Rm dep openssl

[NobodyXu]

This is split from #1738 , to remove dependency on openssl in src/bin/sccache-dist/token_check.rs.

This also disabled default-feature of reqwest and dev-dep thirtyfour_sync which pulled in openssl which was a mistake in #1737 since I didn't realize that reqwest pulls in openssl by default.

Signed-off-by: Jiahao XU Jiahao_XU@outlook.com

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 0% with 13 lines in your changes missing coverage. Please review.

Project coverage is 30.66%. Comparing base (6ff88eb) to head (99f01f9).
Report is 216 commits behind head on main.

Files with missing lines	Patch %	Lines
src/util.rs	0.00%	12 Missing ⚠️
src/dist/http.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1742      +/-   ##
==========================================
- Coverage   30.87%   30.66%   -0.21%     
==========================================
  Files          51       51              
  Lines       19419    19505      +86     
  Branches     9348     9425      +77     
==========================================
- Hits         5995     5981      -14     
- Misses       7790     7955     +165     
+ Partials     5634     5569      -65     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sylvestre]

I guess you saw : error[E0599]: the method context exists for enum Result<UintRef<'_>, Error>, but its trait bounds were not satisfied
--> src/bin/sccache-dist/token_check.rs:41:44
|
41 | let e_bn = pkcs1::UintRef::new(&e).context("Failed to create pkcs1 bignum from e")?;

[NobodyXu]

@sylvestre Thanks, I have fixed this error.

[NobodyXu]

This PR is currently blocked on RustCrypto/formats#1013 to avoid pkcs8 to be pulled in.

[NobodyXu]

That PR has merged, but latest der v0.7.4 also requires rust 1.65.0

Since current msrv for sccache is 1.64.0, I think it's ok to bump it to 1.65.0

[NobodyXu]

Blocked on tomaka/rouille#272

[NobodyXu]

@Xuanwo Can we re-open this?
I didn't know that using the fix to refer to a PR would close it.

[NobodyXu]

Thank you @Xuanwo !
Once tomaka/rouille#272 is merged, I will mark this PR as ready-to-review.

[NobodyXu]

@sylvestre It seems that disabling default-feature default-tls of reqwest (which pulls in openssl) might be what breaks the "ci / test ubuntu-22.04 rust 1.65.0 dist-server".

It seems that reqwest prefers openssl when it is enabled by default, so when we disable default-tls, we forces reqwest to use rustls and that seems to be what causes the failure.

[NobodyXu]

The error in "ci/test ubuntu-22.04 rust 1.65.0 dist-server" actually changed to:

test test_dist_basic ... FAILED
[2023-04-24T13:54:52Z DEBUG sccache::config] Attempting to read config file at "/tmp/sccache_dist_testvfnrqa/sccache-cfg.json"
test test_dist_failingserver ... sccache: Starting the server...
[2023-04-24T13:54:52Z DEBUG sccache::config] Attempting to read config file at "/tmp/sccache_dist_testvfnrqa/sccache-cfg.json"
[2023-04-24T13:55:22Z ERROR rustls::conn] TLS alert received: AlertMessagePayload {
        level: Fatal,
        description: BadCertificate,
    }
ok
[2023-04-24T13:55:22Z DEBUG sccache::config] Attempting to read config file at "/tmp/sccache_dist_testiVFYye/sccache-cfg.json"
test test_dist_nobuilder ... sccache: Starting the server...
[2023-04-24T13:55:22Z DEBUG sccache::config] Attempting to read config file at "/tmp/sccache_dist_testiVFYye/sccache-cfg.json"
ok
test test_dist_restartedserver ... FAILED

failures:

error: test failed, to rerun pass `--test dist`
---- test_dist_basic stdout ----
thread 'main' panicked at 'wait timed out, last error result: Connection refused (os error 111)', tests/harness/mod.rs:649:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/897e37553bba8b42751c67658967889d11ecd120/library/std/src/panicking.rs:584:5
   1: core::panicking::panic_fmt
             at /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/panicking.rs:142:14
   2: dist::harness::wait_for
             at ./tests/harness/mod.rs:649:5
   3: dist::harness::wait_for_http
             at ./tests/harness/mod.rs:622:5
   4: dist::harness::DistSystem::wait_server_ready
             at ./tests/harness/mod.rs:442:9
   5: dist::harness::DistSystem::add_server
             at ./tests/harness/mod.rs:383:9
   6: dist::test_dist_basic
             at ./tests/dist.rs:73:5
   7: dist::test_dist_basic::{{closure}}
             at ./tests/dist.rs:63:1
   8: core::ops::function::FnOnce::call_once
             at /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/ops/function.rs:248:5
   9: core::ops::function::FnOnce::call_once
             at /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/ops/function.rs:248:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

[NobodyXu]

Seems like rustls failed due to bad certificate.
Since this also happened in #1739, I don't think the changes to create_https_cert_and_privkey is responsible for this.

