
Set rustls crypto provider explicitly #3590

Merged: itowlson merged 2 commits into spinframework:main from ChihweiLHBird:fix/explicit-rustls-crypto-provider, Jul 1, 2026


@ChihweiLHBird

Contributor

Fixes #3104.

Summary

  • Install Spin's process-wide rustls crypto provider at startup.
  • Add a shared spin-trigger helper for the CLI and trigger harness paths.
  • Switch reqwest to the no-provider rustls feature so it uses the process default.

A follow-up PR can change the provider from ring to aws-lc-rs and optionally upgrade reqwest to 0.13.

@ChihweiLHBird ChihweiLHBird force-pushed the fix/explicit-rustls-crypto-provider branch 3 times, most recently from 6d11af2 to 610f136 Compare June 25, 2026 09:03
Comment thread Cargo.toml Outdated
redis = "0.32.5"
regex = "1"
reqwest = { version = "0.12", features = ["stream", "blocking", "rustls-tls-native-roots"] }
reqwest = { version = "0.12", features = ["stream", "blocking", "rustls-tls-native-roots-no-provider"] }
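
Review bot: the feature change on the reqwest line, from rustls-tls-native-roots to rustls-tls-native-roots-no-provider, moves the choice of crypto provider out of reqwest and onto whatever links it, so every binary, test harness and downstream crate that inherits this workspace dependency needs a process-default provider installed before it builds a client. Either keep the original feature and rely on the explicitly installed default, or add a comment beside the dependency that states the requirement so consumers of the workspace entry are not caught out.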

Collaborator

I think this could be a breaking change for consumers of spin crates that use this workspace dependency.

Is this actually necessary? It looks like reqwest will use an already-installed provider: https://github.com/seanmonstar/reqwest/blob/797df2b96a88ee49a636337f87beebe87f6212fe/src/async_impl/client.rs#L583-L593

Contributor Author

This is not strictly needed, let me try changing it back.

@ChihweiLHBird ChihweiLHBird force-pushed the fix/explicit-rustls-crypto-provider branch from 610f136 to 5dd4936 Compare June 25, 2026 19:26
Comment thread src/bin/spin.rs Outdated

#[tokio::main]
async fn main() {
spin_trigger::crypto::install_default_crypto_provider();
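
Review bot: the install_default_crypto_provider() call at the top of main carries no comment saying it has to run before any TLS config or client is built, and the call site discards whatever the helper returns, so it is not visible what happens if a provider was already installed. Add a one-line comment on the ordering requirement, and have the helper either return a Result that main handles or document that an already-installed provider is left in place.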

Collaborator

It's not clear to me why this is in spin_trigger.

Contributor Author

Or it can be in a dedicated crate?

Collaborator

Yeah, maybe. I don't think there's a good place for it at the moment - maybe spin-common, but that's meant to be reserved for helpers and conventions, and I am cautious about putting load-bearing state in there. I am not sure. It's just that if I thought "where is that default crypto thingy" then spin-trigger would not be on my list of places to look. @lann any thoughts?

Contributor Author

I put it into a dedicated crate called spin-tls. Let me know if this works/looks better.

Comment thread crates/trigger/src/crypto.rs Outdated
Comment thread crates/trigger/src/cli.rs Outdated
@ChihweiLHBird ChihweiLHBird force-pushed the fix/explicit-rustls-crypto-provider branch 2 times, most recently from 44373b2 to 23a5013 Compare June 30, 2026 23:45
Signed-off-by: Zhiwei Liang <zhiwei.liang@zliang.me>
Signed-off-by: Zhiwei Liang <zhiwei.liang@zliang.me>
@ChihweiLHBird ChihweiLHBird force-pushed the fix/explicit-rustls-crypto-provider branch from 23a5013 to 425eac1 Compare June 30, 2026 23:49
@itowlson itowlson merged commit 1a0be4c into spinframework:main Jul 1, 2026
17 checks passed
Development

Successfully merging this pull request may close these issues.

Avoid automatic TLS crypto provider detection
