mirror of
https://github.com/meilisearch/meilisearch.git
synced 2024-11-25 19:45:05 +08:00
Update rustls as much as possible
This commit is contained in:
parent
7a292b572a
commit
1bfb16386c
92
Cargo.lock
generated
92
Cargo.lock
generated
@ -149,11 +149,11 @@ dependencies = [
|
|||||||
"futures-core",
|
"futures-core",
|
||||||
"impl-more",
|
"impl-more",
|
||||||
"pin-project-lite",
|
"pin-project-lite",
|
||||||
|
"rustls-pki-types",
|
||||||
"tokio",
|
"tokio",
|
||||||
"tokio-rustls 0.24.1",
|
"tokio-rustls",
|
||||||
"tokio-util",
|
"tokio-util",
|
||||||
"tracing",
|
"tracing",
|
||||||
"webpki-roots 0.25.3",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
@ -2461,12 +2461,12 @@ dependencies = [
|
|||||||
"http 1.1.0",
|
"http 1.1.0",
|
||||||
"hyper",
|
"hyper",
|
||||||
"hyper-util",
|
"hyper-util",
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
"tokio",
|
"tokio",
|
||||||
"tokio-rustls 0.26.0",
|
"tokio-rustls",
|
||||||
"tower-service",
|
"tower-service",
|
||||||
"webpki-roots 0.26.1",
|
"webpki-roots",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
@ -3395,8 +3395,9 @@ dependencies = [
|
|||||||
"regex",
|
"regex",
|
||||||
"reqwest",
|
"reqwest",
|
||||||
"roaring",
|
"roaring",
|
||||||
"rustls 0.21.12",
|
"rustls",
|
||||||
"rustls-pemfile 1.0.4",
|
"rustls-pemfile",
|
||||||
|
"rustls-pki-types",
|
||||||
"segment",
|
"segment",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
@ -4272,7 +4273,7 @@ dependencies = [
|
|||||||
"quinn-proto",
|
"quinn-proto",
|
||||||
"quinn-udp",
|
"quinn-udp",
|
||||||
"rustc-hash",
|
"rustc-hash",
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"thiserror",
|
"thiserror",
|
||||||
"tokio",
|
"tokio",
|
||||||
"tracing",
|
"tracing",
|
||||||
@ -4288,7 +4289,7 @@ dependencies = [
|
|||||||
"rand",
|
"rand",
|
||||||
"ring",
|
"ring",
|
||||||
"rustc-hash",
|
"rustc-hash",
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"slab",
|
"slab",
|
||||||
"thiserror",
|
"thiserror",
|
||||||
"tinyvec",
|
"tinyvec",
|
||||||
@ -4516,15 +4517,15 @@ dependencies = [
|
|||||||
"percent-encoding",
|
"percent-encoding",
|
||||||
"pin-project-lite",
|
"pin-project-lite",
|
||||||
"quinn",
|
"quinn",
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"rustls-pemfile 2.1.2",
|
"rustls-pemfile",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
"serde_urlencoded",
|
"serde_urlencoded",
|
||||||
"sync_wrapper",
|
"sync_wrapper",
|
||||||
"tokio",
|
"tokio",
|
||||||
"tokio-rustls 0.26.0",
|
"tokio-rustls",
|
||||||
"tokio-util",
|
"tokio-util",
|
||||||
"tower-service",
|
"tower-service",
|
||||||
"url",
|
"url",
|
||||||
@ -4532,7 +4533,7 @@ dependencies = [
|
|||||||
"wasm-bindgen-futures",
|
"wasm-bindgen-futures",
|
||||||
"wasm-streams",
|
"wasm-streams",
|
||||||
"web-sys",
|
"web-sys",
|
||||||
"webpki-roots 0.26.1",
|
"webpki-roots",
|
||||||
"winreg",
|
"winreg",
|
||||||
]
|
]
|
||||||
|
|
||||||
@ -4682,18 +4683,6 @@ dependencies = [
|
|||||||
"windows-sys 0.52.0",
|
"windows-sys 0.52.0",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "rustls"
|
|
||||||
version = "0.21.12"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
|
|
||||||
dependencies = [
|
|
||||||
"log",
|
|
||||||
"ring",
|
|
||||||
"rustls-webpki 0.101.7",
|
|
||||||
"sct",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "rustls"
|
name = "rustls"
|
||||||
version = "0.23.11"
|
version = "0.23.11"
|
||||||
@ -4704,20 +4693,11 @@ dependencies = [
|
|||||||
"once_cell",
|
"once_cell",
|
||||||
"ring",
|
"ring",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
"rustls-webpki 0.102.5",
|
"rustls-webpki",
|
||||||
"subtle",
|
"subtle",
|
||||||
"zeroize",
|
"zeroize",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "rustls-pemfile"
