Merge #4806

4806: Update rustls as much as possible r=Kerollmops a=irevoire # Pull Request ## Related issue Part of https://github.com/meilisearch/meilisearch/issues/4753 ## What does this PR do? - Update rustls as much as possible ## What is missing In rustls-0.22.0 two structures we were using have been removed with no explanation or workaround <img width="518" alt="image" src="https://github.com/user-attachments/assets/fa112db1-3400-4163-8819-7913f22d6b87"> Co-authored-by: Tamo <tamo@meilisearch.com>
2025-07-03 20:07:09 +02:00 · 2024-07-17 17:00:01 +00:00 · 2024-07-17 17:00:01 +00:00 · 6e9d0de8b7
commit 6e9d0de8b7
parent ea73615abf 1bfb16386c
4 changed files with 52 additions and 104 deletions
--- a/meilisearch/Cargo.toml
+++ b/meilisearch/Cargo.toml
@ -17,7 +17,7 @@ actix-cors = "0.7.0"
 actix-http = { version = "3.8.0", default-features = false, features = [
    "compress-brotli",
    "compress-gzip",
-    "rustls-0_21",
+    "rustls-0_23",
 ] }
 actix-utils = "3.0.1"
 actix-web = { version = "4.8.0", default-features = false, features = [
@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [
    "compress-brotli",
    "compress-gzip",
    "cookies",
-    "rustls-0_21",
+    "rustls-0_23",
 ] }
 anyhow = { version = "1.0.86", features = ["backtrace"] }
 async-trait = "0.1.81"
@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [
    "rustls-tls",
    "json",
 ], default-features = false }
-rustls = "0.21.12"
-rustls-pemfile = "1.0.4"
+rustls = { version = "0.23.11", features = ["ring"], default-features = false }
+rustls-pki-types = { version = "1.7.0", features = ["alloc"] }
+rustls-pemfile = "2.1.2"
 segment = { version = "0.2.4", optional = true }
 serde = { version = "1.0.204", features = ["derive"] }
 serde_json = { version = "1.0.120", features = ["preserve_order"] }
--- a/meilisearch/src/main.rs
+++ b/meilisearch/src/main.rs
@ -151,7 +151,7 @@ async fn run_http(
    .keep_alive(KeepAlive::Os);

    if let Some(config) = opt_clone.get_ssl_config()? {
-        http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?;
+        http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?;
    } else {
        http_server.bind(&opt_clone.http_addr)?.run().await?;
    }
--- a/meilisearch/src/option.rs
+++ b/meilisearch/src/option.rs
@ -14,11 +14,9 @@ use clap::Parser;
 use meilisearch_types::features::InstanceTogglableFeatures;
 use meilisearch_types::milli::update::IndexerConfig;
 use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
-use rustls::server::{
-    AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache,
-};
+use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier};
 use rustls::RootCertStore;
-use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
+use rustls_pemfile::{certs, rsa_private_keys};
 use serde::{Deserialize, Serialize};
 use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 use url::Url;
@ -582,23 +580,21 @@ impl Opt {

    pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> {
        if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
-            let config = rustls::ServerConfig::builder().with_safe_defaults();
+            let config = rustls::ServerConfig::builder();

            let config = match &self.ssl_auth_path {
                Some(auth_path) => {
                    let roots = load_certs(auth_path.to_path_buf())?;
                    let mut client_auth_roots = RootCertStore::empty();
                    for root in roots {
-                        client_auth_roots.add(&root).unwrap();
+                        client_auth_roots.add(root).unwrap();
                    }
-                    if self.ssl_require_auth {
-                        let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots);
-                        config.with_client_cert_verifier(Arc::from(verifier))
-                    } else {
-                        let verifier =
-                            AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots);
-                        config.with_client_cert_verifier(Arc::from(verifier))
+                    let mut client_verifier =
+                        WebPkiClientVerifier::builder(client_auth_roots.into());
+                    if !self.ssl_require_auth {
+                        client_verifier = client_verifier.allow_unauthenticated();
                    }
+                    config.with_client_cert_verifier(client_verifier.build()?)
                }
                None => config.with_no_client_auth(),
            };
@ -607,7 +603,7 @@ impl Opt {
            let privkey = load_private_key(key_path.to_path_buf())?;
            let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
            let mut config = config
-                .with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![])
+                .with_single_cert_with_ocsp(certs, privkey, ocsp)
                .map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;

            config.key_log = Arc::new(rustls::KeyLogFile::new());
@ -617,7 +613,7 @@ impl Opt {
            }

            if self.ssl_tickets {
-                config.ticketer = rustls::Ticketer::new().unwrap();
+                config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
            }

            Ok(Some(config))
@ -783,21 +779,26 @@ impl Deref for MaxThreads {
    }
 }

-fn load_certs(filename: PathBuf) -> anyhow::Result<Vec<rustls::Certificate>> {
+fn load_certs(
+    filename: PathBuf,
+) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
    let certfile =
        fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
    let mut reader = BufReader::new(certfile);
    certs(&mut reader)
-        .map(|certs| certs.into_iter().map(rustls::Certificate).collect())
+        .collect::<Result<Vec<_>, _>>()
        .map_err(|_| anyhow::anyhow!("cannot read certificate file"))
 }

-fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
+fn load_private_key(
+    filename: PathBuf,
+) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> {
    let rsa_keys = {
        let keyfile = fs::File::open(filename.clone())
            .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
        let mut reader = BufReader::new(keyfile);
        rsa_private_keys(&mut reader)
+            .collect::<Result<Vec<_>, _>>()
            .map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
    };

@ -805,19 +806,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
        let keyfile = fs::File::open(filename)
            .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
        let mut reader = BufReader::new(keyfile);
-        pkcs8_private_keys(&mut reader).map_err(|_| {
-            anyhow::anyhow!(
-                "file contains invalid pkcs8 private key (encrypted keys not supported)"
-            )
-        })?
+        rustls_pemfile::pkcs8_private_keys(&mut reader).collect::<Result<Vec<_>, _>>().map_err(
+            |_| {
+                anyhow::anyhow!(
+                    "file contains invalid pkcs8 private key (encrypted keys not supported)"
+                )
+            },
+        )?
    };

    // prefer to load pkcs8 keys
    if !pkcs8_keys.is_empty() {
-        Ok(rustls::PrivateKey(pkcs8_keys[0].clone()))
+        Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key()))
    } else {
        assert!(!rsa_keys.is_empty());
-        Ok(rustls::PrivateKey(rsa_keys[0].clone()))
+        Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key()))
    }
 }