feat: make Rustls the default TLS provider. (#2752)

* feat: Make Rustls the default TLS provider.

This switches the default TLS provider to Rustls. It keeps the `native-tls` feature with the same configuration it had before as the default TLS provider.

* fix: Fix TlsBackend default options.

* fix: Remove hyper-tls from the default-tls feature.

It's not used by Rustls.

* fix: Update precise dependencies to run MSRV.

* fix: Make explicit the dependency version for aws-lc-sys.

This allows Reqwest to build on nightly with a version of aws-lc-sys that works and still maintains MSRV.

* fix: Use aws-lc-rs as provider when both ring and aws-lc-rs are enabled.

This should be a corner case since only one feature should be enable at a time, but some checks enable all features. Favor aws-lc-rs when all features are enabled.

* fix: Fix feature config formatting.

* fix: Reverse precise dep ordering.

This ensures that the MSRV for all dependencies are met.

* fix: Pin hyper-rustls precise version.

* fix: Build `default_rustls_crypto_provider` only when rustls is enabled.

* fix: Make rustls-tls feature work without default-tls.

* fix: Remove unused dependency.

Update the MSRV check to use precise dependency versions.

* fix: Install Crypto Provider to run the HTTP3 tests.

Since both Ring and AWS-LC-RS are supported, we need to explicitly install the correct Crypto Provider before configuring the server.

* fix: Update nightly run with the precise version of aws-lc-sys.

* fix: Use prebuilt NASM compiled code on Windows.

See: https://github.com/aws/aws-lc-rs/blob/f0a6350abb247b413ffbf8ae8d8e1eb3bb1d4e66/aws-lc-sys/README.md?plain=1#L37

* fix: Update the precise version of aws-lc-rs for nightly builds.

* fix: Update all Windows targets to use prebuilt nasm binaries.

* fix: Set LIBCLANG_PATH for windows builds.

* fix: Install clang and nasm on Windows i686.

* fix: Run macman.exe after adding it to the path.

* fix: Add clang and nasm for Windows x86_64 GNU.

Author: calavera

.github/workflows/ci.yml

@@ -56,6 +56,9 @@ jobs:
 
     runs-on: ${{ matrix.os || 'ubuntu-latest' }}
 
+    env:
+      AWS_LC_SYS_PREBUILT_NASM: ${{ matrix.aws_lc_sys_prebuilt_nasm || 0 }}
+
     # The build matrix does not yet support 'allow failures' at job level.
     # See `jobs.nightly` for the active nightly job definition.
     strategy:
@@ -103,24 +106,28 @@ jobs:
             os: windows-latest
             target: x86_64-pc-windows-msvc
             features: "--features blocking,gzip,brotli,zstd,deflate,json,multipart,stream"
+            aws_lc_sys_prebuilt_nasm: 1
           - name: windows / stable-i686-msvc
             os: windows-latest
             target: i686-pc-windows-msvc
             features: "--features blocking,gzip,brotli,zstd,deflate,json,multipart,stream"
+            aws_lc_sys_prebuilt_nasm: 1
           - name: windows / stable-x86_64-gnu
             os: windows-latest
             rust: stable-x86_64-pc-windows-gnu
             target: x86_64-pc-windows-gnu
             features: "--features blocking,gzip,brotli,zstd,deflate,json,multipart,stream"
             package_name: mingw-w64-x86_64-gcc
             mingw64_path: "C:\\msys64\\mingw64\\bin"
+            aws_lc_sys_prebuilt_nasm: 1
           - name: windows / stable-i686-gnu
             os: windows-latest
             rust: stable-i686-pc-windows-gnu
             target: i686-pc-windows-gnu
             features: "--features blocking,gzip,brotli,zstd,deflate,json,multipart,stream"
             package_name: mingw-w64-i686-gcc
             mingw64_path: "C:\\msys64\\mingw32\\bin"
+            aws_lc_sys_prebuilt_nasm: 1
 
           - name: "feat.: default-tls disabled"
             features: "--no-default-features"
@@ -182,6 +189,26 @@ jobs:
         if: matrix.mingw64_path
         shell: bash
 
