chore: update openssl and openssl-sys in Cargo.toml, update Cargo.lock #466

Merged: wprzytula merged 1 commit into scylladb:master from MaikeR-TV:update-openssl-crates on May 29, 2026

@MaikeR-TV
Contributor

We want to update our OpenSSL to v4 (new API, no deprecations) and this requires newer versions for the rust openssl and openssl-sys crates.

Fixes: Cannot build driver with OpenSSL 4 (new API, no deprecations)

  • I have split my patch into logically separate commits.
  • All commit messages clearly explain what they change and why.
  • PR description sums up the changes and reasons why they should be introduced.
  • I have implemented Rust unit tests for the features/changes introduced.
  • I have enabled appropriate tests in Makefile in {SCYLLA,CASSANDRA}_(NO_VALGRIND_)TEST_FILTER.
  • I added appropriate Fixes: annotations to PR description.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • scylla-rust-wrapper/Cargo.lock is excluded by !**/*.lock

Walkthrough

This PR updates two OpenSSL-related dependencies in scylla-rust-wrapper/Cargo.toml. The openssl-sys crate is bumped from version 0.9.75 to 0.9.114, and the openssl crate is bumped from 0.10.32 to 0.10.78. No other manifest entries, features, or configuration sections are altered.

🚥 Pre-merge checks: ✅ 5 passed

  • Title check: ✅ Passed. The title accurately describes the main change: updating OpenSSL-related dependencies in Cargo.toml and Cargo.lock.
  • Description check: ✅ Passed. The description covers the reason for changes (OpenSSL 4 support) and includes a Fixes annotation, but lacks detail on testing approach and rationale for the specific version bumps.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Comment thread scylla-rust-wrapper/Cargo.toml Outdated
Comment on lines +28 to +29
openssl-sys = "0.9.75"
openssl = "0.10.32"
openssl-sys = "0.9.114"
openssl = "0.10.78"
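Review bot: the new requirement lines (openssl-sys = "0.9.114", openssl = "0.10.78") raise the manifest's lower bounds with nothing in Cargo.toml recording why. A bare version string is a caret requirement, so this becomes the minimum for every consumer of the wrapper, not only for builds against OpenSSL 4. If the raise is intended, add a comment beside these two lines naming OpenSSL 4 as the reason; if not, keep the old bounds and carry the newer versions in Cargo.lock only.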
Contributor

❓ Is there any reason to bump versions here?

Cargo.toml specifies minimal versions of dependencies, while Cargo.lock chooses the actual used versions. As you can see, we already used newer versions (openssl 0.10.75, openssl-sys 0.9.111) than Cargo.toml specified (openssl 0.10.32, openssl-sys 0.9.75).

Contributor Author

From our research, the minimal version of openssl is openssl-v0.10.78, and for openssl-sys it's openssl-sys-v0.9.114, in order to support OpenSSL 4.
So the minimal version in this Cargo.toml should reflect that.

Contributor

I'm not opposed. I was just curious why update the Cargo.toml for that, when a Cargo.lock update would achieve the same.

Contributor

Cargo.toml should, in general, specify the lowest viable dependency versions for the application to work correctly; Cargo.lock should specify the actual used versions.

Now, there may be users that want to use an older openssl crate in their driver build. For that, they'll specify a lower dep version in the Cargo.lock; they know they can safely do that as long as Cargo.toml allows for that.
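
The split described in this thread, as an added example that is not part of the PR or the project's code: it reads a Cargo.lock, checks the locked version against the manifest's caret requirement, and then against the floor the PR author reports for OpenSSL 4. The lockfile strings are constructed, and `audit`, `caret_matches`, `locked_version` and `Verdict` are hypothetical names.

```rust
// Added example. The lockfile text is constructed sample input in Cargo.lock's
// [[package]] layout; the version numbers are the ones quoted in the thread.
const LOCK_BEFORE: &str = "[[package]]\nname = \"openssl\"\nversion = \"0.10.75\"\n\n[[package]]\nname = \"openssl-sys\"\nversion = \"0.9.111\"\n";
const LOCK_AFTER: &str = "[[package]]\nname = \"openssl\"\nversion = \"0.10.78\"\n\n[[package]]\nname = \"openssl-sys\"\nversion = \"0.9.114\"\n";
type Version = (u64, u64, u64);
#[derive(Debug, PartialEq)]
enum Verdict { Unknown, ViolatesManifest, BelowFloor, Pass }

/// Parse a plain "MAJOR.MINOR.PATCH" string; anything else yields None.
fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

/// Cargo's default (caret) requirement: at least `req`, below the next incompatible release.
fn caret_matches(req: Version, v: Version) -> bool {
    let compatible = if req.0 > 0 { v.0 == req.0 }
        else if req.1 > 0 { v.0 == 0 && v.1 == req.1 }
        else { v == req };
    compatible && v >= req
}

/// Version of the first [[package]] entry named `krate` in the lockfile text.
fn locked_version(lock: &str, krate: &str) -> Option<Version> {
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            in_target = name.trim_matches('"') == krate;
        } else if let (true, Some(v)) = (in_target, line.strip_prefix("version = ")) {
            return parse_version(v.trim_matches('"'));
        }
    }
    None
}

/// Compare the locked version with the manifest requirement and a deployment floor.
fn audit(lock: &str, krate: &str, manifest_req: Version, floor: Version) -> Verdict {
    match locked_version(lock, krate) {
        None => Verdict::Unknown,
        Some(v) if !caret_matches(manifest_req, v) => Verdict::ViolatesManifest,
        Some(v) if v < floor => Verdict::BelowFloor,
        Some(_) => Verdict::Pass,
    }
}

fn main() {
    println!("{:?}", audit(LOCK_BEFORE, "openssl", (0, 10, 32), (0, 10, 78)));
    println!("{:?}", audit(LOCK_AFTER, "openssl", (0, 10, 32), (0, 10, 78)));
}
```

With the old manifest bound the earlier lockfile is valid for Cargo yet below the OpenSSL 4 floor, which is the gap a lockfile-only update closes.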

Contributor

@MaikeR-TV WDYT?

Contributor Author

I was wondering about the failing checks on the PR build.

You're suggesting to only update the lock file with this merge request and leave the toml as the update is not necessary in general, depending on the OpenSSL version that consumers use?
I can update the PR.

Contributor

> I was wondering about the failing checks on the PR build.

They are unrelated to this PR, I'm working on fixing them.

> You're suggesting to only update the lock file with this merge request and leave the toml as the update is not necessary in general, depending on the OpenSSL version that consumers use? I can update the PR.

Indeed. Please update it.

The updated openssl and openssl-sys crates are necessary to support OpenSSL 4.
MaikeR-TV force-pushed the update-openssl-crates branch from 9674b94 to 03049bb on May 29, 2026 08:29
wprzytula merged commit 8320885 into scylladb:master on May 29, 2026
6 of 9 checks passed