Merge pull request #83 from hatoo/rustls-client

Rustls client

Author: hatoo

.github/workflows/rust.yml

@@ -20,3 +20,5 @@ jobs:
       run: cargo build --verbose
     - name: Run tests
       run: cargo test --verbose
+    - name: Run tests --no-default-features --features rustls-client
+      run: cargo test --verbose --no-default-features --features rustls-client

Cargo.lock

@@ -14,6 +14,13 @@ resolver = "2"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
+[features]
+default = ["native-tls-client"]
+native-tls-client = ["dep:native-tls", "dep:tokio-native-tls"]
+
+# You can use --no-default-feature --features "rustls-client" to remove native-tls from dependencies
+rustls-client = ["dep:webpki-roots"]
+
 [dependencies]
 tokio = { version = "1.39.3", features = [
     "macros",
@@ -29,13 +36,16 @@ bytes = "1.7.1"
 http-body-util = "0.1.0"
 rcgen = "0.13.1"
 tokio-rustls = "0.26.1"
-tokio-native-tls = "0.3.1"
 tracing = "0.1.40"
 hyper-util = { version = "0.1.7", features = ["tokio"] }
-native-tls = { version = "0.2.12", features = ["alpn"] }
 thiserror = "2.0.11"
 moka = { version = "0.12.8", features = ["sync"] }
 
+native-tls = { version = "0.2.12", features = ["alpn"], optional = true }
+tokio-native-tls = { version = "0.3.1", optional = true }
+
+webpki-roots = { version = "0.26.8", optional = true }
+
 [dev-dependencies]
 axum = { version = "0.8.1", features = ["http2"] }
 clap = { version = "4.5.16", features = ["derive"] }

Cargo.toml

@@ -85,7 +85,7 @@ async fn main() {
         Some(Cache::new(128)),
     );
 
-    let client = DefaultClient::new().unwrap();
+    let client = DefaultClient::new();
     let server = proxy
         .bind(
             ("127.0.0.1", 3003),

README.md

@@ -82,7 +82,7 @@ async fn main() {
         Some(Cache::new(128)),
     );
 
-    let client = DefaultClient::new().unwrap();
+    let client = DefaultClient::new();
     let proxy = proxy
         .bind(
             ("127.0.0.1", 3003),

examples/dev_proxy.rs

@@ -92,7 +92,7 @@ async fn main() {
     );
     let proxy = Arc::new(proxy);
 
-    let client = DefaultClient::new().unwrap();
+    let client = DefaultClient::new();
 
     let listener = TcpListener::bind(("127.0.0.1", 3003)).await.unwrap();
 

examples/https.rs

@@ -72,7 +72,7 @@ async fn main() {
         Some(Cache::new(128)),
     );
 
-    let client = DefaultClient::new().unwrap();
+    let client = DefaultClient::new();
     let server = proxy
         .bind(
             ("127.0.0.1", 3003),

examples/proxy.rs

@@ -78,7 +78,7 @@ async fn main() {
         Some(Cache::new(128)),
     );
 
-    let client = DefaultClient::new().unwrap().with_upgrades();
+    let client = DefaultClient::new().with_upgrades();
     let server = proxy
         .bind(
             ("127.0.0.1", 3003),

examples/websocket.rs

@@ -8,20 +8,33 @@ use hyper_util::rt::{TokioExecutor, TokioIo};
 use std::task::{Context, Poll};
 use tokio::{net::TcpStream, task::JoinHandle};
 
+#[cfg(all(feature = "native-tls-client", feature = "rustls-client"))]
+compile_error!("feature \"native-tls-client\" and feature \"rustls-client\" cannot be enabled at the same time");
+
+#[cfg(all(not(feature = "native-tls-client"), not(feature = "rustls-client")))]
+compile_error!("feature \"native-tls-client\" or feature \"rustls-client\" must be enabled");
+
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
     #[error("{0} doesn't have an valid host")]
     InvalidHost(Uri),
     #[error(transparent)]
     IoError(#[from] std::io::Error),
     #[error(transparent)]
-    NativeTlsError(#[from] tokio_native_tls::native_tls::Error),
-    #[error(transparent)]
     HyperError(#[from] hyper::Error),
     #[error("Failed to connect to {0}, {1}")]
     ConnectError(Uri, hyper::Error),
+
+    #[cfg(feature = "native-tls-client")]
     #[error("Failed to connect with TLS to {0}, {1}")]
     TlsConnectError(Uri, native_tls::Error),
+    #[cfg(feature = "native-tls-client")]
+    #[error(transparent)]
+    NativeTlsError(#[from] tokio_native_tls::native_tls::Error),
+
+    #[cfg(feature = "rustls-client")]
+    #[error("Failed to connect with TLS to {0}, {1}")]
+    TlsConnectError(Uri, std::io::Error),
 }
 
