
refactor!: consolidate rustls forks via [patch.crates-io]#1395

Merged: ibigbug merged 3 commits into master from bump-rustls-ver on May 11, 2026

Conversation

@ibigbug

@ibigbug ibigbug commented May 11, 2026

Member

Breaking Change

Removes watfaq-rustls and tokio-watfaq-rustls git dependencies in favour of patching crates-io rustls and tokio-rustls with the Watfaq forks via [patch.crates-io].

This means there is now a single rustls instance in the binary — no more duplicate global crypto provider state.

Changes

  • Add [patch.crates-io] for rustls: Watfaq/rustls@watfaq/0.23.40
  • Add [patch.crates-io] for tokio-rustls: Watfaq/tokio-rustls@watfaq/0.26.4
  • Replace all watfaq_rustls:: / tokio_watfaq_rustls:: imports with rustls:: / tokio_rustls::
  • Remove duplicate crypto provider install_default() call in lib.rs (no longer two separate rustls copies)
  • Restore watfaq-dns/aws-lc-rs and watfaq-dns/ring feature forwards accidentally dropped in previous commit

Fork branches

Both fork branches are clean — created directly from the upstream release tag with only the custom patches applied (0 commits behind, minimal ahead):

Fork                  Branch           Custom changes
Watfaq/rustls         watfaq/0.23.40   Reality protocol + new_with_session_id_generator
Watfaq/tokio-rustls   watfaq/0.26.4    connect_with_session_id_generator for Shadow-TLS V3

@coderabbitai

coderabbitai Bot commented May 11, 2026

Contributor

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d678020c-6476-4cd6-a022-e984cb8581ac

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Cargo overrides for rustls/tokio-rustls are added; clash-lib feature flags are adjusted. Code switches TLS types and connectors from watfaq_rustls/tokio_watfaq_rustls to rustls/tokio_rustls, updates root-store sourcing, and narrows the ring crypto-provider installation.

Changes

TLS migration and Cargo overrides

Layer (file): Summary
  • Cargo patch overrides (Cargo.toml): Adds [patch.crates-io] entries to source rustls and tokio-rustls from specific Git branches.
  • Feature flag wiring (clash-lib/Cargo.toml): Replaces watfaq-rustls/aws-lc-rs and watfaq-rustls/ring with watfaq-dns/aws-lc-rs and watfaq-dns/ring in the features lists.
  • shadow-tls pins (clash-lib/Cargo.toml): Updates git rev pins for tokio-watfaq-rustls and watfaq-rustls in the shadow-tls dependency section.
  • Crypto provider install (clash-lib/src/lib.rs): Under #[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))] only rustls::crypto::ring::default_provider() is installed.
  • Shadow TLS connector & root-store (clash-lib/src/proxy/transport/shadow_tls/mod.rs): Switches to tokio_rustls/rustls types, builds ServerName with rustls::pki_types::ServerName, uses connect_with_session_id_generator, and loads roots from GLOBAL_ROOT_STORE.
  • Reality transport imports (clash-lib/src/proxy/transport/reality.rs): Imports replaced to use rustls/tokio_rustls types for TLS connection construction.
  • Splice TLS type alias (clash-lib/src/proxy/transport/splice_tls.rs): RealityTlsStream alias updated to tokio_rustls::client::TlsStream<AnyStream>.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A small hop from crate to crate,
Rustls now stands at the gate.
Patches set and imports lean,
Roots shared, and code kept clean.
A happy rabbit bakes a crate!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: consolidating rustls forks via the [patch.crates-io] mechanism, which is evident from both the Cargo.toml patch section addition and the systematic replacement of watfaq_rustls with rustls throughout the codebase.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
clash-lib/src/proxy/transport/reality.rs (1)

18-20: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider sharing the root store with the rest of the crate.

Now that this file uses the same rustls::RootCertStore as shadow_tls/mod.rs, the local init_roots() + per-Client OnceLock<Arc<RootCertStore>> duplicates what crate::common::tls::GLOBAL_ROOT_STORE already provides. Consolidating would remove DRY drift, save the per-instance allocation, and ensure a single source of truth for trusted roots across TLS transports.

♻️ Sketch
-use rustls::{
-    ClientConfig, RootCertStore, client::RealityConfig, pki_types::ServerName,
-};
+use rustls::{ClientConfig, client::RealityConfig, pki_types::ServerName};
 use tokio_rustls::{TlsConnector, client::TlsStream};

 use std::{
     io,
     ops::Deref,
-    sync::{Arc, OnceLock, atomic::AtomicBool},
+    sync::{Arc, atomic::AtomicBool},
 };

-use crate::proxy::{
-    AnyStream,
-    transport::{Transport, VisionOptions, splice_tls::SplicableTlsStream},
-};
-
-fn init_roots() -> Arc<RootCertStore> {
-    Arc::new(webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect())
-}
+use crate::{
+    common::tls::GLOBAL_ROOT_STORE,
+    proxy::{
+        AnyStream,
+        transport::{Transport, VisionOptions, splice_tls::SplicableTlsStream},
+    },
+};
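Review bot: this hunk drops `RootCertStore` from the `use rustls::{...}` line and `OnceLock` from `use std::sync::{...}`, yet the `roots: OnceLock<Arc<RootCertStore>>` field on ClientInner is only mentioned as a follow-up in the prose below the sketch, so applied as-is the file will not compile until that field is removed in the same change. Suggest folding the field removal into the sketch, and dropping the `webpki_roots` dependency from this file if nothing else uses it now that `init_roots()` is gone.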
@@
-        let tls_config = ClientConfig::builder()
-            .with_root_certificates(self.roots.get_or_init(init_roots).clone())
-            .with_reality(reality)
-            .with_no_client_auth();
+        let tls_config = ClientConfig::builder()
+            .with_root_certificates(GLOBAL_ROOT_STORE.clone())
+            .with_reality(reality)
+            .with_no_client_auth();
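Review bot: replacing `self.roots.get_or_init(init_roots).clone()` with `GLOBAL_ROOT_STORE.clone()` changes which trust anchors the Reality transport verifies against: the removed `init_roots()` built its store from `webpki_roots::TLS_SERVER_ROOTS` only, while the contents and type of GLOBAL_ROOT_STORE are not visible in this hunk. Before consolidating, confirm the global store is populated from the same root set (or that any additional anchors it carries are intended for this transport) and that its type satisfies `with_root_certificates`'s `Into<Arc<RootCertStore>>` bound so the `.clone()` is not a deep copy.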

The roots: OnceLock<Arc<RootCertStore>> field on ClientInner can then be removed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@clash-lib/src/proxy/transport/reality.rs` around lines 18 - 20, The local
init_roots() and the per-Client OnceLock<Arc<RootCertStore>> duplicate the
crate-wide ROOT store; replace uses of init_roots() and the ClientInner field
roots: OnceLock<Arc<RootCertStore>> with the shared
crate::common::tls::GLOBAL_ROOT_STORE (clone the Arc where needed), remove the
init_roots() function and the roots field from ClientInner, and update any
client construction or TLS setup code to fetch GLOBAL_ROOT_STORE.clone() so all
transports use the single global RootCertStore.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 98ea0b6e-9ce7-474e-9176-443226d21da7

📥 Commits

Reviewing files that changed from the base of the PR and between a7f0d45 and 7b81113.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • Cargo.toml
  • clash-lib/Cargo.toml
  • clash-lib/src/lib.rs
  • clash-lib/src/proxy/transport/reality.rs
  • clash-lib/src/proxy/transport/shadow_tls/mod.rs
  • clash-lib/src/proxy/transport/splice_tls.rs
💤 Files with no reviewable changes (1)
  • clash-lib/src/lib.rs

Comment thread Cargo.toml
Comment on lines +48 to +50
[patch.crates-io]
rustls = { git = "https://github.com/Watfaq/rustls.git", branch = "watfaq/0.23.40" }
tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", branch = "watfaq/0.26.4" }


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "--- Watfaq/rustls @ watfaq/0.23.40 ---"
git ls-remote https://github.com/Watfaq/rustls.git refs/heads/watfaq/0.23.40
echo "--- Watfaq/tokio-rustls @ watfaq/0.26.4 ---"
git ls-remote https://github.com/Watfaq/tokio-rustls.git refs/heads/watfaq/0.26.4

Repository: Watfaq/clash-rs

Length of output: 275


🏁 Script executed:

# First, verify the root Cargo.toml has the patch section mentioned
cat -n Cargo.toml | sed -n '45,55p'

Repository: Watfaq/clash-rs

Length of output: 352


🏁 Script executed:

# Find and examine clash-lib/Cargo.toml for git dependencies
# (find(1) syntax; the original invocation passed find-style -name/-path flags to fd, which fd does not accept)
find . -name "Cargo.toml" -path "*/clash-lib/*"

Repository: Watfaq/clash-rs

Length of output: 290


🏁 Script executed:

# Search for all git dependencies in Cargo.toml files to verify the pattern
rg "git = " --type toml -B1 -A1

Repository: Watfaq/clash-rs

Length of output: 3035


Pin patched rustls/tokio-rustls to specific commits, not branches.

Using branch = makes cargo update (or a fresh Cargo.lock) silently follow whatever the branch tip becomes, and the branch can be force-pushed or rewritten in the fork. The workspace predominantly pins git dependencies to rev = (e.g. shadowsocks-rust, boring-noise, smoltcp, shadowquic, unix-udp-sock, sock2proc) — patches replacing core TLS crates should follow this pattern.

🔒 Suggested change: pin to commit SHAs
 [patch.crates-io]
-rustls = { git = "https://github.com/Watfaq/rustls.git", branch = "watfaq/0.23.40" }
-tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", branch = "watfaq/0.26.4" }
+rustls = { git = "https://github.com/Watfaq/rustls.git", rev = "8211697ce28686d72c92c2fc4b440b7ffc9a3ee3" }
+tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", rev = "b26e3e2b7a0161d505fd12d6e545b16463f1a45f" }
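Review bot: the two `rev =` SHAs in the `+` lines are presented without the `git ls-remote` output that would tie them to the current heads of `watfaq/0.23.40` and `watfaq/0.26.4`, so whoever applies this should check that each rev matches the commit the branch already resolves to in Cargo.lock, and consider keeping the branch name as a trailing comment on each line so the intended upstream release stays readable. Note also that `rev =` only makes the patched rustls/tokio-rustls commits explicit in the manifest rather than solely in the lockfile; it does not stop `cargo update` from re-resolving other crates.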
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
[patch.crates-io]
rustls = { git = "https://github.com/Watfaq/rustls.git", branch = "watfaq/0.23.40" }
tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", branch = "watfaq/0.26.4" }
[patch.crates-io]
rustls = { git = "https://github.com/Watfaq/rustls.git", rev = "8211697ce28686d72c92c2fc4b440b7ffc9a3ee3" }
tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", rev = "b26e3e2b7a0161d505fd12d6e545b16463f1a45f" }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Cargo.toml` around lines 48 - 50, The Cargo.toml patch entries for rustls and
tokio-rustls currently use branch= which tracks moving tips; change them to pin
specific commit SHAs by replacing branch = "watfaq/0.23.40" and branch =
"watfaq/0.26.4" with rev = "<commit-sha>" for the corresponding commits in the
Watfaq forks (update both rustls and tokio-rustls entries), ensuring you pick
the exact commit SHAs you want to lock to and run cargo update to refresh
Cargo.lock.
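A lockfile audit for the two conditions this PR is about, the duplicate rustls copies the description says are now gone and the branch-tracked git patch this comment flags, as an added example that is not part of the PR or the clash-rs code base; the Cargo.lock excerpt is constructed, and FORK_ALIASES is an assumed mapping of fork crate names to the upstream crates they duplicate:

```python
import re

# Constructed Cargo.lock excerpt (not the clash-rs lockfile): upstream rustls and a
# renamed fork both resolved (two copies of the crate), plus a branch-tracked patch.
SAMPLE_LOCK = """\
[[package]]
name = "rustls"
version = "0.23.30"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "watfaq-rustls"
version = "0.23.40"
source = "git+https://github.com/Watfaq/rustls.git?branch=watfaq/0.23.40#8211697ce28686d72c92c2fc4b440b7ffc9a3ee3"

[[package]]
name = "tokio-rustls"
version = "0.26.4"
source = "git+https://github.com/Watfaq/tokio-rustls.git?rev=b26e3e2b7a0161d505fd12d6e545b16463f1a45f#b26e3e2b7a0161d505fd12d6e545b16463f1a45f"
"""

# Assumed mapping: fork crate name -> the upstream crate it is a copy of.
FORK_ALIASES = {"watfaq-rustls": "rustls", "tokio-watfaq-rustls": "tokio-rustls"}
KV = re.compile(r'^([A-Za-z_]+) = "([^"]*)"$')  # string fields only; array lines never match

def parse_lock(text):
    packages, current = [], None
    for line in text.splitlines():
        if line.strip() == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):  # any other table, e.g. [metadata]: stop collecting
            current = None
        elif current is not None and (m := KV.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def duplicate_instances(packages, aliases=FORK_ALIASES):
    """Upstream crate -> every (name, version) that links a separate copy of it."""
    copies = {}
    for p in packages:
        copies.setdefault(aliases.get(p["name"], p["name"]), []).append((p["name"], p["version"]))
    return {crate: v for crate, v in copies.items() if len(v) > 1}

def branch_tracked_git_sources(packages):
    """Git sources selected by branch, tag or HEAD rather than an explicit rev."""
    flagged = []
    for p in packages:
        src = p.get("source", "")
        if src.startswith("git+"):
            query = src.split("#", 1)[0].partition("?")[2]  # e.g. branch=..., rev=...
            if not query.startswith("rev="):
                flagged.append((p["name"], query or "HEAD"))
    return flagged
```

Run against a real Cargo.lock, an empty result from both functions is the state the PR description claims: one copy of each TLS crate, every git patch pinned to a commit.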

@ibigbug ibigbug changed the title build: bump rustls fork ver refactor!: consolidate rustls forks via [patch.crates-io] May 11, 2026
@github-actions

github-actions Bot commented May 11, 2026

Contributor

📊 Proxy Throughput Results

Shadowsocks

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain 32 MB 3 16322.7 ±1277.4 16338.7 ±131.2
obfs-http 32 MB 3 16001.9 ±1635.9 13749.2 ±1023.1
obfs-tls 32 MB 3 16585.3 ±983.0 12944.7 ±2132.3
shadow-tls-v3 32 MB 3 10091.8 ±2984.8 12217.7 ±2498.1
v2ray-plugin-ws-tls 32 MB 3 16074.7 ±1040.4 14488.6 ±1966.1

Trojan

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
tcp 32 MB 3 8430.0 ±6452.2 13349.0 ±2492.5
ws 32 MB 3 14144.1 ±1371.7 12054.7 ±6.8
grpc 32 MB 3 13890.0 ±2158.0 12436.7 ±954.9

VMess

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
tcp 32 MB 3 13365.1 ±2924.1 11434.7 ±3045.9
tcp-tls 32 MB 3 16282.5 ±868.4 16558.6 ±2002.9
ws 32 MB 3 15302.2 ±2169.2 15459.5 ±1207.9
h2 32 MB 3 12901.9 ±8201.4 11849.5 ±2856.1
grpc 32 MB 3 17138.1 ±1393.8 16650.7 ±3117.9

VLESS

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
tcp 32 MB 3 13666.4 ±1361.0 12578.8 ±2345.8
ws 32 MB 3 13307.3 ±1144.8 11322.7 ±872.1
h2 32 MB 3 14354.8 ±588.9 12892.3 ±1728.9
grpc 32 MB 3 17844.6 ±822.3 16755.8 ±245.0

SOCKS5

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
auth 32 MB 3 12928.7 ±1154.0 13388.8 ±772.5
noauth 32 MB 3 10009.1 ±1152.6 9060.8 ±2319.1

AnyTLS

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
tls 32 MB 3 9176.9 ±2464.5 9291.0 ±1956.4

Hysteria2

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain 32 MB 3 14034.2 ±749.6 13276.5 ±376.4
salamander 32 MB 3 1153.7 ±6815.5 12270.9 ±2368.1

TUIC

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
bbr 32 MB 3 14843.0 ±8325.3 11256.4 ±1106.0
cubic 32 MB 3 17276.2 ±1569.1 16702.9 ±1872.2
new_reno 32 MB 3 13821.8 ±2063.9 12180.0 ±544.1

ShadowQUIC

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain 32 MB 3 14584.1 ±2585.8 11478.8 ±1684.1
over-stream 32 MB 3 15917.7 ±831.9 14150.3 ±2019.8

SSH

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
password 32 MB 3 10686.7 ±1587.9 14032.0 ±1648.3
ed25519 32 MB 3 10330.4 ±1577.8 7794.9 ±4283.8

Netem Tests (50 ms delay, 1% packet loss)

Shadowsocks

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain-netem 32 MB 3 17403.8 ±2682.1 14024.8 ±2105.5

Trojan

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
tcp-netem 32 MB 3 13488.2 ±1942.9 12310.9 ±46.8

Hysteria2

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain-netem 32 MB 3 16141.0 ±2123.2 15298.4 ±1289.5

TUIC

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
bbr-netem 32 MB 3 11957.7 ±7951.5 16733.1 ±3510.5

ShadowQUIC

Transport Payload Runs Upload Mbps (±σ) Download Mbps (±σ)
plain-netem 32 MB 3 17164.4 ±1223.4 13648.3 ±1686.4

Ran 34 variant(s) in parallel; each direction transfers the full payload.

🖥️ Test Environment

OS Linux 6.17.0-1010-azure
Architecture x86_64
Kernel 6.17.0-1010-azure
CPU AMD EPYC 7763 64-Core Processor
CPU Cores 4
Memory 15.61 GB
Docker 28.0.4
Rust rustc 1.95.0 (59807616e 2026-04-14)

📎 View full workflow run and download artifacts

Full test log

Download the throughput-results artifact from the workflow run for the full log.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@codecov

codecov Bot commented May 11, 2026


Codecov Report

❌ Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
clash-lib/src/proxy/transport/shadow_tls/mod.rs 88.88% 0 Missing and 1 partial ⚠️


@ibigbug ibigbug merged commit 48e910c into master May 11, 2026
37 of 40 checks passed
@ibigbug ibigbug deleted the bump-rustls-ver branch May 11, 2026 17:09