Skip to content

Commit

Permalink
proxy: v2.203.4 (#11417)
Browse files Browse the repository at this point in the history 
This branch cherry-picks #2472 onto `release/v2.203`.

Currently, the proxy [depends on an outdated version of `rustls`][1],
v0.20.8. The `rustls` dependency is via our dependency on `tokio-rustls`
v0.23.4; we don't have a direct `rustls` dependency, in order to ensure
that the version of `rustls` is always the same version as used by
`tokio-rustls`. `rustls` also has a dependency on `webpki`, and v0.20.x
of `rustls` uses the original `webpki` crate, rather than the
`rustls-webpki` crate. So, unfortunately, because we have a transitive
dep on `webpki` via `rustls`, PR linkerd/linkerd2-proxy#2465 did not
remove _all_ `webpki` deps from our dependency tree, only the direct
dependency.

This branch updates to `rustls` v0.21.x, which depends on
`rustls-webpki` rather than `webpki`, removing the `webpki` dependency.
This is accomplished by updating `tokio-rustls` to v0.24.x, implicitly
updating the transitive `rustls` dep. In order to update to the
semver-incompatible version of `rustls`, it was necessary to modify our
code in order to track some breaking API changes. I've also added a
`cargo-deny` ban for `webpki` to our `deny.toml`, to ensure that we
always use the actively-maintained `rustls-webpki` crate rather than
`webpki` classic.

Since peer certificate validation is performed through `rustls` rather
than through the direct `rustls-webpki` dependency, this should
hopefully resolve issues with issuer certs that contain name constraints
--- these were not fixed by linkerd/linkerd2-proxy#2465, because the
failure with certs containing name constraints occurred inside of the
*`webpki` version depended on by `rustls`*, rather than inside of the
proxy's direct dep. See [this comment][2] for details.

In addition, it was necessary to update `rustls-webpki` to v0.101.6,
since v0.101.5 was yanked due to an accidental API breaking change.

[1]:
    https://github.com/linkerd/linkerd2-proxy/blob/8afc72258b8ced868fbd0bde0235955c0adf4ccd/Cargo.lock#L2450-L2460C2
[2]:
    #9299 (comment)

---

0e843c9f meshtls: update to `rustls` v0.21.7 (linkerd/linkerd2-proxy#2473)

Signed-off-by: Eliza Weisman <[email protected]>
  • Loading branch information
@hawkw @mateiidavid
hawkw authored and mateiidavid committed Sep 25, 2023
1 parent 518f85b commit 7af4d42
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .proxy-version
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
v2.203.3
v2.203.4

0 comments on commit 7af4d42

Please sign in to comment.