Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update env_logger dependency #46

Open
wants to merge 21 commits into
base: master
Choose a base branch
from
Open

Update env_logger dependency #46

wants to merge 21 commits into from

Conversation

aljazerzen
Copy link

No description provided.

@aljazerzen aljazerzen mentioned this pull request Apr 26, 2024
Open
@aljazerzen
Nix flake for a dev shell
df7f616
@aljazerzen
Rename to the forked edgedb repo
3495090
@aljazerzen
Clippy lints
b5a0b97
@aljazerzen
Update trivial dependencies
442a806 
- `webpki-roots`
- `cfg-if`
- `winapi`
- `untrusted`
- `pem`
@aljazerzen
Shutdown TLS streams
1df0dbd 
When I tried updating to latest version of rustls, I've noticed the following test failure:

```
rustls::Custom {
  kind: UnexpectedEof,
  error: "peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof"
}
```

This is happening because in [rustls 0.21.2](https://github.com/rustls/rustls/releases/tag/v%2F0.21.2), they started differentiating between "unexpected and expected EOF in `Stream` and `StreamOwned`". This follows TLS standard, as the close_notify message must be sent before closing the connection.

We weren't doing that I our test cases so they failed.

But even when I added `AsyncWrite::poll_shutdown(socket).await` to the tests, they were still failing, since we weren't propagating this call to the underlying sync TLS streams, but just calling `.flush()`. The problem here was that there is no sync equivalent to `AsyncWrite::shutdown`.

My solution was to add a new trait `WriteShutdown` that all sync TLS streams must implement. It turns out that OpenSSL, native TLS and rustls all have shutdown methods that they are expecting to be called.

---

This is a breaking change, because there are streams that previous versions deemed correct, but newer versions would return an error on.

This is fixes [vulnerability to truncation attacks](https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof).
@aljazerzen
Update rustls dependency
ad5d2a3
@aljazerzen
Format
d2f9689
@aljazerzen
Update version
37cd212
@aljazerzen
Make rustls not use default features
42adc37
@aljazerzen
test: fix a few breakages
21b70a1
@aljazerzen
chore: apply clippy lints
fee9cfe
@aljazerzen
chore!: update thiserror to 2
c0ab441
@aljazerzen
chore!: update security-framework to 3
8c87cf4
@aljazerzen
test: cleanup test configs
9a25528
@aljazerzen
chore: rename back to original crate name
04137b0
@aljazerzen
chore: update usage of openssl pkcs12
9199ac0
@aljazerzen
chore: v0.12 & cleanup cargo config
fe2b82c
@aljazerzen
fix: TLS close notify over async-std
c9ecca7
@aljazerzen
chore: fmt
ddaa78c
@aljazerzen
chore: cleanup cargo configs
f27611f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aljazerzen @elprans