|
|
||||||
version = "1.0.4"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
|
|
||||||
dependencies = [
|
|
||||||
"base64 0.21.7",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "rustls-pemfile"
|
name = "rustls-pemfile"
|
||||||
version = "2.1.2"
|
version = "2.1.2"
|
||||||
@ -4734,16 +4714,6 @@ version = "1.7.0"
|
|||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
|
checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "rustls-webpki"
|
|
||||||
version = "0.101.7"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
|
|
||||||
dependencies = [
|
|
||||||
"ring",
|
|
||||||
"untrusted",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "rustls-webpki"
|
name = "rustls-webpki"
|
||||||
version = "0.102.5"
|
version = "0.102.5"
|
||||||
@ -4792,16 +4762,6 @@ version = "1.2.0"
|
|||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
|
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "sct"
|
|
||||||
version = "0.7.1"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
|
|
||||||
dependencies = [
|
|
||||||
"ring",
|
|
||||||
"untrusted",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "seahash"
|
name = "seahash"
|
||||||
version = "4.1.0"
|
version = "4.1.0"
|
||||||
@ -5482,23 +5442,13 @@ dependencies = [
|
|||||||
"syn 2.0.60",
|
"syn 2.0.60",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "tokio-rustls"
|
|
||||||
version = "0.24.1"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
|
|
||||||
dependencies = [
|
|
||||||
"rustls 0.21.12",
|
|
||||||
"tokio",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "tokio-rustls"
|
name = "tokio-rustls"
|
||||||
version = "0.26.0"
|
version = "0.26.0"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
|
checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
"tokio",
|
"tokio",
|
||||||
]
|
]
|
||||||
@ -5804,13 +5754,13 @@ dependencies = [
|
|||||||
"flate2",
|
"flate2",
|
||||||
"log",
|
"log",
|
||||||
"once_cell",
|
"once_cell",
|
||||||
"rustls 0.23.11",
|
"rustls",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
"socks",
|
"socks",
|
||||||
"url",
|
"url",
|
||||||
"webpki-roots 0.26.1",
|
"webpki-roots",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
@ -6035,12 +5985,6 @@ dependencies = [
|
|||||||
"wasm-bindgen",
|
"wasm-bindgen",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "webpki-roots"
|
|
||||||
version = "0.25.3"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "webpki-roots"
|
name = "webpki-roots"
|
||||||
version = "0.26.1"
|
version = "0.26.1"
|
||||||
|
@ -17,7 +17,7 @@ actix-cors = "0.7.0"
|
|||||||
actix-http = { version = "3.8.0", default-features = false, features = [
|
actix-http = { version = "3.8.0", default-features = false, features = [
|
||||||
"compress-brotli",
|
"compress-brotli",
|
||||||
"compress-gzip",
|
"compress-gzip",
|
||||||
"rustls-0_21",
|
"rustls-0_23",
|
||||||
] }
|
] }
|
||||||
actix-utils = "3.0.1"
|
actix-utils = "3.0.1"
|
||||||
actix-web = { version = "4.8.0", default-features = false, features = [
|
actix-web = { version = "4.8.0", default-features = false, features = [
|
||||||
@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [
|
|||||||
"compress-brotli",
|
"compress-brotli",
|
||||||
"compress-gzip",
|
"compress-gzip",
|
||||||
"cookies",
|
"cookies",
|
||||||
"rustls-0_21",
|
"rustls-0_23",
|
||||||
] }
|
] }
|
||||||
anyhow = { version = "1.0.86", features = ["backtrace"] }
|
anyhow = { version = "1.0.86", features = ["backtrace"] }
|
||||||
async-trait = "0.1.81"
|
async-trait = "0.1.81"
|
||||||
@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [
|
|||||||
"rustls-tls",
|
"rustls-tls",
|
||||||
"json",
|
"json",
|
||||||
], default-features = false }
|
], default-features = false }
