fix(devops): Use webpki roots instead of OS cert store (#3266)

Fixes ```json { "insertId": "1lzwe6ffj77v9n", "jsonPayload": { "cos.googleapis.com/container_name": "klt-relay-vmkr", "cos.googleapis.com/stream": "stderr", "cos.googleapis.com/container_id": "29e6fd8f9a4ed1ce390e8a25561d73b0fd8cbcdf17344e999637301175c41fdc", "message": " 1: invalid peer certificate: UnknownIssuer\n", "time": "2024-01-16T20:21:49.992901207Z" }, "resource": { "type": "gce_instance", "labels": { "zone": "asia-south1-a", "instance_id": "4570479834747179906", "project_id": "firezone-staging" } }, "timestamp": "2024-01-16T20:21:49.992901207Z", "logName": "projects/firezone-staging/logs/cos_containers", "receiveTimestamp": "2024-01-16T20:21:50.930410255Z" } ```
2026-01-27 18:18:55 +00:00 · 2024-01-16 13:11:13 -08:00
parent 9d476d83e4
commit 5551eece5d
5 changed files with 70 additions and 45 deletions
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -2980,9 +2980,9 @@ dependencies = [
 "futures-util",
 "http 0.2.11",
 "hyper 0.14.28",
- "rustls",
+ "rustls 0.21.10",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 ]

 [[package]]
@@ -4075,12 +4075,6 @@ dependencies = [
 "windows-sys 0.42.0",
 ]

-[[package]]
-name = "openssl-probe"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
-
 [[package]]
 name = "opentelemetry"
 version = "0.20.0"
@@ -5056,14 +5050,14 @@ dependencies = [
 "once_cell",
 "percent-encoding",
 "pin-project-lite",
- "rustls",
+ "rustls 0.21.10",
 "rustls-pemfile",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "system-configuration",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 "tokio-util",
 "tower-service",
 "url",
@@ -5071,7 +5065,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
- "webpki-roots",
+ "webpki-roots 0.25.3",
 "winreg 0.50.0",
 ]

@@ -5253,20 +5247,22 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
 "log",
 "ring 0.17.7",
- "rustls-webpki",
+ "rustls-webpki 0.101.7",
 "sct",
 ]

 [[package]]
-name = "rustls-native-certs"
-version = "0.6.3"
+name = "rustls"
+version = "0.22.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
+checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41"
 dependencies = [
- "openssl-probe",
- "rustls-pemfile",
- "schannel",
- "security-framework",
+ "log",
+ "ring 0.17.7",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.1",
+ "subtle",
+ "zeroize",
 ]

 [[package]]
@@ -5278,6 +5274,12 @@ dependencies = [
 "base64 0.21.7",
 ]

+[[package]]
+name = "rustls-pki-types"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e9d979b3ce68192e42760c7810125eb6cf2ea10efae545a156063e61f314e2a"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@@ -5288,6 +5290,17 @@ dependencies = [
 "untrusted 0.9.0",
 ]

+[[package]]
+name = "rustls-webpki"
+version = "0.102.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef4ca26037c909dedb327b48c3327d0ba91d3dd3c4e05dad328f210ffb68e95b"
+dependencies = [
+ "ring 0.17.7",
+ "rustls-pki-types",
+ "untrusted 0.9.0",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.14"
@@ -5327,15 +5340,6 @@ dependencies = [
 "winapi-util",
 ]

-[[package]]
-name = "schannel"
-version = "0.1.23"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbc91545643bcf3a0bbb6569265615222618bdf33ce4ffbbd13c4bbd4c093534"
-dependencies = [
- "windows-sys 0.52.0",
-]
-
 [[package]]
 name = "scoped-tls"
 version = "1.0.1"
@@ -6539,7 +6543,18 @@ version = "0.24.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
 dependencies = [
- "rustls",
+ "rustls 0.21.10",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+dependencies = [
+ "rustls 0.22.2",
+ "rustls-pki-types",
 "tokio",
 ]

