Support TLS v1.3 on all platforms #229
Hywan merged 1 commit into matrix-org:main from Mar 10, 2026
@mgoldenberg: Thanks for your PR!
Hywan approved these changes Mar 9, 2026

Hywan (Member) left a comment:
There we go! Can you resolve the conflict please?
Signed-off-by: Michael Goldenberg <m@mgoldenberg.net>
5d487df to 460a6e9
Hywan pushed a commit to matrix-org/matrix-rust-sdk that referenced this pull request Mar 10, 2026
**Note:** _this pull request has a companion pull request in the [`complement-crypto`](matrix-org/complement-crypto#229) repository, which must be merged in conjunction with this one._

_Before merging, this should be tested in conjunction with the Element X iOS client to ensure that TLS v1.3 is working properly._ @stefanceriu has agreed to work on this.

## Overview

The primary change in this pull request upgrades the `reqwest` dependency to its latest version, which defaults to using `rustls` with support for `rustls-platform-verifier` instead of `native-tls` (see [`reqwest@0.13.0`](https://github.com/seanmonstar/reqwest/releases/tag/v0.13.0)). The benefit here is that `rustls` supports TLS v1.3 on all platforms, whereas [`native-tls` does not](rust-native-tls/rust-native-tls#278).

Additionally, this pull request makes `rustls` the default TLS implementation in all the crates in this repository.

This will be particularly helpful with element-hq/element-x-ios#786.

## Changes

- `reqwest` bumped to `0.13.1`
  - The API for adding/replacing certificates has changed a bit, so this required some updating in `HttpSettings::make_client`
- `oauth2-reqwest` added in favor of `oauth2/reqwest`
  - This is required in order to be compatible with `reqwest^0.13`
  - _**`oauth2-reqwest` is currently in alpha release, so it probably makes sense to let this stabilize a bit.**_ For details, see ramosbugs/oauth2-rs#333 (comment).
- `getrandom` bumped to `0.3.4`
  - This is required in order to be compatible with `oauth2@5.1.0`
- `proptest` bumped to `1.9.0`
  - This is required in order to be compatible with `getrandom@0.3.4`
- Make `rustls` the default TLS implementation

## Questions

### Mirror feature flag names?

A number of feature flags have been replaced in the dependencies above.

1. _**`reqwest/rustls-tls` => `reqwest/rustls`**_ - this is simply a name change, but is semantically identical (see [`reqwest@0.13.0`](https://github.com/seanmonstar/reqwest/releases/tag/v0.13.0)).
2. _**`getrandom/js` => `getrandom/wasm_js`**_ - the semantics here have changed slightly, but it seems to just make it easier to enable the `wasm_js` backend (see [`getrandom@0.3.4`](https://github.com/rust-random/getrandom/blob/master/CHANGELOG.md#major-change-to-wasm_js-backend)).

At any rate, I have updated references to these flags in each of the various `Cargo.toml` files, but have not changed the names of our exposed features to mimic those in the dependencies. Any thoughts or preferences on whether to mirror those names? That would, of course, result in a breaking change.

### Default to using `rustls`? Deprecate `native-tls`?

Now that the dependencies have all been bumped, we can use `rustls` on all platforms. Should this be the new default given that `native-tls` will very likely never support TLS v1.3 on Apple devices? And should `native-tls` be deprecated as a result?

**UPDATE:** _The consensus here seems to be that we should default to using `rustls`, but that `native-tls` should still be available._

---

Fixes #5800.

- [ ] Public API changes documented in changelogs (optional)

Signed-off-by: Michael Goldenberg <m@mgoldenberg.net>

---------

Signed-off-by: Michael Goldenberg <m@mgoldenberg.net>
This is a companion pull request to matrix-org/matrix-rust-sdk#6053, which makes `rustls` the default TLS implementation for the `matrix-rust-sdk`. The benefit here is that `rustls` supports TLS v1.3 on all platforms, whereas `native-tls` does not.