refactor(server): migrate to rustls 0.23 and centralize TLS logic (#1389)

This commit upgrades the TLS stack to Rustls 0.23 Key changes: - Dependencies: Updated 'rustls' (v0.23), 'tokio-rustls' (v0.26), and 'actix-web' (v4.12.1). - Build Fix: Configured 'rustls' to use the 'ring' provider (disabling default 'aws-lc-rs') to ensure ARMv7 compatibility. - Refactor: Created 'server/src/tls.rs' to handle certificate loading (DRY). - LDAP: Updated 'ldap_server.rs' to use the new TLS module and Rustls APIs. - Healthcheck: Updated 'healthcheck.rs' to use Rustls 0.23 types.
2026-03-31 15:07:48 +01:00 · 2026-01-31 09:47:11 +01:00
parent d1904a2759
commit 6f94134fdc
7 changed files with 195 additions and 150 deletions
@@ -76,6 +76,7 @@ dependencies = [
 "actix-codec",
 "actix-rt",
 "actix-service",
+ "actix-tls",
 "actix-utils",
 "base64 0.22.1",
 "bitflags 2.10.0",
@@ -181,11 +182,11 @@ dependencies = [
 "futures-core",
 "impl-more",
 "pin-project-lite",
+ "rustls-pki-types",
 "tokio",
- "tokio-rustls 0.23.4",
+ "tokio-rustls 0.26.4",
 "tokio-util",
 "tracing",
- "webpki-roots 0.22.6",
 ]

 [[package]]
@@ -211,6 +212,7 @@ dependencies = [
 "actix-rt",
 "actix-server",
 "actix-service",
+ "actix-tls",
 "actix-utils",
 "actix-web-codegen",
 "bytes",
@@ -530,6 +532,28 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

+[[package]]
+name = "aws-lc-rs"
+version = "1.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b7b6141e96a8c160799cc2d5adecd5cbbe5054cb8c7c4af53da0f83bb7ad256"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.37.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c34dda4df7017c8db52132f0f8a2e0f8161649d15723ed63fc00c82d0f2081a"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
 [[package]]
 name = "backtrace"
 version = "0.3.76"
@@ -788,6 +812,15 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d"

+[[package]]
+name = "cmake"
+version = "0.1.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "color_quant"
 version = "1.1.0"
@@ -1284,6 +1317,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"

+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -1487,6 +1526,12 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "28dd6caf6059519a65843af8fe2a3ae298b14b80179855aeb4adc2c1934ee619"

+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "fslock"
 version = "0.2.1"
@@ -2700,7 +2745,7 @@ dependencies = [
 "once_cell",
 "quoted_printable",
 "rustls 0.21.12",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
 "serde",
 "socket2 0.4.10",
 "tokio",
@@ -2814,8 +2859,9 @@ dependencies = [
 "rand 0.8.5",
 "rand_chacha 0.3.1",
 "reqwest 0.11.27",
- "rustls 0.20.9",
- "rustls-pemfile",
+ "rustls 0.23.35",
+ "rustls-pemfile 2.2.0",
+ "rustls-pki-types",
 "sea-orm",
 "secstr",
 "serde",
@@ -2826,7 +2872,7 @@ dependencies = [
 "thiserror 2.0.17",
 "time",
 "tokio",
- "tokio-rustls 0.23.4",
+ "tokio-rustls 0.26.4",
 "tokio-stream",
 "tokio-util",
 "tracing",
@@ -2838,7 +2884,7 @@ dependencies = [
 "url",
 "urlencoding",
 "uuid 1.19.0",
- "webpki-roots 0.22.6",
+ "webpki-roots 0.26.11",
 ]

 [[package]]
@@ -4066,7 +4112,7 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "rustls 0.21.12",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
 "serde",
 "serde_json",
 "serde_urlencoded",
@@ -4233,18 +4279,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "rustls"
-version = "0.20.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99"
-dependencies = [
- "log",
- "ring 0.16.20",
- "sct",
- "webpki",
-]
-
 [[package]]
 name = "rustls"
 version = "0.21.12"
@@ -4263,6 +4297,7 @@ version = "0.23.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
 dependencies = [
+ "aws-lc-rs",
 "log",
 "once_cell",
 "ring 0.17.14",
@@ -4293,6 +4328,15 @@ dependencies = [
 "base64 0.21.7",
 ]

+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "rustls-pki-types"
 version = "1.13.2"
@@ -4329,6 +4373,7 @@ version = "0.103.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52"
 dependencies = [
+ "aws-lc-rs",
 "ring 0.17.14",
 "rustls-pki-types",
 "untrusted 0.9.0",
@@ -5297,17 +5342,6 @@ dependencies = [
 "syn 2.0.111",
 ]

-[[package]]
-name = "tokio-rustls"
-version = "0.23.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59"
-dependencies = [
- "rustls 0.20.9",
- "tokio",
- "webpki",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.24.1"
@@ -5880,25 +5914,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "webpki"
-version = "0.22.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53"
-dependencies = [
- "ring 0.17.14",
- "untrusted 0.9.0",
-]
-
-[[package]]
-name = "webpki-roots"
-version = "0.22.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87"
-dependencies = [
- "webpki",
-]
-
 [[package]]
 name = "webpki-roots"
 version = "0.23.1"