rust: default to rustls TLS backend, add native-tls opt-in#1851
Open
colbylwilliams wants to merge 1 commit into
Open
rust: default to rustls TLS backend, add native-tls opt-in#1851colbylwilliams wants to merge 1 commit into
colbylwilliams wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Rust SDK crate’s TLS feature configuration so it defaults to a rustls-based TLS stack (avoiding OpenSSL) while still offering an opt-in native-tls Cargo feature for consumers who prefer the platform TLS backend. This directly addresses the musl/static build pain described in #1805 without requiring transport-layer source changes.
Changes:
- Switch default Rust crate TLS backend to
rustls-tls(OpenSSL-free by default) and add an opt-innative-tlsfeature. - Remove hard-coded TLS features from the
reqwestandtokio-tungstenitedependency declarations and delegate TLS selection to crate features. - Document the new TLS feature behavior and the
default-features = falseimplications in the Rust README.
Show a summary per file
| File | Description |
|---|---|
| rust/README.md | Documents new rustls-tls (default) and native-tls (opt-in) features and updates dependency examples accordingly. |
| rust/Cargo.toml | Introduces rustls-tls/native-tls features, defaults to rustls, and removes dependency-level hard-coded TLS selection. |
| rust/Cargo.lock | Updates the resolved dependency graph to reflect the new rustls-enabled default feature set. |
Review details
- Files reviewed: 2/3 changed files
- Comments generated: 0
- Review effort level: Low
The Rust crate hard-coded the OpenSSL-backed native-tls stack for its request-handler HTTP (reqwest `default-tls`) and WebSocket (tokio-tungstenite `native-tls`) clients, pulling in `openssl-sys`. That breaks `*-unknown-linux-musl` / fully-static builds (no OpenSSL sysroot) and adds a dynamic `libssl` runtime dependency on glibc. Make TLS feature-gated and default to rustls: - `rustls-tls` (default): reqwest `rustls-tls-native-roots` + tokio-tungstenite `rustls-tls-native-roots`, using rustls with the `ring` provider and the OS trust store. OpenSSL-free, so musl/static targets cross-compile with no system OpenSSL. - `native-tls` (opt-in): keeps the platform-native stack for consumers who want it. The transport code is TLS-backend-agnostic (`reqwest::Client::builder()` + `connect_async`), so no source changes were needed. For `wss://`, tokio-tungstenite resolves the rustls crypto provider via Cargo feature unification on the shared `rustls` crate (reqwest pins `ring`). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2f683c0 to
92ff3e3
Compare
stephentoub
reviewed
Jul 1, 2026
| test-support = [] | ||
|
|
||
| # TLS backend for the request-handler HTTP/WebSocket transport; enable at least | ||
| # one. `rustls-tls` (default) uses rustls + `ring`, keeping the SDK OpenSSL-free |
Collaborator
There was a problem hiding this comment.
The runtime is using aws-lc-rs. Once they're in the same process, we'll have two crypto stacks. Can we standardize on one?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1805.
The Rust crate hard-coded the OpenSSL-backed
native-tlsstack for its request-handler HTTP and WebSocket clients, with no way to opt into rustls:default-tls(reqwest) andnative-tls(tokio-tungstenite) both pull inopenssl-sys, which links the system OpenSSL on Linux. This breaks*-unknown-linux-musl/ fully-static builds (no OpenSSL sysroot) and adds a dynamiclibssl.so.3runtime dependency on glibc.Change
This implements both shapes the issue proposed: default to rustls and expose a
native-tlscargo feature so consumers keep the choice.rustls-tls(new, default): reqwestrustls-tls-native-roots+ tokio-tungsteniterustls-tls-native-roots— rustls with theringprovider and the OS trust store. OpenSSL-free, so musl/static targets cross-compile without a system OpenSSL sysroot.native-tls(new, opt-in): keeps the platform-native stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows) for consumers who want it.reqwest/tokio-tungstenitedeps drop their hard-coded TLS features; TLS is now selected via the cargo features above.The transport code (
copilot_request_handler.rs) is TLS-backend-agnostic (reqwest::Client::builder()+connect_async), so no source changes were required. Forwss://, tokio-tungstenite resolves the rustls crypto provider via Cargo feature unification on the sharedrustlscrate (reqwest pinsring).Validation
cargo check --locked(default) is OpenSSL-free:openssl-sysno longer appears in the normal dependency graph;ringis the sole rustls crypto provider.cargo check --no-default-features --features rustls-tlsand--features native-tlsboth compile.wss://path resolves theringcrypto provider (reaches the TLS handshake instead of panicking with "no process-level CryptoProvider available").cargo +nightly fmt --check,cargo clippy --all-features --all-targets -- -D warnings: clean.cargo test --all-features: green (lib + e2e + integration + doctests).Supersedes #1806 (which was opened from a fork before I had write access to this repo). This PR is branched directly off
main.Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com