Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FreeBSD CI failure possibly caused by rustls-platform-verifier #3908

Closed
rami3l opened this issue Jun 25, 2024 · 6 comments
Closed

FreeBSD CI failure possibly caused by rustls-platform-verifier #3908

rami3l opened this issue Jun 25, 2024 · 6 comments
Labels
bug not-rustup Whatever is described in this issue isn't Rustup's fault
Milestone

Comments

@rami3l
Copy link
Member

rami3l commented Jun 25, 2024

@djc Unfortunately, #3903 has seemingly broken our FreeBSD CI:

error: could not download file from 'https://static.rust-lang.org/rustup/release-stable.toml' to '/tmp/rustup-update68roIr/release-stable.toml': failed to make network request: error sending request for url (https://static.rust-lang.org/rustup/release-stable.toml): client error (Connect): received fatal alert: DecodeError

I have completely no idea why that is the case. Doesn't look like a network problem either: a few minutes ago there was another FreeBSD test and it passed; a few minutes later there was a third FreeBSD test and it failed.

I'm not sure what this DecodeError is. Could it be X.509-related?

@rami3l rami3l added the bug label Jun 25, 2024
@rami3l rami3l added this to the 1.28.0 milestone Jun 25, 2024
@rami3l
Copy link
Member Author

rami3l commented Jun 25, 2024

I guess that would be because of rustls/rustls-native-certs#28. Apparently somehow we were previously pulling in webpki-roots (perhaps in addition rustls-native-certs)?

Originally posted by @djc in #3903 (comment)

@rami3l
Copy link
Member Author

rami3l commented Jun 26, 2024

I guess that would be because of rustls/rustls-native-certs#28. Apparently somehow we were previously pulling in webpki-roots (perhaps in addition rustls-native-certs)?

@djc In #3903 rustls-native-certs and webpki-roots were introduced as dependencies of rustls-platform-verifier. The former used to be a dependency of reqwest (this is no longer the case), but the latter is completely new.

@djc
Copy link
Contributor

djc commented Jun 26, 2024

Right, that's a pretty limited dependency:

[target.'cfg(target_arch = "wasm32")'.dependencies]
webpki-roots = "0.26"

# BSD targets require webpki-roots for the real-world verification tests.
[target.'cfg(target_os = "freebsd")'.dev-dependencies]
webpki-roots = "0.26"

But my point was, before #3903 we were using reqwest/rustls-tls-native-roots which should also have been using rustls-native-certs on FreeBSD -- so I'm confused why this only started to fail now.

@rami3l
Copy link
Member Author

rami3l commented Jun 26, 2024

@djc I see what you mean now. This is very weird...

Before (d85502c):

> cargo tree -i webpki-roots --target=x86_64-unknown-freebsd
error: package ID specification `webpki-roots` did not match any packages

> cargo tree -i rustls-native-certs --target=x86_64-unknown-freebsd
rustls-native-certs v0.7.0
└── reqwest v0.12.4
    └── download v1.27.1
        └── rustup v1.27.1

After (f48df22):

> cargo tree -i webpki-roots --target=x86_64-unknown-freebsd
warning: nothing to print.

> cargo tree -i rustls-native-certs --target=x86_64-unknown-freebsd
rustls-native-certs v0.7.0
└── rustls-platform-verifier v0.3.1
    └── download v1.27.1
        └── rustup v1.27.1

Could it be that these two dependencies (reqwest and rustls-platform-verifier) are using rustls-native-certs slightly differently?

@rami3l
Copy link
Member Author

rami3l commented Jun 26, 2024

Indeed, both are using the following snippet, but rustls-platform-verifier is using it under a guard only, and that guard is disabled on FreeBSD.

#[cfg(feature = "rustls-tls-native-roots")]
[..]
for cert in rustls_native_certs::load_native_certs()

https://github.com/seanmonstar/reqwest/blob/c4ebb073438026e09c99469be02fc1f1a254058a/src/async_impl/client.rs#L516-L520

#[cfg(all(target_os = "linux", not(target_arch = "wasm32")))]
match rustls_native_certs::load_native_certs() {

https://github.com/rustls/rustls-platform-verifier/blob/2b3bfbe9789b15748364e5b8c1b7f93848dea26e/rustls-platform-verifier/src/verification/others.rs#L118-L119

@rami3l rami3l added the not-rustup Whatever is described in this issue isn't Rustup's fault label Jun 26, 2024
@rami3l
Copy link
Member Author

rami3l commented Jun 26, 2024

As the upstream issue has been resolved in rustls/rustls-platform-verifier#105, there's no point tracking it here for any longer (the problem will definitely go away before the next release since there will be at least some dep version bumps before then).

@rami3l rami3l closed this as completed Jun 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug not-rustup Whatever is described in this issue isn't Rustup's fault
Projects
None yet
Development

No branches or pull requests

2 participants