|
||||||
rustls = "0.21.12"
|
rustls = { version = "0.23.11", features = ["ring"], default-features = false }
|
||||||
rustls-pemfile = "1.0.4"
|
rustls-pki-types = { version = "1.7.0", features = ["alloc"] }
|
||||||
|
rustls-pemfile = "2.1.2"
|
||||||
segment = { version = "0.2.4", optional = true }
|
segment = { version = "0.2.4", optional = true }
|
||||||
serde = { version = "1.0.204", features = ["derive"] }
|
serde = { version = "1.0.204", features = ["derive"] }
|
||||||
serde_json = { version = "1.0.120", features = ["preserve_order"] }
|
serde_json = { version = "1.0.120", features = ["preserve_order"] }
|
||||||
|
@ -151,7 +151,7 @@ async fn run_http(
|
|||||||
.keep_alive(KeepAlive::Os);
|
.keep_alive(KeepAlive::Os);
|
||||||
|
|
||||||
if let Some(config) = opt_clone.get_ssl_config()? {
|
if let Some(config) = opt_clone.get_ssl_config()? {
|
||||||
http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?;
|
http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?;
|
||||||
} else {
|
} else {
|
||||||
http_server.bind(&opt_clone.http_addr)?.run().await?;
|
http_server.bind(&opt_clone.http_addr)?.run().await?;
|
||||||
}
|
}
|
||||||
|
@ -14,11 +14,9 @@ use clap::Parser;
|
|||||||
use meilisearch_types::features::InstanceTogglableFeatures;
|
use meilisearch_types::features::InstanceTogglableFeatures;
|
||||||
use meilisearch_types::milli::update::IndexerConfig;
|
use meilisearch_types::milli::update::IndexerConfig;
|
||||||
use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
|
use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
|
||||||
use rustls::server::{
|
use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier};
|
||||||
AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache,
|
|
||||||
};
|
|
||||||
use rustls::RootCertStore;
|
use rustls::RootCertStore;
|
||||||
use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
|
use rustls_pemfile::{certs, rsa_private_keys};
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use sysinfo::{MemoryRefreshKind, RefreshKind, System};
|
use sysinfo::{MemoryRefreshKind, RefreshKind, System};
|
||||||
use url::Url;
|
use url::Url;
|
||||||
@ -569,23 +567,21 @@ impl Opt {
|
|||||||
|
|
||||||
pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> {
|
pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> {
|
||||||
if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
|
if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
|
||||||
let config = rustls::ServerConfig::builder().with_safe_defaults();
|
let config = rustls::ServerConfig::builder();
|
||||||
|
|
||||||
let config = match &self.ssl_auth_path {
|
let config = match &self.ssl_auth_path {
|
||||||
Some(auth_path) => {
|
Some(auth_path) => {
|
||||||
let roots = load_certs(auth_path.to_path_buf())?;
|
let roots = load_certs(auth_path.to_path_buf())?;
|
||||||
let mut client_auth_roots = RootCertStore::empty();
|
let mut client_auth_roots = RootCertStore::empty();
|
||||||
for root in roots {
|
for root in roots {
|
||||||
client_auth_roots.add(&root).unwrap();
|
client_auth_roots.add(root).unwrap();
|
||||||
}
|
}
|
||||||
if self.ssl_require_auth {
|
let mut client_verifier =
|
||||||
let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots);
|
WebPkiClientVerifier::builder(client_auth_roots.into());
|
||||||
config.with_client_cert_verifier(Arc::from(verifier))
|
if !self.ssl_require_auth {
|
||||||
} else {
|
client_verifier = client_verifier.allow_unauthenticated();
|
||||||
let verifier =
|
|
||||||
AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots);
|
|
||||||
config.with_client_cert_verifier(Arc::from(verifier))
|
|
||||||
}
|
}
|
||||||
|
config.with_client_cert_verifier(client_verifier.build()?)
