Kixunil / tonic_lnd

Rust implementation of LND RPC client using async GRPC library `tonic`

Migrate from rustls to openssl #25

Closed okjodom closed 1 year ago

okjodom commented 1 year ago

In the interest of moving forward with the proposals on PR #20, this PR cherry-picks the migration from rustls to openssl for TLS certificate handling, introduced by @yzernik because of https://github.com/Kixunil/tonic_lnd/issues/17.

closes #17

okjodom commented 1 year ago

@Kixunil, what do you think of this proposal to migrate to openssl?

Kixunil commented 1 year ago

To be completely honest, after recent fiascos with vulnerabilities in OpenSSL the idea of forcing it onto users seems disgusting and scary. It also makes building the library more annoying. I'd be fine with optional support that is off by default.

I think that ideally whichever limitations Rustls has should be resolved by improving Rustls or some workaround.

Kixunil commented 1 year ago

Did a bit of digging around and found this: https://github.com/rustls/rustls/pull/1032

I think this is the way to go. This library has custom verification which simply compares the certificate against the expected one (which is usually better for LND anyway) and thus IP address should work. It may require upgrading rustls though and maybe we'll hit MSRV issues. If you could look into it it'd be nice. If we hit these issues I will look at a possible solution myself.
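
The pinning approach described in the comment above, as an added example that is not tonic_lnd's own code: a verifier that accepts exactly one server certificate and never consults the names inside it, so an IP-address endpoint verifies the same as a hostname. The verifier shape is a stand-in loosely modeled on the inputs a rustls server-cert verifier receives, not rustls' real trait or signature; the PEM sample is constructed bytes, not a real certificate; `pem_to_der`, `b64_decode` and `ct_eq` are helpers written here for the example.

```rust
// Added example (not tonic_lnd's code): certificate pinning as the TLS
// server-cert check, written against std only. The verifier shape is a
// stand-in loosely modeled on rustls' ServerCertVerifier, not its real trait.

#[derive(Debug, PartialEq)]
pub enum PinError {
    BadPem,
    EmptyChain,
    CertMismatch,
}

#[derive(Debug)]
pub struct ServerCertVerified;

/// Accepts exactly one end-entity certificate: the tls.cert the operator
/// copied from the LND node out of band. Names inside the cert are never
/// consulted, so dialing by IP address or by hostname verifies identically.
pub struct PinnedCertVerifier {
    expected_der: Vec<u8>,
}

impl PinnedCertVerifier {
    pub fn new(expected_der: Vec<u8>) -> Self {
        PinnedCertVerifier { expected_der }
    }

    /// Inputs mirror what a TLS client verifier sees: the presented leaf,
    /// any intermediates and the server name the client dialed.
    pub fn verify_server_cert(
        &self,
        end_entity: &[u8],
        _intermediates: &[&[u8]],
        _server_name: &str,
    ) -> Result<ServerCertVerified, PinError> {
        if end_entity.is_empty() {
            return Err(PinError::EmptyChain);
        }
        // Intermediates and server name are deliberately ignored: the only
        // question is "is this byte-for-byte the cert I was told to trust?"
        if !ct_eq(end_entity, &self.expected_der) {
            return Err(PinError::CertMismatch);
        }
        Ok(ServerCertVerified)
    }
}

/// Constant-time comparison of equal-length slices; the length itself is
/// public (certificates are not secret), so the early return is fine.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Extracts the DER bytes from the first CERTIFICATE block of a PEM file.
pub fn pem_to_der(pem: &str) -> Result<Vec<u8>, PinError> {
    let body: String = pem
        .lines()
        .map(str::trim)
        .skip_while(|l| *l != "-----BEGIN CERTIFICATE-----")
        .skip(1)
        .take_while(|l| *l != "-----END CERTIFICATE-----")
        .collect();
    if body.is_empty() {
        return Err(PinError::BadPem);
    }
    b64_decode(&body)
}

/// Minimal standard base64 decoder (std has none); rejects stray characters.
fn b64_decode(s: &str) -> Result<Vec<u8>, PinError> {
    fn val(c: u8) -> Result<u32, PinError> {
        let v: u8 = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return Err(PinError::BadPem),
        };
        Ok(v as u32)
    }
    let bytes = s.as_bytes();
    if bytes.len() % 4 != 0 {
        return Err(PinError::BadPem);
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let pad = chunk.iter().filter(|&&b| b == b'=').count();
        let mut acc = 0u32;
        for &b in chunk {
            acc = (acc << 6) | (if b == b'=' { 0 } else { val(b)? });
        }
        out.push((acc >> 16) as u8);
        if pad < 2 { out.push((acc >> 8) as u8); }
        if pad < 1 { out.push(acc as u8); }
    }
    Ok(out)
}

/// Constructed sample: a PEM wrapper around the bytes 01..09, not a real cert.
pub const SAMPLE_PEM: &str =
    "-----BEGIN CERTIFICATE-----\nAQIDBAUGBwgJ\n-----END CERTIFICATE-----\n";

fn main() {
    let pin = pem_to_der(SAMPLE_PEM).expect("sample PEM decodes");
    let verifier = PinnedCertVerifier::new(pin.clone());
    // Same cert dialed by IP and by hostname: both accepted.
    println!("by ip:   {:?}", verifier.verify_server_cert(&pin, &[], "10.0.0.5"));
    println!("by name: {:?}", verifier.verify_server_cert(&pin, &[], "lnd.example"));
    // A different cert, even with the right name, is rejected.
    println!("other:   {:?}", verifier.verify_server_cert(&[9, 9, 9], &[], "lnd.example"));
}
```

The point the comment makes is visible in `verify_server_cert`: because the decision is a byte comparison against the operator-supplied certificate, whatever rustls does with SAN entries and IP addresses never enters the decision, and a certificate issued for the right name by anyone else is still rejected.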

okjodom commented 1 year ago

Ack on feedback. Marking this PR as draft while I look into the alternative path suggested.

okjodom commented 1 year ago

Presently attempting an upgrade to rustls v0.20.8 and I've observed lots of breaking changes to be worked through.

okjodom commented 1 year ago

Not the direction to go!