feat: update rustls to 0.21.0 and tokio-rustls to 0.24 (bytebeamio#606)

Author: CGQAQ

.gitignore

@@ -13,3 +13,4 @@ perf.data*
 node_modules
 cachegrind.out
 plot
+.uuid

Cargo.lock

@@ -34,6 +34,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - Refactored `eventloop::network_connect` to allow setting proxy
     - Added proxy options to `MqttOptions`
 
+ - Added support for TLS certificates containing IP addresses
+ - Added support for RFC8446 C.4 client tracking prevention.
+
 ### Changed
 - Remove `Box` on `Event::Incoming`
 

rumqttc/CHANGELOG.md

@@ -15,7 +15,7 @@ rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
 default = ["use-rustls"]
-use-rustls = ["dep:tokio-rustls", "dep:rustls-pemfile", "dep:rustls-native-certs"]
+use-rustls = ["dep:tokio-rustls", "dep:rustls-webpki", "dep:rustls-pemfile", "dep:rustls-native-certs"]
 use-native-tls = ["dep:tokio-native-tls", "dep:native-tls"]
 websocket = ["dep:async-tungstenite", "dep:ws_stream_tungstenite", "dep:http"]
 proxy = ["dep:async-http-proxy"]
@@ -30,12 +30,13 @@ thiserror = "1"
 
 # Optional
 # rustls
-tokio-rustls = { version = "0.23", optional = true }
+tokio-rustls = { version = "0.24", optional = true }
+rustls-webpki = { version = "0.100.1", optional = true }
 rustls-pemfile = { version = "1", optional = true }
 rustls-native-certs = { version = "0.6", optional = true }
 # websockets
-async-tungstenite = { version = "0.16", default-features = false, features = ["tokio-rustls-native-certs"], optional = true }
-ws_stream_tungstenite = { version = "0.7", default-features = false, features = ["tokio_io"], optional = true }
+async-tungstenite = { version = "0.22", default-features = false, features = ["tokio-rustls-native-certs"], optional = true }
+ws_stream_tungstenite = { version = "0.10", default-features = false, features = ["tokio_io"], optional = true }
 http = { version = "0.2", optional = true }
 # native-tls
 tokio-native-tls = { version = "0.3.0", optional = true }
@@ -50,7 +51,7 @@ color-backtrace = "0.4"
 matches = "0.1"
 pretty_assertions = "1"
 pretty_env_logger = "0.4"
-rustls = "0.20"
+rustls = "0.21"
 rustls-native-certs = "0.6"
 serde = { version = "1", features = ["derive"] }
 tokio = { version = "1", features = ["full", "macros"] }

rumqttc/Cargo.toml

@@ -5,7 +5,7 @@ use std::error::Error;
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
     use rumqttc::{self, AsyncClient, Event, Incoming, MqttOptions, Transport};
-    use rustls::ClientConfig;
+    use tokio_rustls::rustls::ClientConfig;
 
     pretty_env_logger::init();
     color_backtrace::install();
@@ -15,9 +15,9 @@ async fn main() -> Result<(), Box<dyn Error>> {
     mqttoptions.set_credentials("username", "password");
 
     // Use rustls-native-certs to load root certificates from the operating system.
-    let mut root_cert_store = rustls::RootCertStore::empty();
+    let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();
     for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
-        root_cert_store.add(&rustls::Certificate(cert.0))?;
+        root_cert_store.add(&tokio_rustls::rustls::Certificate(cert.0))?;
     }
 
     let client_config = ClientConfig::builder()

rumqttc/examples/tls.rs

@@ -7,8 +7,6 @@ use tokio_rustls::rustls::{
     Certificate, ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerName,
 };
 #[cfg(feature = "use-rustls")]
-use tokio_rustls::webpki;
-#[cfg(feature = "use-rustls")]
 use tokio_rustls::TlsConnector as RustlsConnector;
 
 #[cfg(feature = "use-rustls")]
@@ -44,8 +42,8 @@ pub enum Error {
     /// Certificate/Name validation error
     #[error("Web Pki: {0}")]
     WebPki(#[from] webpki::Error),
-    #[cfg(feature = "use-rustls")]
     /// Invalid DNS name
+    #[cfg(feature = "use-rustls")]
     #[error("DNS name")]
     DNSName(#[from] InvalidDnsNameError),
     #[cfg(feature = "use-rustls")]

rumqttc/src/tls.rs

@@ -18,7 +18,8 @@ flume = "0.10.9"
 slab = "0.4.3"
 thiserror = "1.0.24"
 tokio-util = { version = "0.7", features = ["codec"], optional = true }
-tokio-rustls =  { version = "0.23.0", optional = true }
+tokio-rustls = { version = "0.24", optional = true }
+rustls-webpki = { version = "0.100.1", optional = true }
 tokio-native-tls = { version = "0.3", optional = true }
 rustls-pemfile = { version = "1", optional = true }
 tokio-tungstenite = { version = "0.15.0", optional = true }
@@ -36,7 +37,7 @@ axum = "0.6.4"
 
 [features]
 default = ["use-rustls"]
-use-rustls = ["dep:tokio-rustls", "dep:rustls-pemfile", "dep:x509-parser"]
+use-rustls = ["dep:tokio-rustls", "dep:rustls-webpki", "dep:rustls-pemfile", "dep:x509-parser"]
 use-native-tls = ["dep:tokio-native-tls", "dep:x509-parser"]
 websockets = ["dep:tokio-tungstenite", "dep:websocket-codec", "dep:tokio-util", "dep:futures-util"]
 validate-tenant-prefix = []

rumqttd/Cargo.toml

@@ -21,7 +21,7 @@ use tokio_rustls::{
         client::InvalidDnsNameError, Certificate, ClientConfig, Error as TLSError,
         OwnedTrustAnchor, PrivateKey, RootCertStore, ServerName,
     },
-    webpki, TlsConnector,
+    TlsConnector,
 };
 use tracing::*;
 
@@ -319,7 +319,7 @@ pub enum BridgeError {
     Network(#[from] network::Error),
     #[error("Web Pki - {0}")]
     #[cfg(feature = "use-rustls")]
-    WebPki(#[from] tokio_rustls::webpki::Error),
+    WebPki(#[from] webpki::Error),
     #[error("DNS name - {0}")]
     #[cfg(feature = "use-rustls")]
     DNSName(#[from] InvalidDnsNameError),

rumqttd/src/link/bridge.rs

@@ -219,7 +219,7 @@ impl TLSAcceptor {
 
             ServerConfig::builder()
                 .with_safe_defaults()
-                .with_client_cert_verifier(AllowAnyAuthenticatedClient::new(store))
+                .with_client_cert_verifier(Arc::new(AllowAnyAuthenticatedClient::new(store)))
                 .with_single_cert(certs, key)?
         };