 /// Upgraded connections
@@ -34,24 +47,60 @@ pub struct Upgraded {
 #[derive(Clone)]
 /// Default HTTP client for this crate
 pub struct DefaultClient {
+    #[cfg(feature = "native-tls-client")]
     tls_connector_no_alpn: tokio_native_tls::TlsConnector,
+    #[cfg(feature = "native-tls-client")]
     tls_connector_alpn_h2: tokio_native_tls::TlsConnector,
+
+    #[cfg(feature = "rustls-client")]
+    tls_connector_no_alpn: tokio_rustls::TlsConnector,
+    #[cfg(feature = "rustls-client")]
+    tls_connector_alpn_h2: tokio_rustls::TlsConnector,
+
     /// If true, send_request will returns an Upgraded struct when the response is an upgrade
     /// If false, send_request never returns an Upgraded struct and just copy bidirectional when the response is an upgrade
     pub with_upgrades: bool,
 }
 impl DefaultClient {
-    pub fn new() -> native_tls::Result<Self> {
-        let tls_connector_no_alpn = native_tls::TlsConnector::builder().build()?;
+    #[cfg(feature = "native-tls-client")]
+    pub fn new() -> Self {
+        let tls_connector_no_alpn = native_tls::TlsConnector::builder().build().unwrap();
         let tls_connector_alpn_h2 = native_tls::TlsConnector::builder()
             .request_alpns(&["h2", "http/1.1"])
-            .build()?;
+            .build()
+            .unwrap();
 
-        Ok(Self {
+        Self {
             tls_connector_no_alpn: tokio_native_tls::TlsConnector::from(tls_connector_no_alpn),
             tls_connector_alpn_h2: tokio_native_tls::TlsConnector::from(tls_connector_alpn_h2),
             with_upgrades: false,
-        })
+        }
+    }
+
+    #[cfg(feature = "rustls-client")]
+    pub fn new() -> Self {
+        use std::sync::Arc;
+
+        let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty();
+        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+
+        let tls_connector_no_alpn = tokio_rustls::rustls::ClientConfig::builder()
+            .with_root_certificates(root_cert_store.clone())
+            .with_no_client_auth();
+        let mut tls_connector_alpn_h2 = tokio_rustls::rustls::ClientConfig::builder()
+            .with_root_certificates(root_cert_store.clone())
+            .with_no_client_auth();
+        tls_connector_alpn_h2.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
+        Self {
+            tls_connector_no_alpn: tokio_rustls::TlsConnector::from(Arc::new(
+                tls_connector_no_alpn,
+            )),
+            tls_connector_alpn_h2: tokio_rustls::TlsConnector::from(Arc::new(
+                tls_connector_alpn_h2,
+            )),
+            with_upgrades: false,
+        }
     }
 
     /// Enable HTTP upgrades
@@ -61,13 +110,22 @@ impl DefaultClient {
         self
     }
 
+    #[cfg(feature = "native-tls-client")]
     fn tls_connector(&self, http_version: Version) -> &tokio_native_tls::TlsConnector {
         match http_version {
             Version::HTTP_2 => &self.tls_connector_alpn_h2,
             _ => &self.tls_connector_no_alpn,
         }
     }
 
+    #[cfg(feature = "rustls-client")]
+    fn tls_connector(&self, http_version: Version) -> &tokio_rustls::TlsConnector {
+        match http_version {
+            Version::HTTP_2 => &self.tls_connector_alpn_h2,
+            _ => &self.tls_connector_no_alpn,
+        }
+    }
+
     /// Send a request and return a response.
     /// If the response is an upgrade (= if status code is 101 Switching Protocols), it will return a response and an Upgrade struct.
     /// Request should have a full URL including scheme.
@@ -152,17 +210,31 @@ impl DefaultClient {
         let _ = tcp.set_nodelay(true);
 
         if uri.scheme() == Some(&hyper::http::uri::Scheme::HTTPS) {
+            #[cfg(feature = "native-tls-client")]
             let tls = self
                 .tls_connector(http_version)
                 .connect(host, tcp)
                 .await
                 .map_err(|err| Error::TlsConnectError(uri.clone(), err))?;
+            #[cfg(feature = "rustls-client")]
+            let tls = self
+                .tls_connector(http_version)
+                .connect(host.to_string().try_into().expect("Invalid host"), tcp)
+                .await
+                .map_err(|err| Error::TlsConnectError(uri.clone(), err))?;
+
+            #[cfg(feature = "native-tls-client")]
+            let is_h2 = matches!(
+                tls.get_ref()
+                    .negotiated_alpn()
+                    .map(|a| a.map(|b| b == b"h2")),
+                Ok(Some(true))
+            );
+
+            #[cfg(feature = "rustls-client")]
+            let is_h2 = tls.get_ref().1.alpn_protocol() == Some(b"h2");
 
-            if let Ok(Some(true)) = tls
-                .get_ref()
-                .negotiated_alpn()
-                .map(|a| a.map(|b| b == b"h2"))
-            {
+            if is_h2 {
                 let (sender, conn) = client::conn::http2::Builder::new(TokioExecutor::new())
                     .handshake(TokioIo::new(tls))
                     .await

src/default_client.rs

@@ -17,6 +17,8 @@ use tokio_rustls::rustls;
 pub use futures;
 pub use hyper;
 pub use moka;
+
+#[cfg(feature = "native-tls-client")]
 pub use tokio_native_tls;
 
 pub mod default_client;