From 5551eece5d2c6dd13bb725bc4bc5cc6a5c60b0bd Mon Sep 17 00:00:00 2001 From: Jamil Date: Tue, 16 Jan 2024 13:11:13 -0800 Subject: [PATCH] fix(devops): Use webpki roots instead of OS cert store (#3266) Fixes ```json { "insertId": "1lzwe6ffj77v9n", "jsonPayload": { "cos.googleapis.com/container_name": "klt-relay-vmkr", "cos.googleapis.com/stream": "stderr", "cos.googleapis.com/container_id": "29e6fd8f9a4ed1ce390e8a25561d73b0fd8cbcdf17344e999637301175c41fdc", "message": " 1: invalid peer certificate: UnknownIssuer\n", "time": "2024-01-16T20:21:49.992901207Z" }, "resource": { "type": "gce_instance", "labels": { "zone": "asia-south1-a", "instance_id": "4570479834747179906", "project_id": "firezone-staging" } }, "timestamp": "2024-01-16T20:21:49.992901207Z", "logName": "projects/firezone-staging/logs/cos_containers", "receiveTimestamp": "2024-01-16T20:21:50.930410255Z" } ``` --- rust/Cargo.lock | 107 +++++++++++++++---------- rust/connlib/clients/shared/Cargo.toml | 2 +- rust/connlib/shared/Cargo.toml | 2 +- rust/gateway/Cargo.toml | 2 +- rust/phoenix-channel/Cargo.toml | 2 +- 5 files changed, 70 insertions(+), 45 deletions(-) diff --git a/rust/Cargo.lock b/rust/Cargo.lock index 9249f166a..320af300f 100644 --- a/rust/Cargo.lock +++ b/rust/Cargo.lock @@ -2980,9 +2980,9 @@ dependencies = [ "futures-util", "http 0.2.11", "hyper 0.14.28", - "rustls", + "rustls 0.21.10", "tokio", - "tokio-rustls", + "tokio-rustls 0.24.1", ] [[package]] @@ -4075,12 +4075,6 @@ dependencies = [ "windows-sys 0.42.0", ] -[[package]] -name = "openssl-probe" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" - [[package]] name = "opentelemetry" version = "0.20.0" 
@@ -5056,14 +5050,14 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "rustls", + "rustls 0.21.10", "rustls-pemfile", "serde", "serde_json", "serde_urlencoded", "system-configuration", "tokio", - "tokio-rustls", + "tokio-rustls 0.24.1", "tokio-util", "tower-service", "url", @@ -5071,7 +5065,7 @@ dependencies = [ "wasm-bindgen-futures", "wasm-streams", "web-sys", - "webpki-roots", + "webpki-roots 0.25.3", "winreg 0.50.0", ] @@ -5253,20 +5247,22 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", "ring 0.17.7", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] [[package]] -name = "rustls-native-certs" -version = "0.6.3" +name = "rustls" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" +checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41" dependencies = [ - "openssl-probe", - "rustls-pemfile", - "schannel", - "security-framework", + "log", + "ring 0.17.7", + "rustls-pki-types", + "rustls-webpki 0.102.1", + "subtle", + "zeroize", ] [[package]] @@ -5278,6 +5274,12 @@ dependencies = [ "base64 0.21.7", ] +[[package]] +name = "rustls-pki-types" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e9d979b3ce68192e42760c7810125eb6cf2ea10efae545a156063e61f314e2a" + [[package]] name = "rustls-webpki" version = "0.101.7" @@ -5288,6 +5290,17 @@ dependencies = [ "untrusted 0.9.0", ] +[[package]] +name = "rustls-webpki" +version = "0.102.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef4ca26037c909dedb327b48c3327d0ba91d3dd3c4e05dad328f210ffb68e95b" +dependencies = [ + "ring 0.17.7", + "rustls-pki-types", + "untrusted 0.9.0", +] + [[package]] name = "rustversion" version = "1.0.14" 
@@ -5327,15 +5340,6 @@ dependencies = [ "winapi-util", ] -[[package]] -name = "schannel" -version = "0.1.23" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbc91545643bcf3a0bbb6569265615222618bdf33ce4ffbbd13c4bbd4c093534" -dependencies = [ - "windows-sys 0.52.0", -] - [[package]] name = "scoped-tls" version = "1.0.1" @@ -6539,7 +6543,18 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.10", + "tokio", +] + +[[package]] +name = "tokio-rustls" +version = "0.25.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +dependencies = [ + "rustls 0.22.2", + "rustls-pki-types", "tokio", ] @@ -6556,18 +6571,18 @@ dependencies = [ [[package]] name = "tokio-tungstenite" -version = "0.20.1" +version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "212d5dcb2a1ce06d81107c3d0ffa3121fe974b73f068c8282cb1c32328113b6c" +checksum = "c83b561d025642014097b66e6c1bb422783339e0909e4429cde4749d1990bc38" dependencies = [ "futures-util", "log", - "rustls", - "rustls-native-certs", + "rustls 0.22.2", + "rustls-pki-types", "tokio", - "tokio-rustls", + "tokio-rustls 0.25.0", "tungstenite", - "webpki-roots", + "webpki-roots 0.26.0", ] [[package]] 
@@ -6940,18 +6955,19 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tungstenite" -version = "0.20.1" +version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e3dac10fd62eaf6617d3a904ae222845979aec67c615d1c842b4002c7666fb9" +checksum = "9ef1a641ea34f399a848dea702823bbecfb4c486f911735368f1f137cb8257e1" dependencies = [ "byteorder", "bytes", "data-encoding", - "http 0.2.11", + "http 1.0.0", "httparse", "log", "rand 0.8.5", - "rustls", + "rustls 0.22.2", + "rustls-pki-types", "sha1", "thiserror", "url", @@ -7335,6 +7351,15 @@ version = "0.25.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" +[[package]] +name = "webpki-roots" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0de2cfda980f21be5a7ed2eadb3e6fe074d56022bea2cdeb1a62eb220fc04188" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "webrtc" version = "0.9.0" @@ -7354,7 +7379,7 @@ dependencies = [ "ring 0.17.7", "rtcp", "rtp", - "rustls", + "rustls 0.21.10", "sdp", "serde", "serde_json", @@ -7412,7 +7437,7 @@ dependencies = [ "rand_core 0.6.4", "rcgen", "ring 0.17.7", - "rustls", + "rustls 0.21.10", "sec1", "serde", "sha1", diff --git a/rust/connlib/clients/shared/Cargo.toml b/rust/connlib/clients/shared/Cargo.toml index e96b1d9b2..4fd26ab3a 100644 --- a/rust/connlib/clients/shared/Cargo.toml +++ b/rust/connlib/clients/shared/Cargo.toml 
@@ -25,7 +25,7 @@ webrtc = { workspace = true }
 url = { version = "2.4.1", features = ["serde"] }
 time = { version = "0.3.30", features = ["formatting"] }
 reqwest = { version = "0.11.22", default-features = false, features = ["stream", "rustls-tls"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 async-compression = { version = "0.4.3", features = ["tokio", "gzip"] }
 hickory-resolver = { workspace = true, features = ["tokio-runtime"] }
 parking_lot = "0.12"
diff --git a/rust/connlib/shared/Cargo.toml b/rust/connlib/shared/Cargo.toml
index 174850da6..c1d39cc2f 100644
--- a/rust/connlib/shared/Cargo.toml
+++ b/rust/connlib/shared/Cargo.toml
@@ -27,7 +27,7 @@ serde_json = { version = "1.0", default-features = false, features = ["std"] }
 thiserror = { version = "1.0", default-features = false }
 tokio = { version = "1.33", default-features = false, features = ["rt", "rt-multi-thread"]}
 tokio-stream = { version = "0.1", features = ["time"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 tracing = { workspace = true }
 tracing-appender = "0.2"
 url = { version = "2.4.1", default-features = false }
diff --git a/rust/gateway/Cargo.toml b/rust/gateway/Cargo.toml
index 70ca7aac6..a5470902e 100644
--- a/rust/gateway/Cargo.toml
+++ b/rust/gateway/Cargo.toml
@@ -22,7 +22,7 @@ phoenix-channel = { workspace = true }
 secrecy = { workspace = true }
 serde = { version = "1.0", default-features = false, features = ["std", "derive"] }
 tokio = { version = "1.33", default-features = false, features = ["sync", "macros", "rt-multi-thread"] }
-tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.21", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 tracing = { workspace = true }
 tracing-subscriber = "0.3.17"
 url = { version = "2.4.1", default-features = false }
diff --git a/rust/phoenix-channel/Cargo.toml b/rust/phoenix-channel/Cargo.toml
index f56bfa537..372606a38 100644
--- a/rust/phoenix-channel/Cargo.toml
+++ b/rust/phoenix-channel/Cargo.toml
@@ -8,7 +8,7 @@ edition = "2021"
 
 [dependencies]
 secrecy = { workspace = true }
-tokio-tungstenite = { version = "0.20.1", features = ["rustls-tls-native-roots"] }
+tokio-tungstenite = { version = "0.21.0", features = ["rustls-tls-webpki-roots"] }
 futures = "0.3.29"
 base64 = "0.21.7"
 serde = { version = "1.0.190", features = ["derive"] }
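Review bot: The move from `rustls-tls-native-roots` to `rustls-tls-webpki-roots` on phoenix-channel's `tokio-tungstenite` line changes which trust store decides the `UnknownIssuer` outcome, and nothing in the hunk records that trade-off: the Mozilla bundle is compiled into the binary, so roots that are later removed or distrusted stay trusted until a rebuild with a newer `webpki-roots`, and a deployment whose portal endpoint is signed by a private CA installed in the OS store will now fail with the same error this commit fixes. A comment above the dependency would keep the next maintainer from reverting it as a regression, e.g. `# Bundled Mozilla roots instead of the OS store: the relay image ships no CA bundle (#3266). Roots are frozen at build time, so refresh them with a rebuild.` The other three Cargo.toml files in this patch set `default-features = false` with explicit `connect`/`handshake` features while this crate keeps the defaults; aligning them would make the TLS feature set identical across the workspace. The lock diff also appears to pin two bundles, `webpki-roots 0.25.3` on the reqwest/rustls 0.21 path and `0.26.0` on the tungstenite path, so the binary likely carries two snapshots of the trust store that have to be bumped together.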