Migrate from rustls to openssl #25
Conversation
* Update library to use openssl instead of rustls * Include docstring in lib module
|
@Kixunil, what do you thing of this proposal to migrate to openssl |
|
To be completely honest, after recent fiascos with vulnerabilities in OpenSSL the idea of forcing it onto users seems disgusting and scary. It also make building the library more annoying. I'd be fine with optional support that is off by default. I think that ideally whichever limitations Rustls has should be resolved by improving Rustls or some workaround. |
|
Did a bit of digging around and found this: rustls/rustls#1032 I think this is the way to go. This library has custom verification which simply compares the certificate against the expected one (which is usually better for LND anyway) and thus IP address should work. It may require upgrading rustls though and maybe we'll hit MSRV issues. If you could look into it it'd be nice. If we hit these issues I will look at a possible solution myself. |
|
Ack. on feedback. marking this PR draft while I look into the alternative path suggested |
|
Presently attempting an upgrade to rustls v0.20.8 and I've observed lot's of breaking changes to be worked through. |
|
Not the direction to go! |
In the interest of moving forward with the proposals on PR #20 , this PR cherry picks migration from rustls to openssl for the TLS certificate handling, introduced by @yzernik because of #17.
closes #17