hyper 0.11?

[mssun]

Compared to 0.9, I guess hyper dropped openssl dependency and made it a pure rust library.

I wonder when snatch will move on to hyper 0.11 and give an option to decide whether to use openssl. OpenSSL can potentially introduce security issue.

This will give users an option to use pure Rust binary.

Same issue in snatch: https://github.com/derniercri/snatch/issues/76

[k0pernicus]

I began to update hyper in Zou, and it's more complicated than I thought (the use of Tokio makes the API more complex actually...). It may take a while - sorry for the delay.

[mssun]

Thanks for the update @k0pernicus . Take your time. I'm still looking forward to see a better Zou.

BTW, the TLS version of hyper is provided by:

• https://github.com/hyperium/hyper-tls

[k0pernicus]

Yep, I am using it ;-) No troubles with the HttpsConnector, just the Futures API that is... pretty complex to use

[k0pernicus]

So, after a night hacking with the 0.11 version of hyper, I think it's not relevant to migrate to this version currently. The 0.11 version deals with tokio in order to perform well async I/O - no blocking I/O in this version. We should see a difference in retrieving data, but I really think that it may be annoying to update now Zou as an async tool.

But, I will update the 0.9 version of hyper to the 0.10 one, which can resolve the version incompatibilities of OpenSSL ;-)

[k0pernicus]

This is the current state of the hyper-v0.10 branch:

• upgrading hyper v0.9 -> v0.10
• HTTP client (default)
• HTTPS client using hyper-openssl if the user is asking for an SSL connection.

The code is ugly, but the current process works, so I am updating the code. I will work also on user-friendly Exception errors.

[k0pernicus]

Update: the branch has been merged with devel ;-)

[mssun]

Thanks for the update.

I'm studying crypto/TLS library in Rust recently. I found that hyper-rustls could be a better option. The main reason is that it is based on rustls for TLS and ring for crypto. By using this crypto library chain, we can forget openssl. Using ring as the core crypto library has several advantages:

1. a (towards-pure) Rust library makes it more secure and safe, although it still has C code (from BoringSSL), they are working towards the safer direction IMO.
2. no longer need openssl library as a dependency

Refer:

• https://github.com/ctz/rustls
• https://github.com/briansmith/ring
• https://github.com/ctz/hyper-rustls

[k0pernicus]

Ok - I will explore the issue as soon as the code has been updated :-) Thanks for those awesome proposal!

[mssun]

HTTPS client using hyper-openssl if the user is asking for an SSL connection.

Another question is about using hyper-openssl, I guess hyper-tls is the official supported TLS (openssl) based hyper. Is there any specific reason choosing hyper-openssl?

Basically, there are two choices: hyper-tls vs hyper-rustls, i.e., openssl vs ring. I personally prefer to ring because of previous reasons.

[k0pernicus]

You are right, hyper-tls is the official crate to support TLS (openssl) using hyper. But, hyper-tls is supported by hyper only since the 0.11 version - not the 0.10 one.

To support TLS for 0.10, the must efficient (efficient = quick and reliable) way is to use hyper-openssl for now. As soon as I updated hyper, I will update too the crate to support TLS ;-)