fix: Explicitly set TLS backends

Dependency updates mean we have to set a custom TLS backend sooner. Also some groundwork for being able to use aws-lc in future
2026-04-27 00:55:12 +00:00 · 2026-04-24 14:19:12 +01:00
parent 7ca0d137c4
commit e31c5997b7
9 changed files with 170 additions and 22 deletions
@@ -382,6 +382,28 @@ dependencies = [
 "arrayvec",
 ]

+[[package]]
+name = "aws-lc-rs"
+version = "1.16.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
 [[package]]
 name = "axum"
 version = "0.8.9"
@@ -876,6 +898,15 @@ dependencies = [
 "http",
 ]

+[[package]]
+name = "cmake"
+version = "0.1.58"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "cmov"
 version = "0.5.3"
@@ -931,6 +962,7 @@ dependencies = [
 name = "conduwuit"
 version = "0.5.7"
 dependencies = [
+ "aws-lc-rs",
 "clap",
 "conduwuit_admin",
 "conduwuit_api",
@@ -949,6 +981,8 @@ dependencies = [
 "opentelemetry-otlp",
 "opentelemetry_sdk",
 "parking_lot",
+ "reqwest 0.13.2",
+ "rustls",
 "sentry",
 "sentry-tower",
 "sentry-tracing",
@@ -1771,6 +1805,12 @@ version = "0.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2647271c92754afcb174e758003cfd1cbf1e43e5a7853d7b1813e63e19e39a73"

+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "ed25519"
 version = "2.2.3"
@@ -2047,6 +2087,12 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futf"
 version = "0.1.5"
@@ -2168,8 +2214,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
 "cfg-if",
+ "js-sys",
 "libc",
 "wasi",
+ "wasm-bindgen",
 ]

 [[package]]
@@ -2260,6 +2308,34 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "h3"
+version = "0.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10872b55cfb02a821b69dc7cf8dc6a71d6af25eb9a79662bec4a9d016056b3be"
+dependencies = [
+ "bytes",
+ "fastrand",
+ "futures-util",
+ "http",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "h3-quinn"
+version = "0.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2e732c8d91a74731663ac8479ab505042fbf547b9a207213ab7fbcbfc4f8b4"
+dependencies = [
+ "bytes",
+ "futures",
+ "h3",
+ "quinn",
+ "tokio",
+ "tokio-util",
+]
+
 [[package]]
 name = "half"
 version = "2.7.1"
@@ -3162,6 +3238,12 @@ dependencies = [
 "linked-hash-map",
 ]

+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "lz4-sys"
 version = "1.11.1+lz4-1.10.0"
@@ -4208,6 +4290,63 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"

+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "futures-io",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "aws-lc-rs",
+ "bytes",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand 0.9.4",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -4464,6 +4603,8 @@ dependencies = [
 "futures-core",
 "futures-util",
 "h2",
+ "h3",
+ "h3-quinn",
 "hickory-resolver",
 "http",
 "http-body",
@@ -4476,6 +4617,7 @@ dependencies = [
 "once_cell",
 "percent-encoding",
 "pin-project-lite",
+ "quinn",
 "rustls",
 "rustls-pki-types",
 "rustls-platform-verifier",
@@ -4797,6 +4939,7 @@ version = "0.23.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c2c118cb077cca2822033836dfb1b975355dfb784b5e8da48f7b6c5db74e60e"
 dependencies = [
+ "aws-lc-rs",
 "log",
 "once_cell",
 "ring",
@@ -4824,6 +4967,7 @@ version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
+ "web-time",
 "zeroize",
 ]

@@ -4860,6 +5004,7 @@ version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
+ "aws-lc-rs",
 "ring",
 "rustls-pki-types",
 "untrusted",
@@ -137,7 +137,6 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
-features = ["ring"]

 [workspace.dependencies.reqwest]
 version = "0.13.2"
@@ -162,7 +162,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA

 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default,http3"
+ARG CARGO_FEATURES="default"

 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -29,10 +29,6 @@ gzip_compression = [
 	"conduwuit-service/gzip_compression",
 	"reqwest/gzip",
 ]
-http3 = [
-	"conduwuit-core/http3",
-	"conduwuit-service/http3",
-]
 io_uring = [
 	"conduwuit-service/io_uring",
 ]
@@ -25,9 +25,6 @@ conduwuit_mods = [
 gzip_compression = [
 	"reqwest/gzip",
 ]
-http3 = [
-	# "reqwest/http3", # TODO: Depends on aws-lc
-]
 hardened_malloc = [
 	"dep:hardened_malloc-rs"
 ]
@@ -43,6 +43,7 @@ assets = [
 default = [
    "standard",
    "release_max_log_level",
+    "ring",
 	"bindgen-runtime", # replace with bindgen-static on alpine
 ]
 standard = [
@@ -100,9 +101,14 @@ hardened_malloc = [
 	"conduwuit-core/hardened_malloc",
 ]
 http3 = [
-	"conduwuit-api/http3",
-	"conduwuit-core/http3",
-	"conduwuit-service/http3",
+    "reqwest/http3"
+]
+ring = [
+    "rustls/ring"
+]
+aws_lc_rs = [
+    "rustls/aws_lc_rs",
+    "dep:aws-lc-rs"
 ]
 io_uring = [
 	"conduwuit-database/io_uring",
@@ -238,6 +244,9 @@ tracing-subscriber.workspace = true
 tracing.workspace = true
 tracing-journald = { workspace = true, optional = true }
 parking_lot.workspace = true
+reqwest = { workspace = true, default-features = false }
+rustls = { workspace = true, default-features = false }
+aws-lc-rs = { version = "1.16.3", default-features = false, optional = true }


 [target.'cfg(all(not(target_env = "msvc"), target_os = "linux"))'.dependencies]
@@ -33,6 +33,18 @@ pub fn run_with_args(args: &Args) -> Result<()> {
 	// Spawn deadlock detection thread
 	deadlock::spawn();

+	// Because we're not using rustls default-tls, we have to initialise a TLS
+	// provider
+	#[cfg(feature = "aws_lc_rs")]
+	rustls::crypto::aws_lc_rs::default_provider()
+		.install_default()
+		.expect("failed to initialise ring rustls crypto provider");
+
+	#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
+	rustls::crypto::ring::default_provider()
+		.install_default()
+		.expect("failed to initialise ring rustls crypto provider");
+
 	let runtime = runtime::new(args)?;
 	let server = Server::new(args, Some(runtime.handle()))?;

@@ -24,13 +24,6 @@ pub(super) async fn serve(
 		.key
 		.as_ref()
 		.ok_or_else(|| err!(Config("tls.key", "Missing required value in tls config section")))?;
-
-	// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
-	// without this, TLS mode will panic.
-	rustls::crypto::ring::default_provider()
-		.install_default()
-		.expect("failed to initialise ring rustls crypto provider");
-
 	info!(
 		"Note: It is strongly recommended that you use a reverse proxy instead of running \
 		 conduwuit directly with TLS."
@@ -33,9 +33,6 @@ gzip_compression = [
 	"conduwuit-core/gzip_compression",
 	"reqwest/gzip",
 ]
-http3 = [
-	"conduwuit-core/http3",
-]
 io_uring = [
 	"conduwuit-database/io_uring",
 ]