Update tokio-tungstenite to fix webpki vuln (#2181)

Fixes https://github.com/firezone/firezone/security/dependabot/75 Fixes https://github.com/firezone/firezone/security/dependabot/72
2026-01-27 10:18:54 +00:00 · 2023-10-02 12:35:42 -07:00
parent 1e26c1cea8
commit cd5a57f413
7 changed files with 81 additions and 35 deletions
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -37,6 +37,21 @@ jobs:
        run: docker compose up -d
      - name: Test that client can ping resource
        run: docker compose exec -it client timeout 60 bash -c 'until ping -W 1 -c 1 172.20.0.100 &>/dev/null; do true; done'
+      - name: Show Client logs
+        if: '!cancelled()'
+        run: docker compose logs client
+      - name: Show Relay logs
+        if: '!cancelled()'
+        run: docker compose logs relay
+      - name: Show Gateway logs
+        if: '!cancelled()'
+        run: docker compose logs gateway
+      - name: Show API logs
+        if: '!cancelled()'
+        run: docker compose logs api
+      - name: Show httpbin logs
+        if: '!cancelled()'
+        run: docker compose logs httpbin


  integration-test_relayed-flow:
@@ -76,3 +91,18 @@ jobs:
          sudo iptables -I FORWARD 1 -s  172.28.0.105 -d 172.28.0.100 -j DROP
      - name: Test that client can ping resource
        run: docker compose exec -it client timeout 60 bash -c 'until ping -W 1 -c 1 172.20.0.100 &>/dev/null; do true; done'
+      - name: Show Client logs
+        if: '!cancelled()'
+        run: docker compose logs client
+      - name: Show Relay logs
+        if: '!cancelled()'
+        run: docker compose logs relay
+      - name: Show Gateway logs
+        if: '!cancelled()'
+        run: docker compose logs gateway
+      - name: Show API logs
+        if: '!cancelled()'
+        run: docker compose logs api
+      - name: Show httpbin logs
+        if: '!cancelled()'
+        run: docker compose logs httpbin
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -362,6 +362,7 @@ services:

 networks:
  resources:
+    enable_ipv6: false
    ipam:
      config:
        - subnet: 172.20.0.0/16
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -1189,7 +1189,7 @@ dependencies = [
 "serde_json",
 "time",
 "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.20.1",
 "tokio-util",
 "tracing",
 "tracing-android",
@@ -1215,7 +1215,7 @@ dependencies = [
 "serde",
 "serde_json",
 "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.20.1",
 "tracing",
 "url",
 "webrtc",
@@ -1902,7 +1902,7 @@ dependencies = [
 "thiserror",
 "tokio",
 "tokio-stream",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.20.1",
 "tracing",
 "tracing-android",
 "tracing-appender",
@@ -2454,7 +2454,7 @@ dependencies = [
 "serde_json",
 "thiserror",
 "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.19.0",
 "tracing",
 "url",
 ]
@@ -2848,7 +2848,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
- "webpki-roots 0.25.2",
+ "webpki-roots",
 "winreg",
 ]

@@ -2996,7 +2996,7 @@ checksum = "cd8d6c9f025a446bc4d18ad9632e69aec8f287aa84499ee335599fabd20c3fd8"
 dependencies = [
 "log",
 "ring 0.16.20",
- "rustls-webpki 0.101.6",
+ "rustls-webpki",
 "sct 0.7.0",
 ]

@@ -3021,16 +3021,6 @@ dependencies = [
 "base64 0.21.4",
 ]

-[[package]]
-name = "rustls-webpki"
-version = "0.100.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f6a5fc258f1c1276dfe3016516945546e2d5383911efc0fc4f1cdc5df3a4ae3"
-dependencies = [
- "ring 0.16.20",
- "untrusted 0.7.1",
-]
-
 [[package]]
 name = "rustls-webpki"
 version = "0.101.6"
@@ -3702,8 +3692,22 @@ dependencies = [
 "rustls-native-certs",
 "tokio",
 "tokio-rustls",
- "tungstenite",
- "webpki-roots 0.23.1",
+ "tungstenite 0.19.0",
+]
+
+[[package]]
+name = "tokio-tungstenite"
+version = "0.20.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "212d5dcb2a1ce06d81107c3d0ffa3121fe974b73f068c8282cb1c32328113b6c"
+dependencies = [
+ "futures-util",
+ "log",
+ "rustls 0.21.7",
+ "tokio",
+ "tokio-rustls",
+ "tungstenite 0.20.1",
+ "webpki-roots",
 ]