@@ -6556,18 +6571,18 @@ dependencies = [

 [[package]]
 name = "tokio-tungstenite"
-version = "0.20.1"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "212d5dcb2a1ce06d81107c3d0ffa3121fe974b73f068c8282cb1c32328113b6c"
+checksum = "c83b561d025642014097b66e6c1bb422783339e0909e4429cde4749d1990bc38"
 dependencies = [
 "futures-util",
 "log",
- "rustls",
- "rustls-native-certs",
+ "rustls 0.22.2",
+ "rustls-pki-types",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.25.0",
 "tungstenite",
- "webpki-roots",
+ "webpki-roots 0.26.0",
 ]

 [[package]]
@@ -6940,18 +6955,19 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"

 [[package]]
 name = "tungstenite"
-version = "0.20.1"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e3dac10fd62eaf6617d3a904ae222845979aec67c615d1c842b4002c7666fb9"
+checksum = "9ef1a641ea34f399a848dea702823bbecfb4c486f911735368f1f137cb8257e1"
 dependencies = [
 "byteorder",
 "bytes",
 "data-encoding",
- "http 0.2.11",
+ "http 1.0.0",
 "httparse",
 "log",
 "rand 0.8.5",
- "rustls",
+ "rustls 0.22.2",
+ "rustls-pki-types",
 "sha1",
 "thiserror",
 "url",
@@ -7335,6 +7351,15 @@ version = "0.25.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"

+[[package]]
+name = "webpki-roots"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de2cfda980f21be5a7ed2eadb3e6fe074d56022bea2cdeb1a62eb220fc04188"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "webrtc"
 version = "0.9.0"
@@ -7354,7 +7379,7 @@ dependencies = [
 "ring 0.17.7",
 "rtcp",
 "rtp",
- "rustls",
+ "rustls 0.21.10",
 "sdp",
 "serde",
 "serde_json",
@@ -7412,7 +7437,7 @@ dependencies = [
 "rand_core 0.6.4",
 "rcgen",
 "ring 0.17.7",
- "rustls",
+ "rustls 0.21.10",
 "sec1",
 "serde",
 "sha1",
--- a/rust/connlib/clients/shared/Cargo.toml
+++ b/rust/connlib/clients/shared/Cargo.toml
@@ -25,7 +25,7 @@ webrtc = { workspace = true }
 url = { version = "2.4.1", features = ["serde"] }
 time = { version = "0.3.30", features = ["formatting"] }
 reqwest = { version = "0.11.22", default-features = false, features = ["stream", "rustls-tls"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 async-compression = { version = "0.4.3", features = ["tokio", "gzip"] }
 hickory-resolver = { workspace = true, features = ["tokio-runtime"] }
 parking_lot = "0.12"
--- a/rust/connlib/shared/Cargo.toml
+++ b/rust/connlib/shared/Cargo.toml
@@ -27,7 +27,7 @@ serde_json = { version = "1.0", default-features = false, features = ["std"] }
 thiserror = { version = "1.0", default-features = false }
 tokio = { version = "1.33", default-features = false, features = ["rt", "rt-multi-thread"]}
 tokio-stream = { version = "0.1", features = ["time"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 tracing = { workspace = true }
 tracing-appender = "0.2"
 url = { version = "2.4.1", default-features = false }
--- a/rust/gateway/Cargo.toml
+++ b/rust/gateway/Cargo.toml
@@ -22,7 +22,7 @@ phoenix-channel = { workspace = true }
 secrecy = { workspace = true }
 serde = { version = "1.0", default-features = false, features = ["std", "derive"] }
 tokio = { version = "1.33", default-features = false, features = ["sync", "macros", "rt-multi-thread"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 tracing = { workspace = true }
 tracing-subscriber = "0.3.17"
 url = { version = "2.4.1", default-features = false }
--- a/rust/phoenix-channel/Cargo.toml
+++ b/rust/phoenix-channel/Cargo.toml
@@ -8,7 +8,7 @@ edition = "2021"

 [dependencies]
 secrecy = { workspace = true }
-tokio-tungstenite = { version = "0.20.1", features = ["rustls-tls-native-roots"] }
+tokio-tungstenite = { version = "0.21.0", features = ["rustls-tls-webpki-roots"] }
 futures = "0.3.29"
 base64 = "0.21.7"
 serde = { version = "1.0.190", features = ["derive"] }