6.1",
- "webpki",
+ "webpki 0.21.4",
+]
+
+[[package]]
+name = "rustls"
+version = "0.20.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921"
+dependencies = [
+ "log",
+ "ring",
+ "sct 0.7.0",
+ "webpki 0.22.0",
 ]
 
 [[package]]
@@ -1583,6 +1595,16 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "sct"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.136"
@@ -1966,9 +1988,9 @@ version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
 dependencies = [
- "rustls",
+ "rustls 0.19.1",
  "tokio",
- "webpki",
+ "webpki 0.21.4",
 ]
 
 [[package]]
@@ -2162,6 +2184,16 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "webpki"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"

Cargo.toml

@@ -71,9 +71,9 @@ easy-parallel = "3.1.0"
 genawaiter = "0.99.1"
 
 # TLS
-rustls = "0.19"
+rustls = "0.20"
 rustls-pemfile = "0.2"
-async-rustls = "0.2"
+futures-rustls = "0.22.0"
 
 [build-dependencies]
 capnpc = "0.14.4"

src/connection.rs

@@ -7,8 +7,6 @@ use std::future::Future;
 
 use std::sync::Arc;
 
-use async_rustls::server::TlsStream;
-
 use slog::Logger;
 
 
@@ -17,6 +15,7 @@ use crate::api::Bootstrap;
 use crate::error::Result;
 
 use capnp_rpc::{rpc_twoparty_capnp, twoparty};
+use futures_rustls::server::TlsStream;
 
 use smol::io::split;
 

src/server.rs

@@ -20,8 +20,8 @@ use std::sync::Arc;
 
 use std::os::unix::io::AsRawFd;
 use std::path::Path;
-use async_rustls::TlsAcceptor;
+use futures_rustls::TlsAcceptor;
-use rustls::{Certificate, KeyLogFile, NoClientAuth, PrivateKey, ServerConfig};
+use rustls::{Certificate, KeyLogFile, PrivateKey, ServerConfig};
 
 use signal_hook::low_level::pipe as sigpipe;
 
@@ -60,23 +60,30 @@ pub fn serve_api_connections(log: Arc<Logger>, config: Config, db: Databases, nw
         .collect();
     info!(log, "Reading private key file");
     let mut keyfp = BufReader::new(File::open(&config.keyfile)?);
-    let mut tls_config = ServerConfig::new(Arc::new(NoClientAuth));
+    let mut tls_builder = ServerConfig::builder()
-    tls_config.key_log = Arc::new(KeyLogFile::new());
+        .with_safe_defaults()
-    if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
+        .with_no_client_auth()
-        let path = Path::new(&path);
+        ;
-        warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
+
-            path.display());
+    let mut tls_config;
-    }
     match rustls_pemfile::read_one(&mut keyfp)? {
         Some(rustls_pemfile::Item::PKCS8Key(key) | rustls_pemfile::Item::RSAKey(key)) => {
             let key = PrivateKey(key);
-            tls_config.set_single_cert(certs, key)?;
+            tls_config = tls_builder.with_single_cert(certs, key)?;
         }
         _ => {
             error!(log, "private key file must contain a PEM-encoded private key");
             return Ok(());
         }
     }
+
+    if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
+        let path = Path::new(&path);
+        warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
+            path.display());
+    }
+    tls_config.key_log = Arc::new(KeyLogFile::new());
+
     let tls_acceptor: TlsAcceptor = Arc::new(tls_config).into();
 
     // Bind to each address in config.listens.