I have a problem with sending HTTPS requests to https://api.kavenegar.com/v1; rustls throws this error:
Uncaught Http: error sending request for url (https://api.kavenegar.com/v1): error trying to connect: Connection reset by peer (os error 104)
Unfortunately, their decision criterion is not rustls and they have no plans to change.
So it would be nice to have a solution that lets us use openssl instead of rustls (like a flag ...)
Related to: #6197
Unfortunately, their decision criterion is not rustls and they have no plans to change.
Whose decision criterion? Who are "they"? What should be changed? I assume this site just uses some outdated or obsolete TLS configuration which rustls does not support.
@lucacasonato
Who are "they"?
The kavenegar.com team.
What should be changed?
Their certificate to work with rustls.
I assume this site just uses some outdated or obsolete TLS configuration which rustls does not support.
Because there's no problem with major SSL/TLS libraries like openssl and golang/tls, they told me the problem is with your client, not us.
Unfortunately, I don't know why rustls has a problem with api.kavenegar.com, but when I manually use the default openssl feature with the reqwest client, there is no problem anymore.
You can reproduce this problem with this code:
fetch("https://api.kavenegar.com/v1").then(console.log) // expect `404 not found` error but throws 104 os error
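One way to test the "outdated TLS configuration" hypothesis raised above, as an added example that is not code from the thread or from Deno: a Python probe that handshakes with TLS 1.2 and TLS 1.3 separately and checks whether what the server negotiates is something rustls actually offers (TLS 1.3, or TLS 1.2 with ECDHE key exchange and an AEAD cipher, per the rustls non-features list linked later in the thread). The default host and the `rustls_compatible` classifier are assumptions made for this example, not part of the report.

```python
import socket
import ssl

def rustls_compatible(protocol, cipher):
    """True if a negotiated (protocol, cipher) pair is one rustls can speak.

    rustls offers TLS 1.3, and for TLS 1.2 only ECDHE key exchange with an
    AEAD cipher (AES-GCM or ChaCha20-Poly1305). RSA key exchange, CBC
    suites, 3DES, RC4 and TLS 1.0/1.1 are on its non-features list.
    Cipher names are OpenSSL-style, as Python's ssl module reports them.
    """
    if protocol == "TLSv1.3":
        return True
    if protocol != "TLSv1.2":
        return False
    return cipher.startswith("ECDHE-") and ("GCM" in cipher or "CHACHA20" in cipher)

def handshake(host, port, version):
    """One handshake pinned to a single TLS version.

    Returns (protocol, cipher) on success, or None if the server reset or
    rejected the connection (as with the os error 104 in the report).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except OSError:  # ssl.SSLError and socket.timeout are both OSError
        return None

def probe(host, port=443):
    """Try TLS 1.2 and TLS 1.3 separately so a reset on one is visible."""
    return {v.name: handshake(host, port, v)
            for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)}

def diagnose(results):
    """True if any successful handshake used a suite rustls could negotiate."""
    return any(r is not None and rustls_compatible(*r) for r in results.values())

if __name__ == "__main__":
    import sys
    # Assumed default: the host from the report; pass another host as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "api.kavenegar.com"
    res = probe(host)
    for name, r in res.items():
        print(name, r)
    print("rustls could connect:", diagnose(res))
```

If both pinned handshakes return None the server is resetting before TLS even completes, which points at something other than cipher selection (a middlebox or ClientHello handling), whereas a completed TLS 1.2 handshake on a non-ECDHE or CBC suite is exactly the "obsolete configuration" case.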
@erfanium If openssl, Chrome, and Firefox work with this site, maybe the issue is in rustls. Maybe opening an issue there to see what is going on would help.
@lucacasonato I will definitely do that, but it might not be bad for Deno to support both rustls and openssl, because reqwest supports them as well. It's very easy to add this feature.
It's not actually very easy - we use rustls extensively outside of reqwest, e.g. Deno.connectTls(), Deno.listenTls(), the WebSocket API. Also we have rustls-specific code everywhere we use certificates. Also, adding a feature flag for openssl would double the time tests need to run, because all tests need to work in rustls and openssl.
@lucacasonato
Unfortunately rustls has poor support for semi-old protocols (compared to similar ones): https://github.com/ctz/rustls#non-features. What's Deno's view on this issue? Does Deno ever have a plan to support these?
There is a reason they do not support these protocols. From the rustls README:
The following things are broken, obsolete, badly designed, underspecified, dangerous and/or insane.
I think it is a good idea to not support broken security protocols. People should just update their servers to support more secure protocols. We collectively managed to do this with TLS1.0 and TLS1.1, so we should be capable of doing this with other features too.
I also agree that we should not be keen on supporting _broken, obsolete, badly designed, underspecified, dangerous and/or insane_ security protocols. Thanks for raising the issue, but I am going to close it, as it would be challenging to allow replacement of rustls and generally unaligned with some of the Deno objectives. Based on that I am going to close for now.