+      - name: Install i686 Clang & NASM
+        if: ${{ matrix.target == 'i686-pc-windows-gnu' }}
+        run: pacman.exe -Sy --noconfirm mingw-w64-i686-clang mingw-w64-i686-nasm
+        shell: bash
+
+      - name: Install x86_64 Clang & NASM
+        if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }}
+        run: pacman.exe -Sy --noconfirm mingw-w64-x86_64-clang mingw-w64-x86_64-nasm
+        shell: bash
+
+      - name: Add libclang to the environment for windows i686-gnu
+        run: echo "LIBCLANG_PATH=C:\msys64\mingw32\bin" >> $env:GITHUB_ENV
+        if: ${{ matrix.target == 'i686-pc-windows-gnu' }}
+        shell: bash
+
+      - name: Add libclang to the environment for windows x86_64-gnu
+        run: echo "LIBCLANG_PATH=C:\msys64\mingw64\bin" >> $env:GITHUB_ENV
+        if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }}
+        shell: bash
+
       - name: Update gcc
         if: matrix.package_name
         run: pacman.exe -Sy --noconfirm ${{ matrix.package_name }}
@@ -219,7 +246,7 @@ jobs:
       - uses: Swatinem/rust-cache@v2
 
       - name: check --feature-powerset
-        run: cargo hack --no-dev-deps check --feature-powerset --depth 2 --skip http3,__tls,__rustls,__rustls-ring,native-tls-vendored,trust-dns
+        run: cargo hack --no-dev-deps check --feature-powerset --depth 2 --skip http3,__tls,__rustls,__rustls-ring,__rustls-aws-lc-rs,native-tls-vendored,trust-dns
         env:
           RUSTFLAGS: "-D dead_code -D unused_imports"
 
@@ -284,6 +311,8 @@ jobs:
           cargo clean
           cargo update -Z minimal-versions
           cargo update -p proc-macro2 --precise 1.0.87
+          cargo update -p aws-lc-rs --precise 1.13.1
+          cargo update -p aws-lc-sys --precise 0.29.0
           cargo update -p openssl-sys
           cargo update -p openssl
           cargo check
@@ -314,6 +343,23 @@ jobs:
         with:
           toolchain: ${{ steps.metadata.outputs.msrv }}
 
+       - name: Fix dependency versions
+         run: |
+           cargo update
+           cargo update -p log --precise 0.4.18
+           cargo update -p tokio --precise 1.29.1
+           cargo update -p tokio-util --precise 0.7.11
+           cargo update -p idna_adapter --precise 1.1.0
+           cargo update -p hashbrown --precise 0.15.0
+           cargo update -p native-tls --precise 0.2.13
+           cargo update -p once_cell --precise 1.20.3
+           cargo update -p tracing-core --precise 0.1.33
+           cargo update -p hyper-rustls --precise 0.27.2
+           cargo update -p tokio-rustls --precise 0.26.0
+           cargo update -p rustls --precise 0.23.19
+           cargo update -p aws-lc-rs --precise 1.13.1
+           cargo update -p aws-lc-sys --precise 0.29.0
+
       - uses: Swatinem/rust-cache@v2
 
       - name: Check

Cargo.toml

@@ -36,14 +36,11 @@ features = [
 [features]
 default = ["default-tls", "charset", "http2", "system-proxy"]
 
-# Note: this doesn't enable the 'native-tls' feature, which adds specific
-# functionality for it.
-default-tls = ["dep:hyper-tls", "dep:native-tls-crate", "__tls", "dep:tokio-native-tls"]
+default-tls = ["rustls-tls"]
 
 http2 = ["h2", "hyper/http2", "hyper-util/http2", "hyper-rustls?/http2"]
 
-# Enables native-tls specific functionality not available by default.
-native-tls = ["default-tls"]
+native-tls = ["dep:hyper-tls", "dep:native-tls-crate", "__tls", "dep:tokio-native-tls"]
 native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"]
 native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]
 
@@ -54,9 +51,9 @@ rustls-tls-manual-roots-no-provider = ["__rustls"]
 rustls-tls-webpki-roots-no-provider = ["dep:webpki-roots", "hyper-rustls?/webpki-tokio", "__rustls"]
 rustls-tls-native-roots-no-provider = ["dep:rustls-native-certs", "hyper-rustls?/native-tokio", "__rustls"]
 
-rustls-tls-manual-roots = ["rustls-tls-manual-roots-no-provider", "__rustls-ring"]
-rustls-tls-webpki-roots = ["rustls-tls-webpki-roots-no-provider", "__rustls-ring"]
-rustls-tls-native-roots = ["rustls-tls-native-roots-no-provider", "__rustls-ring"]
+rustls-tls-manual-roots = ["rustls-tls-manual-roots-no-provider", "__rustls-aws-lc-rs"]
+rustls-tls-webpki-roots = ["rustls-tls-webpki-roots-no-provider", "__rustls-aws-lc-rs"]
+rustls-tls-native-roots = ["rustls-tls-native-roots-no-provider", "__rustls-aws-lc-rs"]
 
 blocking = ["dep:futures-channel", "futures-channel?/sink", "dep:futures-util", "futures-util?/io", "futures-util?/sink", "tokio/sync"]
 