|
||||||
}
|
}
|
||||||
None => config.with_no_client_auth(),
|
None => config.with_no_client_auth(),
|
||||||
};
|
};
|
||||||
@ -594,7 +590,7 @@ impl Opt {
|
|||||||
let privkey = load_private_key(key_path.to_path_buf())?;
|
let privkey = load_private_key(key_path.to_path_buf())?;
|
||||||
let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
|
let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
|
||||||
let mut config = config
|
let mut config = config
|
||||||
.with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![])
|
.with_single_cert_with_ocsp(certs, privkey, ocsp)
|
||||||
.map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;
|
.map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;
|
||||||
|
|
||||||
config.key_log = Arc::new(rustls::KeyLogFile::new());
|
config.key_log = Arc::new(rustls::KeyLogFile::new());
|
||||||
@ -604,7 +600,7 @@ impl Opt {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if self.ssl_tickets {
|
if self.ssl_tickets {
|
||||||
config.ticketer = rustls::Ticketer::new().unwrap();
|
config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(Some(config))
|
Ok(Some(config))
|
||||||
@ -769,21 +765,26 @@ impl Deref for MaxThreads {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn load_certs(filename: PathBuf) -> anyhow::Result<Vec<rustls::Certificate>> {
|
fn load_certs(
|
||||||
|
filename: PathBuf,
|
||||||
|
) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
|
||||||
let certfile =
|
let certfile =
|
||||||
fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
|
fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
|
||||||
let mut reader = BufReader::new(certfile);
|
let mut reader = BufReader::new(certfile);
|
||||||
certs(&mut reader)
|
certs(&mut reader)
|
||||||
.map(|certs| certs.into_iter().map(rustls::Certificate).collect())
|
.collect::<Result<Vec<_>, _>>()
|
||||||
.map_err(|_| anyhow::anyhow!("cannot read certificate file"))
|
.map_err(|_| anyhow::anyhow!("cannot read certificate file"))
|
||||||
}
|
}
|
||||||
|
|
||||||
fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
|
fn load_private_key(
|
||||||
|
filename: PathBuf,
|
||||||
|
) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> {
|
||||||
let rsa_keys = {
|
let rsa_keys = {
|
||||||
let keyfile = fs::File::open(filename.clone())
|
let keyfile = fs::File::open(filename.clone())
|
||||||
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
|
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
|
||||||
let mut reader = BufReader::new(keyfile);
|
let mut reader = BufReader::new(keyfile);
|
||||||
rsa_private_keys(&mut reader)
|
rsa_private_keys(&mut reader)
|
||||||
|
.collect::<Result<Vec<_>, _>>()
|
||||||
.map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
|
.map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -791,19 +792,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
|
|||||||
let keyfile = fs::File::open(filename)
|
let keyfile = fs::File::open(filename)
|
||||||
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
|
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
|
||||||
let mut reader = BufReader::new(keyfile);
|
let mut reader = BufReader::new(keyfile);
|
||||||
pkcs8_private_keys(&mut reader).map_err(|_| {
|
rustls_pemfile::pkcs8_private_keys(&mut reader).collect::<Result<Vec<_>, _>>().map_err(
|
||||||
|
|_| {
|
||||||
anyhow::anyhow!(
|
anyhow::anyhow!(
|
||||||
"file contains invalid pkcs8 private key (encrypted keys not supported)"
|
"file contains invalid pkcs8 private key (encrypted keys not supported)"
|
||||||
)
|
)
|
||||||
})?
|
},
|
||||||
|
)?
|
||||||
};
|
};
|
||||||
|
|
||||||
// prefer to load pkcs8 keys
|
// prefer to load pkcs8 keys
|
||||||
if !pkcs8_keys.is_empty() {
|
if !pkcs8_keys.is_empty() {
|
||||||
Ok(rustls::PrivateKey(pkcs8_keys[0].clone()))
|
Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key()))
|
||||||
} else {
|
} else {
|
||||||
assert!(!rsa_keys.is_empty());
|
assert!(!rsa_keys.is_empty());
|
||||||
Ok(rustls::PrivateKey(rsa_keys[0].clone()))
|
Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key()))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user