Unify TLS on rustls and upgrade remaining dependencies #433

Merged: thinkingfish merged 7 commits into main from rustls on Mar 22, 2026

@thinkingfish
Member

Summary

  • Replace BoringSSL/OpenSSL/native-tls with rustls as the sole TLS provider, eliminating ~250 lines of #[cfg]-gated code and all C/C++ TLS dependencies
  • Upgrade remaining major dependencies: tonic 0.14, prost 0.14, rand 0.10, ratelimit 1.0
  • Migrate deprecated momento from_env_var to from_env_var_v2
  • Remove 5 unused dependencies (mio, pin-project, sha1, slab, url-escape)

Changes

  • cdd83ab refactor: replace boringssl/openssl with rustls for all TLS
  • c74e6df fix: migrate from deprecated CredentialProvider::from_env_var to from_env_var_v2
  • 7221182 chore: upgrade tonic 0.12 -> 0.14, prost 0.13 -> 0.14
  • bc00933 chore: upgrade rand 0.9 -> 0.10, rand_distr 0.5 -> 0.6, rand_xoshiro 0.7 -> 0.8
  • 6ff43c0 chore: switch ratelimit from git dep to crates.io 1.0.0
  • 6afb3cc chore: remove unused dependencies (mio, pin-project, sha1, slab, url-escape)

Test plan

  • cargo build succeeds with no feature flags (BoringSSL/OpenSSL features removed)
  • TLS connections work (memcache, ping ASCII clients via rustls)
  • mTLS with client certs works
  • verify_hostname: false config option works
  • Redis TLS (now rustls) connects successfully
  • MySQL/sqlx TLS (now rustls) connects successfully
  • Momento clients authenticate with from_env_var_v2
  • gRPC ping client works with tonic 0.14

thinkingfish and others added 6 commits March 20, 2026 23:20
- Remove boring, boring-sys, tokio-boring, openssl, openssl-src,
  openssl-sys, tokio-openssl, foreign-types-shared dependencies
- Remove boringssl/openssl feature flags entirely
- Switch pelikan-net to git dep (0.5.0 uses rustls natively)
- Switch redis from tls-native-tls to tls-rustls
- Switch sqlx from tls-native-tls to tls-rustls
- Add rustls-pemfile for PEM loading in Connector
- Rewrite src/net/mod.rs: eliminate ~250 lines of #[cfg]-gated
  dual-provider code, replace with single rustls implementation
- Support mTLS, custom CA, verify_hostname, SNI config options

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…_env_var_v2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tonic-build split into tonic-prost-build (build dep) and tonic-prost
(runtime dep for ProstCodec). compile_protos API unchanged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…0.7 -> 0.8

RngCore removed from rand; replaced with Rng (trait object bound) and
RngExt (extension methods like fill, random, random_range).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…escape)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment thread src/net/mod.rs
#[cfg(feature = "openssl")]
OpensslTlsTcp(tokio_openssl::SslStream<tokio::net::TcpStream>),
Tls(tokio_rustls::client::TlsStream<tokio::net::TcpStream>),
}
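
Review bot: The code-scanning annotation on this enum reports a large size difference between variants, and the `Tls(tokio_rustls::client::TlsStream<tokio::net::TcpStream>)` variant in these lines wraps the whole TLS stream inline. If that is the variant clippy measures as large, every value of the enum is sized for it, including plain TCP connections. Consider boxing it, for example `Tls(Box<tokio_rustls::client::TlsStream<tokio::net::TcpStream>>)`, at the cost of one heap allocation per TLS connection, or add an explicit `#[allow(clippy::large_enum_variant)]` with a comment recording why the size is acceptable, so the warning does not linger unaddressed after the merge.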

Check warning (Code scanning / clippy): large size difference between variants
@@ -0,0 +1,92 @@
# Replace BoringSSL/OpenSSL with rustls
Contributor

Is this intended to be included?

Contributor

@brayniac brayniac left a comment

I think the plan markdown can be removed. Otherwise LGTM

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@thinkingfish thinkingfish merged commit d70cb3e into main Mar 22, 2026
24 checks passed
@thinkingfish thinkingfish deleted the rustls branch March 22, 2026 21:55