rust-lang / rustup

The Rust toolchain installer
https://rust-lang.github.io/rustup/
Apache License 2.0

CfT: Test out Rustup's `reqwest` backend with `rustls` #3806

Open rami3l opened 5 months ago

rami3l commented 5 months ago

In #3790, we have started an initiative to make reqwest/rustls Rustup's future download/TLS backend combination.

While a maximally-Rust stack might sound exciting, we want to get it tested beforehand to minimize the possibility for you to experience hiccups in production.

We encourage you to try out this new backend from today on Rustup v1.27+ by setting the environment variable RUSTUP_USE_RUSTLS=1 [^1] and share your experiences below.

Many thanks in advance 🙇‍♀️

Note

You can report in this issue the changes that switching to rustls has made to your workflow, so I assume most of them are breakages: what worked before but now doesn’t work with rustls (although it could also be the opposite, i.e. what didn't work but now works with rustls).

If you can't feel any difference, that's actually good news for us! Just reacting with 😄[^2] to this message would be perfect in this case :)

[^1]: Please make sure that RUSTUP_USE_CURL is NOT set, otherwise the curl download backend will be selected.

[^2]: GitHub has recently replaced the emoji with 😂, I have no idea why this is the case 🤷‍♀

### Tasks
- [ ] https://github.com/rust-lang/rustup/issues/3820
- [ ] https://github.com/rust-lang/rustup/pull/3979
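A small POSIX shell helper, added here as an example and not part of rustup or of this issue, that applies the footnote's caveat mechanically: it clears both RUSTUP_USE_CURL and RUSTUP_USE_RUSTLS before exporting the one you asked for, so a RUSTUP_USE_CURL=1 left behind in a shell profile cannot silently win, and it runs the same rustup command once under each backend so a report in this thread can say which backend failed. The function names and the `rustls|curl|default` mode names are this example's own; `env -u` is assumed to be available (GNU, BSD and busybox env all accept it).

```shell
#!/bin/sh
# Example helper for trying rustup's rustls backend (not rustup's own code).
# rustup picks curl whenever RUSTUP_USE_CURL is set, even if RUSTUP_USE_RUSTLS=1
# is also set, so both variables are cleared before the requested one is exported.
# Usage: rustup_with_backend rustls|curl|default <command> [args...]
#   e.g. rustup_with_backend rustls rustup update
rustup_with_backend() {
  backend=$1
  shift
  case $backend in
    rustls)  env -u RUSTUP_USE_CURL -u RUSTUP_USE_RUSTLS RUSTUP_USE_RUSTLS=1 "$@" ;;
    curl)    env -u RUSTUP_USE_CURL -u RUSTUP_USE_RUSTLS RUSTUP_USE_CURL=1 "$@" ;;
    default) env -u RUSTUP_USE_CURL -u RUSTUP_USE_RUSTLS "$@" ;;
    *) echo "rustup_with_backend: unknown backend '$backend'" >&2; return 2 ;;
  esac
}

# Run the same command once per backend and print one of:
#   both-ok | rustls-only-failure | curl-only-failure | both-fail
# "rustls-only-failure" is the case worth reporting in this issue.
# Usage: compare_backends rustup update
compare_backends() {
  rustls_rc=0
  curl_rc=0
  rustup_with_backend rustls "$@" >/dev/null 2>&1 || rustls_rc=$?
  rustup_with_backend curl "$@" >/dev/null 2>&1 || curl_rc=$?
  if [ "$rustls_rc" -eq 0 ] && [ "$curl_rc" -eq 0 ]; then
    echo both-ok
  elif [ "$rustls_rc" -ne 0 ] && [ "$curl_rc" -eq 0 ]; then
    echo rustls-only-failure
  elif [ "$rustls_rc" -eq 0 ]; then
    echo curl-only-failure
  else
    echo both-fail
  fi
}

# Offline demonstration, in a subshell so nothing leaks into the caller's
# environment: export a stray RUSTUP_USE_CURL=1 (as a shell profile might) and
# show which variables a child process actually sees in each mode.
(
  RUSTUP_USE_CURL=1
  export RUSTUP_USE_CURL
  probe='printf "RUSTUP_USE_RUSTLS=%s RUSTUP_USE_CURL=%s\n" "${RUSTUP_USE_RUSTLS-unset}" "${RUSTUP_USE_CURL-unset}"'
  for mode in rustls curl default; do
    printf '%-8s' "$mode"
    rustup_with_backend "$mode" sh -c "$probe"
  done
)
```

Use `compare_backends rustup update` (or any other rustup subcommand) and paste its one-word verdict together with the rustls-side error output; the `default` mode is there so you can confirm what your unmodified environment selects.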

U007D commented 5 months ago

LGTM! 👍🏾

rami3l commented 5 months ago

An interesting observation by @llde indicates that this change might be a move in the right direction!

> RUSTUP_USE_RUSTLS=1 seems to be another workaround with last rustup version.

https://github.com/rust-lang/rustup/issues/3689#issuecomment-2094159776

U007D commented 5 months ago

This CfT has been added to TWiR Issue 546.

You may now remove the call-for-testing label. Please feel free to re-add the label if you wish this CfT to appear again in a future issue.

kornelski commented 5 months ago

Rustls is completely unusable with the WARP Gateway (a corporate VPN) due to lack of support for p521 signatures.

```
RUSTUP_USE_RUSTLS=1 rustup update
info: syncing channel updates for 'stable-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '~/.rustup/tmp/pnvxaiia4u2hcr_n_file'
info: syncing channel updates for 'nightly-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-nightly.toml.sha256' to '~/.rustup/tmp/ay1l00g5xg91pnuc_file'
info: syncing channel updates for '1.63-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.63.toml.sha256' to '~/.rustup/tmp/0oaqi61f4mgwqa4n_file'
info: syncing channel updates for '1.64-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.64.toml.sha256' to '~/.rustup/tmp/9rhc8csclaotwleh_file'
info: syncing channel updates for '1.65-aarch64-apple-darwin'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-1.65.toml.sha256' to '~/.rustup/tmp/26d6fm0my9i9sgvg_file'
info: checking for self-update
error: could not download file from 'https://static.rust-lang.org/rustup/release-stable.toml' to '/var/folders/lq/fqqfw_z50v96h8tlkj56c8wc0000gn/T/rustup-update5PMZuE/release-stable.toml'

Caused by:
    0: failed to make network request
    1: error sending request for url (https://static.rust-lang.org/rustup/release-stable.toml): error trying to connect: invalid peer certificate: BadSignature
    2: error trying to connect: invalid peer certificate: BadSignature
    3: invalid peer certificate: BadSignature
```

The curl backend has no problems with it.

djc commented 5 months ago

@kornelski interesting... So WARP MITMs all connections, and only supports P521 for this? That seems pretty restrictive and a little surprising. Or is this configurable for WARP and does your WARP org require the stronger curve?

https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/ suggests that RSA is supported for custom roots so it doesn't look like P521 is a requirement for the product itself?
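A diagnostic, added as an example (shell; not rustup's code and not posted by anyone in this thread), for checking the thing the two comments above turn on: what the certificate chain actually looks like when fetched from behind the gateway. It asks openssl for the chain the proxy presents, tabulates each certificate's subject, signature algorithm and EC curve, and flags whether a P-521 key appears in the chain or, when the intercepting root is not sent by the server, whether an ECDSA-with-SHA512 signature hints at a P-521 issuer. The hostname default and the sample certificate text are constructed for this example; openssl and awk are assumed to be on PATH, and the live-fetch function is only meaningful from behind the VPN in question.

```shell
#!/bin/sh
# Example chain inspector (not rustup's code). Works on the text form that
# `openssl x509 -text` / `openssl pkcs7 -print_certs -text` emit.

# Print one line per certificate: subject|signature-algorithm|ec-curve
# (ec-curve is "-" for non-EC keys). Reads the -text output on stdin.
# The first "Signature Algorithm:" per certificate is the TBS one; the
# repeated line after the extensions is ignored.
chain_table() {
  awk '
    function emit() { printf "%s|%s|%s\n", subj, sig, (curve == "" ? "-" : curve) }
    /^Certificate:/ { if (n) emit(); n++; subj = ""; sig = ""; curve = "" }
    /Signature Algorithm:/ && sig == "" { sig = $NF }
    /Subject:/ && subj == "" { sub(/.*Subject: */, ""); subj = $0 }
    /NIST CURVE:/ { curve = $NF }
    END { if (n) emit() }
  '
}

# Read a chain_table on stdin and print one verdict:
#   p521-in-chain         a certificate in the chain carries a P-521 key
#   possible-p521-issuer  no P-521 key seen, but an ECDSA-with-SHA512 signature
#                         (the issuer's key is not in what the server sent)
#   no-p521               neither
chain_verdict() {
  awk -F'|' '
    $3 == "P-521" { key = 1 }
    $2 == "ecdsa-with-SHA512" { sig = 1 }
    END { print (key ? "p521-in-chain" : (sig ? "possible-p521-issuer" : "no-p521")) }
  '
}

# Fetch the chain a host presents to this machine (i.e. through any intercepting
# proxy) and tabulate it. Needs network access and openssl; not run offline.
# Assumes openssl's PEM reader skips the non-PEM lines s_client prints.
# Usage: inspect_chain static.rust-lang.org [443]
inspect_chain() {
  host=$1
  port=${2:-443}
  tmp=$(mktemp) || return 1
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null >"$tmp"
  openssl crl2pkcs7 -nocrl -certfile "$tmp" | openssl pkcs7 -print_certs -text -noout | chain_table
  rm -f "$tmp"
}

# Constructed sample (not a real chain): a P-256 leaf signed by a P-521 root.
SAMPLE_CHAIN_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Example Gateway Root CA
        Subject: CN = static.rust-lang.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: ecdsa-with-SHA512
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Example Gateway Root CA
        Subject: CN = Example Gateway Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: secp521r1
                NIST CURVE: P-521
    Signature Algorithm: ecdsa-with-SHA512'

printf '%s\n' "$SAMPLE_CHAIN_TEXT" | chain_table
printf '%s\n' "$SAMPLE_CHAIN_TEXT" | chain_table | chain_verdict
```

Run `inspect_chain static.rust-lang.org | chain_verdict` from behind the gateway and from a clean network; if the verdicts differ, the table shows exactly which certificate the proxy substituted and with what key, which is the detail that would settle the question of whether the product itself or the org's configuration chose the curve.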