forked from rustls/rustls
Track 0.23 #1
Closed
Notably this brings in pre-generated bindings for more platforms. See the upstream release notes[0][1] for more details.

[0]: https://github.com/aws/aws-lc-rs/releases/tag/v1.6.3
[1]: https://github.com/aws/aws-lc-rs/releases/tag/v1.6.4

Bumps [h2](https://github.com/hyperium/h2) from 0.3.24 to 0.3.26.
- [Release notes](https://github.com/hyperium/h2/releases)
- [Changelog](https://github.com/hyperium/h2/blob/v0.3.26/CHANGELOG.md)
- [Commits](hyperium/h2@v0.3.24...v0.3.26)

---
updated-dependencies:
- dependency-name: h2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* rustls-pemfile 2.1.1 -> 2.1.2
* rustversion 1.0.14 -> 1.0.15
* der 0.7.8 -> 0.7.9

This prepares for a change where we will generate RSA certificate chains for three modulus sizes. The existing certificates are left as-is, meaning the rsa-2048 intermediate and CA are using RSA 3072 and 4096 respectively. This will be fixed in subsequent commits with a switch to new tooling.
These aren't used anywhere and are just a byproduct of the OpenSSL based generation script. We'll soon be rid of this script, so let's remove these files.
This updates the project dev dependency on rcgen from 0.12 to 0.13, fixing breaking API changes as appropriate.
This commit updates the rustls crate's `examples/internal` module with a new `test_ca` binary that generates the Rustls test PKI. It closely matches the existing `build-a-pki.sh` script that generates the existing test data, but does so in pure Rust using `rcgen`. It can be run with:

```
cargo run -p rustls --example test_ca
```

Unlike the existing script the RSA chain generation was switched to be uniform with the approach used for ECDSA. Previously there was one RSA chain with the EE/client certs using RSA 2048, the intermediate using 3072 and the root using 4096. This version instead uses the same key size for all certs in the chain, but generates three chains: one for RSA 2048, one for 3072, and one for 4096. The existing test-data is left as-is with this commit and will be regenerated in a subsequent commit.

This commit regenerates the test-ca PKI using the rcgen tooling. A couple of small adjustments to unit tests are required:

1. We have to adjust down some expected write sizes: previously the singular RSA chain had 2048, 3072 and 4096 bit keys and the larger modulus sizes ensured a certain unit test always wrote more than 4000 bytes of data. With the new 2048 chain having _only_ 2048 bit keys the expected write threshold needs to be adjusted down to 3000 bytes.
2. The expected subject common names expected in the client auth hint tests need adjusting for the new RSA root common names.
3. We introduce new RSA_3072 and RSA_4096 key sizes, using the newly generated test chains.

Otherwise all existing tests continue to pass as expected without modification.
Rustls 0.23.2 added the groundwork for opting in to experimental post-quantum key exchange support using `X25519Kyber768Draft00`. Afterwards the remaining required pieces were released in a separate crate, `rustls-post-quantum`. As a result this commit moves the post-quantum KEX feature from the Future priorities to the Past priorities.

* anyhow 1.0.81 -> 1.0.82
* async-trait 0.1.79 -> 0.1.80
* time 0.3.34 -> 0.3.36

This allows callers to see if their handshake was Resumed, Full, or Full-with-HelloRetryRequest (which, broadly, are the three "cost" levels for handshakes). This is exposed as soon as it is known for sure.
The existing example should be easy enough to understand, but it's also easy enough to update for the current major releases for maximum clarity.
Have a test that demonstrates another route to reaching this state: a fully & cleanly closed connection.
We're seeing more of our deps move to this MSRV or higher (e.g. `webpki`, `rustls-platform-verifier`) and it's shipped in Debian stable. Time to move our MSRV to 1.63.
Of the form:

```
error: unnecessary closure used with `bool::then`
  --> rustls/src/tls13/mod.rs:42:9
   |
42 | /         (prev.common.hash_provider.algorithm() == self.common.hash_provider.algorithm())
43 | |             .then(|| prev)
   | |______________------------^
   |                |
   |                help: use `then_some(..)` instead: `then_some(prev)`
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_lazy_evaluations
   = note: `-D clippy::unnecessary-lazy-evaluations` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(clippy::unnecessary_lazy_evaluations)]`
```
The macos-latest runner no longer comes with golang preinstalled. Note that the fips build is not technically certified on macos, but it is still nonetheless useful to defend the ability to do `cargo test --all-features` on developer laptops.

* Updating hickory-resolver v0.24.0 -> v0.24.1
* Updating serde v1.0.197 -> v1.0.198
* Updating serde_derive v1.0.197 -> v1.0.198
* Updating serde_json v1.0.115 -> v1.0.116
* Updating aws-lc-rs v1.6.4 -> v1.7.0
* Updating aws-lc-sys v0.14.1 -> v0.15.0
* Updating hashbrown v0.13.2 -> v0.14.3

* serde v1.0.198 -> v1.0.199
* serde_derive v1.0.198 -> v1.0.199
* rustls-pki-types v1.4.1 -> v1.5.0
* hashbrown v0.14.3 -> v0.14.5

We rely on the msrv job for this check, and `clippy::incompatible_msrv` has false positives around tests, and non-core-crate programs like `bench`.
Previously this ignored all computation taking place in `ClientConnection::new`. That was a small amount in TLS1.2, but larger in TLS1.3. Indicative changes in the results look like:

Before:

> handshakes TLSv1_3 Rsa2048 TLS13_AES_128_GCM_SHA256 client server-auth no-resume 12802.14 handshake/s
> handshakes TLSv1_3 Rsa2048 TLS13_AES_128_GCM_SHA256 server server-auth no-resume 2080.38 handshake/s

After:

> handshakes TLSv1_3 Rsa2048 TLS13_AES_128_GCM_SHA256 client server-auth no-resume 11518.38 handshake/s
> handshakes TLSv1_3 Rsa2048 TLS13_AES_128_GCM_SHA256 server server-auth no-resume 2071.41 handshake/s

This is the suite used for comparative handshake benchmarks with openssl.
Re-privatise `asn1_wrap`
Removes `stabilityDays` (since renamed to `minimumReleaseAge`[0])

This was holding PRs back for 3 days after the dep update was released. We want these PRs basically ASAP and can tolerate subsequent point releases if there are post-release issues that cause the upstream to cut follow-ups.

[0]: https://docs.renovatebot.com/configuration-options/#minimumreleaseage

Adds `rebaseWhen`[0] with the `behind-base-branch` strategy. Previously we used the default (auto), but since our repo doesn't require branches be up-to-date for merge, the bot didn't bother rebasing with this strategy. Using behind-base-branch will do what we want here: have the bot rebase immediately when main updates.

[0]: https://docs.renovatebot.com/configuration-options/#rebasewhen

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.66.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](sfackler/rust-openssl@openssl-v0.10.64...openssl-v0.10.66)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Tag version 0.23.12
seems @VendettaReborn is already working on https://github.com/Watfaq/rustls/tree/utls-0.23