kbs-client: Add native-tls feature#1387
Conversation
f91c557 to
c7480a4
Compare
Xynnn007
left a comment
There was a problem hiding this comment.
hey @iroykaufman Do you have any scenarios where only openssl can work, while default tls cannot?
Historically, we bring in rust-tls because at that time openssl cannot be statically compiled. But now it supports, thus we can consider to fully turn to openssl if possible.
OpenSSL supports FIPS and PQC, so it can be beneficial to use OpenSSL instead of rust-tls because of those standards. |
ece8779 to
ed6a14d
Compare
Sounds good. In future we might consider fully embrace openssl. |
73611e4 to
dd12f33
Compare
|
this looks similar to what I recently evaluated with the question: can I build everything with the same crypto implementation/configuration. this work makes sense but it looks the PR topic is a bit off (more than just |
My understanding is that we cannot build everything using |
It's because reqwest is set to use
But I don't think there's a non-hacky way to set a TLS implementation at workspace level. |
dd12f33 to
6863538
Compare
Oh sorry, I only took a quick look and it looked like there's changes beyond what |
Our immediate focus for now was kbs-client but if desired it shouldn't be much work to extend to other crates. What we didn't know before raising was
, so I don't know if going all-native-tls is too drastic for now/breaks other things. BTW the CI failures seem unrelated but I haven't been contributing for a while so I could be wrong |
Let's start with the kbs-client crate. I think it's acceptable. Going fully to native-tls might be our target but NOT this PR's responsibility. We will take a try in later PRs. I think @mythi cares about, is that it looks like the PR have touched some codes that might not be related to the PR's target. I did not take much look on the PR as it's still draft. And I'd like to offer help when it gets ready.
I have retriggered the CI. The CI is not always to be happy, and we're working on those issues. |
| default = ["reqwest/default-tls"] | ||
|
|
||
| native-tls = ["reqwest/native-tls", "kbs_protocol/openssl"] | ||
|
|
There was a problem hiding this comment.
can we add another feature named default-tls = ["reqwest/default-tls"] and default= ["default-tls"] ? I think a crate-level feature controls tls suites makes sense, wdyt?
There was a problem hiding this comment.
I think it's a good idea. It also allows us to use --no-default-features with default-tls.
Co-authored-by: Jakob Naucke <jnaucke@redhat.com> Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
6863538 to
95b4a81
Compare
Xynnn007
left a comment
There was a problem hiding this comment.
LGTM. Thanks! @iroykaufman @Jakob-Naucke
fitzthum
left a comment
There was a problem hiding this comment.
LGTM
can have a bigger discussion about our crypto backends but this PR seems fine
This PR introduces an option to use
native-tlswithkbs-client.This can be beneficial for projects that want to use
kbs-clientas a dependency for API calls to KBS, but still want to usenative-tls.