 [[package]]
@@ -3994,7 +3998,27 @@ dependencies = [
 "thiserror",
 "url",
 "utf-8",
- "webpki 0.22.1",
+ "webpki 0.22.2",
+]
+
+[[package]]
+name = "tungstenite"
+version = "0.20.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e3dac10fd62eaf6617d3a904ae222845979aec67c615d1c842b4002c7666fb9"
+dependencies = [
+ "byteorder",
+ "bytes",
+ "data-encoding",
+ "http",
+ "httparse",
+ "log",
+ "rand",
+ "rustls 0.21.7",
+ "sha1 0.10.6",
+ "thiserror",
+ "url",
+ "utf-8",
 ]

 [[package]]
@@ -4278,23 +4302,14 @@ dependencies = [

 [[package]]
 name = "webpki"
-version = "0.22.1"
+version = "0.22.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
+checksum = "07ecc0cd7cac091bf682ec5efa18b1cff79d617b84181f38b3951dbe135f607f"
 dependencies = [
- "ring 0.16.20",
+ "ring",
 "untrusted 0.7.1",
 ]

-[[package]]
-name = "webpki-roots"
-version = "0.23.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b03058f88386e5ff5310d9111d53f48b17d732b401aeb83a8d5190f2ac459338"
-dependencies = [
- "rustls-webpki 0.100.3",
-]
-
 [[package]]
 name = "webpki-roots"
 version = "0.25.2"
--- a/rust/connlib/libs/client/Cargo.toml
+++ b/rust/connlib/libs/client/Cargo.toml
@@ -25,7 +25,7 @@ url = { version = "2.4.1", features = ["serde"] }
 time = { version = "0.3.29", features = ["formatting"] }
 reqwest = { version = "0.11.20", default-features = false, features = ["stream", "rustls-tls"] }
 rand = { version = "0.8", default-features = false, features = ["std"] }
-tokio-tungstenite = { version = "0.19", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }

 [target.'cfg(target_os = "android")'.dependencies]
 tracing = { workspace = true, features = ["std", "attributes"] }
--- a/rust/connlib/libs/common/Cargo.toml
+++ b/rust/connlib/libs/common/Cargo.toml
@@ -24,7 +24,7 @@ serde_json = { version = "1.0", default-features = false, features = ["std"] }
 thiserror = { version = "1.0", default-features = false }
 tokio = { version = "1.32", default-features = false, features = ["rt", "rt-multi-thread"]}
 tokio-stream = { version = "0.1", features = ["time"] }
-tokio-tungstenite = { version = "0.19", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
 tracing = { workspace = true }
 tracing-appender = "0.2"
 url = { version = "2.4.1", default-features = false }
--- a/rust/connlib/libs/gateway/Cargo.toml
+++ b/rust/connlib/libs/gateway/Cargo.toml
@@ -17,7 +17,7 @@ backoff = { workspace = true }
 webrtc = "0.8"
 url = { version = "2.4.1", default-features = false }
 rand = { version = "0.8", default-features = false, features = ["std"] }
-tokio-tungstenite = { version = "0.19", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.20", default-features = false, features = ["connect", "handshake", "rustls-tls-webpki-roots"] }

 [dev-dependencies]
 serde_json = { version = "1.0", default-features = false, features = ["std"] }
--- a/rust/phoenix-channel/Cargo.toml
+++ b/rust/phoenix-channel/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2021"

 [dependencies]
 secrecy = { workspace = true }
-tokio-tungstenite = { version = "0.19.0", features = ["rustls-tls-native-roots"] }
+tokio-tungstenite = { version = "0.19", features = ["rustls-tls-native-roots"] }
 futures = "0.3.28"
 base64 = "0.21.4"
 serde = { version = "1.0.188", features = ["derive"] }