Bump Rustls to 0.20 for v4.0.0 release

[edward-shen]

Hey actix team!

Rustls is near approaching a 0.20 release (with two betas already released), which has significant breaking changes. Since actix is also close to releasing a major version release as well, I thought It was worth requesting if actix can update its dependency for Rustls to 0.20 before the 4.0.0 release is made.

As for reasons why actix should consider using Rustls 0.20 to begin with:

• Obligatory mention of "standard best practice" to keep security libraries up to date in general.
• If Re-export rustls when feature is enabled #2054 is implemented for v4 (which appears to be on the roadmap), then updating Rustls to 0.20 after a 4.0.0 release is cut would require a major version increment as the API changes are not backwards compatible.
• No major breaking changes are envisioned after the 0.20 release, so updating this dependency before 4.0.0 is released is perfect timing.
• There's an huge performance benefit for actix-web servers using runtime-selected certificates that removes a clone operation on a cert chain for every TLS connection, which I've personally run into. Unfortunately, without an dependency update to 0.20, this isn't resolvable by an end user from my investigation.

I'd be happy to try and create a PR for this as well since I'm advocating for this change, if the actix team deems this a good idea but does not have the time to implement it.

Thanks for your consideration.

[edward-shen]

I did a quick investigation on whether or not it was an easy increment or not:

• Looks like there's 4 usages of rustls in actix-web, awc, actix-test, and actix-http.
• All seem to work fine with a version bump, except actix-test; this issue propagates upward to testing actix-web (cargo c --all-features works well, cargo t --all-features does not)
• actix-test has a dependency on actix-http, and while actix-http is fine with a version bump, actix-test hits a path that instead uses actix-tls, which indirectly depends on Rustls. (Should an issue be filed in the actix-net repo?)
• actix-tls seem to depend on tokio-rustls, which itself has a PR for moving towards 0.20 Rustls: [DRAFT] update tokio-rustls to rustls 0.20.x tokio-rs/tls#64 as well as an active collaborator fork working on 0.20, quininer/tls.

So actionables/a timeline for implementing this feature would probably be:

• (Wait for Rustls 0.20 to release or accept a beta version)
• Bump direct Rustls dependencies in actix-web, awc, actix-test, and actix-http.
• Push or wait for tokio-rustls to use Rustls 0.20.
• Bump actix-http to use a new tokio-rustls version that uses Rustls 0.20.
• Resolve any API changes that bubble up.

[edward-shen]

Update: As of a few hours ago, Rustls 0.20 has been released.

The work on migrating tokio-rustls to use 0.20 is still on going, but it looks like there's active movement towards that.

At this point in time, work could probably be started. Not sure if the team wants to do it, if I should work on it, or if we should wait for tokio-rustls to support 0.20 before starting work. Opinions?

[edward-shen]

Heads up: I've started a PR to orchestrate work on this.