@@ -104,6 +101,7 @@ __tls = ["dep:rustls-pki-types", "tokio/io-util"]
 # Equivalent to rustls-tls-manual-roots but shorter :)
 __rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls"]
 __rustls-ring = ["hyper-rustls?/ring", "tokio-rustls?/ring", "rustls?/ring", "quinn?/ring"]
+__rustls-aws-lc-rs = ["hyper-rustls?/aws-lc-rs", "tokio-rustls?/aws-lc-rs", "rustls?/aws-lc-rs", "quinn?/aws-lc-rs"]
 
 [dependencies]
 base64 = "0.22"
@@ -142,12 +140,12 @@ pin-project-lite = "0.2.11"
 rustls-pki-types = { version = "1.9.0", features = ["std"], optional = true }
 mime = { version = "0.3.16", optional = true }
 
-## default-tls
+# native-tls
 hyper-tls = { version = "0.6", optional = true }
 native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls" }
 tokio-native-tls = { version = "0.3.0", optional = true }
 
-# rustls-tls
+# default-tls and rustls-tls
 hyper-rustls = { version = "0.27.0", default-features = false, optional = true, features = ["http1", "tls12"] }
 rustls = { version = "0.23.4", optional = true, default-features = false, features = ["std", "tls12"] }
 tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["tls12"] }

src/async_impl/client.rs

@@ -51,7 +51,7 @@ use http::header::{
 use http::uri::Scheme;
 use http::Uri;
 use hyper_util::client::legacy::connect::HttpConnector;
-#[cfg(feature = "default-tls")]
+#[cfg(feature = "native-tls")]
 use native_tls_crate::TlsConnector;
 use pin_project_lite::pin_project;
 #[cfg(feature = "http3")]
@@ -487,8 +487,8 @@ impl ClientBuilder {
 
             #[cfg(feature = "__tls")]
             match config.tls {
-                #[cfg(feature = "default-tls")]
-                TlsBackend::Default => {
+                #[cfg(feature = "native-tls")]
+                TlsBackend::NativeTls => {
                     let mut tls = TlsConnector::builder();
 
                     #[cfg(all(feature = "native-tls-alpn", not(feature = "http3")))]
@@ -554,7 +554,7 @@ impl ClientBuilder {
                         tls.max_protocol_version(Some(protocol));
                     }
 
-                    ConnectorBuilder::new_default_tls(
+                    ConnectorBuilder::new_native_tls(
                         http,
                         tls,
                         proxies.clone(),
@@ -578,7 +578,7 @@ impl ClientBuilder {
                     )?
                 }
                 #[cfg(feature = "native-tls")]
-                TlsBackend::BuiltNativeTls(conn) => ConnectorBuilder::from_built_default_tls(
+                TlsBackend::BuiltNativeTls(conn) => ConnectorBuilder::from_built_native_tls(
                     http,
                     conn,
                     proxies.clone(),
@@ -725,13 +725,7 @@ impl ClientBuilder {
                     // If not, we use ring.
                     let provider = rustls::crypto::CryptoProvider::get_default()
                         .map(|arc| arc.clone())
-                        .unwrap_or_else(|| {
-                            #[cfg(not(feature = "__rustls-ring"))]
-                            panic!("No provider set");
-
-                            #[cfg(feature = "__rustls-ring")]
-                            Arc::new(rustls::crypto::ring::default_provider())
-                        });
+                        .unwrap_or_else(default_rustls_crypto_provider);
 
                     // Build TLS config
                     let signature_algorithms = provider.signature_verification_algorithms;
@@ -2014,7 +2008,7 @@ impl ClientBuilder {
     #[cfg(feature = "native-tls")]
     #[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
     pub fn use_native_tls(mut self) -> ClientBuilder {
-        self.config.tls = TlsBackend::Default;
+        self.config.tls = TlsBackend::NativeTls;
         self
     }
 
@@ -2367,6 +2361,18 @@ impl Default for Client {
     }
 }
 
+#[cfg(feature = "__rustls")]
+fn default_rustls_crypto_provider() -> Arc<rustls::crypto::CryptoProvider> {
+    #[cfg(not(any(feature = "__rustls-ring", feature = "__rustls-aws-lc-rs")))]
+    panic!("No provider set");
+
+    #[cfg(all(feature = "__rustls-ring", not(feature = "__rustls-aws-lc-rs")))]
+    return Arc::new(rustls::crypto::ring::default_provider());
+
+    #[cfg(feature = "__rustls-aws-lc-rs")]
+    Arc::new(rustls::crypto::aws_lc_rs::default_provider())
+}
+
 impl Client {
     /// Constructs a new `Client`.
     ///