[NobodyXu]

@drahnr I've updated reqwest to v0.11.8 and rustls to v0.21.0, it indeed fixed the bad certificate error, but now we got a new error:

[2023-05-17T02:11:22Z ERROR rustls::conn] TLS alert received: AlertMessagePayload {
        level: Fatal,
        description: UnknownCA,
    }

Seems like it rejects the certificate due to unknown ca, but not sure how to fix this.

[drahnr]

Could you add a feature gated test, that verifies the certificates generated are identical? It appears the issue seen after porting can originate from a variety of name validation issues i.e. https://github.com/briansmith/webpki/issues/20 so I'd recommend to check consistency against the openssl generated cert first, verify such a openssl generated cert with the logic of rustls and then start debugging into the unit test that should start failing.

[drahnr]

If it's not your cup of tea, leave a message here :)

[NobodyXu]

I can certainly add a new unit test to ensure the two different methods produces identical certificates, but I'm a bit busy recently

[NobodyXu]

Although I don't think this is caused by https://github.com/briansmith/webpki/issues/20
dist-server CI uses a self-signed CA AFAIK, so it naturally does not have a ca and it matches the error message from rustls:

[2023-05-17T02:11:22Z ERROR rustls::conn] TLS alert received: AlertMessagePayload {
        level: Fatal,
        description: UnknownCA,
    }

In fact the new ca generation code explicitly excludes ca.

[saiintbrisson]

Some input here #1742 (comment)

[drahnr]

Do we have an integration test to verify 1:1 reproduction of the certificate? We'd need that for the dist case to remain backward compatible with older "clients".

[NobodyXu]

No, I'm going to write this by running external openssl command.

[drahnr]

You only need to include a previously generated certificate (i.e. from the current master/main branch), and include it as a reference to compare against / ensure compatibility with.

[NobodyXu]

@drahnr I don't think it's possible, since the original openssl and the new code both uses the current time when creating the certificate.

Otherwise I could just use a statically embedded certificate.

[drahnr]

a. generate with rustls directly
b. openssl -> file fmt -> parse certificate with rustls

Compare all fields of a and b, except for those that are reasonable to expect to deviate.

[sylvestre]

Thanks & no worries, no rush :)

[drahnr]

Side quest @sylvestre - we should consider using cargo-deny to prevent future regressions on accidentally re-adding openssl through dependencies.

[sylvestre]

Yes, sounds good :)

[NobodyXu]

I'm currently trying to upgrade trust-dns to hickory-dns v0.24 by using ClientBuilder::dns_resolver, however it seems that this method isn't present in the blocking version of client used in utils::new_reqwest_blocking_client

[Xuanwo]

however it seems that this method isn't present in the blocking version of client used in utils::new_reqwest_blocking_client

hickory-dns only provides async API and it's blocking API is a tokio::block_on wrapper.

Maybe it's ok to just use libc's dns resovler in blocking API?

[NobodyXu]

Maybe it's ok to just use libc's dns resovler in blocking API?

That's a good advice, I've applied it and hope that the CI will succeed.

[NobodyXu]

Updated trust-dns-resolver v0.22 to latest v0.24 (renamed to hickory-dns) and also updates webpki-roots to v0.25.

Confirmed that rustls v0.21 has been removed, but CI failure persists.

I think it's likely something in the certificate generation that caused the error.

[sylvestre]

Sorry, needs rebasing

[NobodyXu]

Sorry I was a bit busy recently, will rebase when I got time.

And the CI error is really tricky, I wasn't able to get it fixed.

[AJIOB]

What about moving it to the dedicated .rs file?

[Xuanwo]

Try reqwest-hickory-resolver that maintained by me 😄

[AJIOB]

Hi @NobodyXu,

Do you have a time for finalizing this PR?

[NobodyXu]

Hello

Honestly I don't know how to fix the CI failure.

I don't know openssl good enough and don't have much time recently.

[sylvestre]

please reopen when ready

[NobodyXu]

Unfortunately I don't have any time now to continue working, so someone else can take over it if they have time and is interested in it