Refactor TLS API

.github/workflows/ci.yml

@@ -74,11 +74,11 @@ jobs:
           components: clippy
           default: true
 
-      # openssl-sys <0.9.45 relies on a feature in rustc_version >=0.2.2, but
-      # specifies its dependency as "^0.2".
+      # openssl-sys needs to be new enough to be compatible with system OpenSSL
+      # version
       - name: Override openssl-sys version
         run: |
-          printf '[dependencies.openssl-sys]\nversion = "0.9.45"\n' >> Cargo.toml
+          printf '[dependencies.openssl-sys]\nversion = "0.9.77"\n' >> Cargo.toml
 
       - name: Update Cargo.lock
         run: cargo -Z minimal-versions update

Cargo.toml

@@ -19,21 +19,27 @@ features = ["cookies", "json", "nightly"]
 status = "actively-developed"
 
 [features]
-default = ["http2", "native-tls", "static-curl", "text-decoding"]
+default = ["http2", "default-tls", "static-curl", "text-decoding"]
 cookies = ["httpdate"]
 http2 = ["curl/http2"]
 json = ["serde", "serde_json"]
-native-tls = ["curl/ssl", "curl-sys/ssl"]
 nightly = []
+online-tests = []
 psl = ["httpdate", "publicsuffix"]
-rustls-tls = ["curl/rustls", "curl/static-curl"]
-rustls-tls-native-certs = ["rustls-tls", "data-encoding", "rustls-native-certs"]
 spnego = ["curl-sys/spnego"]
 static-curl = ["curl/static-curl"]
-static-ssl = ["curl/static-ssl"]
 text-decoding = ["encoding_rs", "mime"]
 unstable-interceptors = []
 
+# TLS-related features
+tls = []
+tls-insecure = []
+default-tls = ["native-tls", "tls"]
+native-tls = ["tls", "curl/ssl", "curl-sys/ssl"]
+native-tls-static = ["native-tls", "curl/static-ssl", "curl-sys/static-ssl"]
+rustls-tls = ["static-curl", "tls", "curl/rustls"]
+rustls-tls-native-certs = ["rustls-tls", "data-encoding", "rustls-native-certs"]
+
 [dependencies]
 async-channel = "1.7" # channel used for internal communication
 castaway = "0.2" # buffer type specialization
@@ -50,12 +56,12 @@ waker-fn = "1" # async primitive
 
 # underlying HTTP engine that powers Isahc
 [dependencies.curl]
-version = "0.4.43"
+version = "0.4.44"
 default-features = false
 
 # access to certain curl APIs not exposed in safe wrapper
 [dependencies.curl-sys]
-version = "0.4.55"
+version = "0.4.56"
 default-features = false
 
 # used in TLS cert parsing
@@ -132,6 +138,10 @@ serde_json = "1"
 [dev-dependencies.testserver]
 path = "testserver"
 
+[[example]]
+name = "badssl"
+required-features = ["tls-insecure"]
+
 [[example]]
 name = "cookies"
 required-features = ["cookies"]

README.md

@@ -136,7 +136,6 @@ The Isahc logo and related assets are licensed under a [Creative Commons Attribu
 [multi interface]: https://curl.haxx.se/libcurl/c/libcurl-multi.html
 [rfc4559]: https://tools.ietf.org/html/rfc4559
 [rust]: https://www.rustlang.org
-[rustls]: https://github.com/ctz/rustls
 [serde]: https://serde.rs
 [Surf]: https://github.com/http-rs/surf
 [ureq]: https://github.com/algesten/ureq

examples/badssl.rs

@@ -1,36 +1,55 @@
 //! This example contains a number of manual tests against badssl.com
 //! demonstrating several dangerous SSL/TLS options.
 
-use isahc::{config::SslOption, prelude::*, Request};
+use isahc::{error::ErrorKind, prelude::*, tls::TlsConfig, Request};
 
 fn main() {
+    println!("ssl: {:?}", curl::Version::get().ssl_version());
+
     // accept expired cert
     Request::get("https://expired.badssl.com")
-        .ssl_options(SslOption::DANGER_ACCEPT_INVALID_CERTS)
+        .tls_config(
+            TlsConfig::builder()
+                .danger_accept_invalid_certs(true)
+                .build(),
+        )
         .body(())
         .unwrap()
         .send()
         .expect("cert should have been accepted");
 
     // accepting invalid certs alone does not allow invalid hosts
-    Request::get("https://wrong.host.badssl.com")
-        .ssl_options(SslOption::DANGER_ACCEPT_INVALID_CERTS)
+    let error = Request::get("https://wrong.host.badssl.com")
+        .tls_config(
+            TlsConfig::builder()
+                .danger_accept_invalid_certs(true)
+                .build(),
+        )
         .body(())
         .unwrap()
         .send()
         .expect_err("cert should have been rejected");
+    assert_eq!(error, ErrorKind::BadServerCertificate);
 
     // accept cert with wrong host
     Request::get("https://wrong.host.badssl.com")
-        .ssl_options(SslOption::DANGER_ACCEPT_INVALID_HOSTS)
+        .tls_config(
+            TlsConfig::builder()
+                .danger_accept_invalid_hosts(true)
+                .build(),
+        )
         .body(())
         .unwrap()
         .send()
         .expect("cert should have been accepted");
 
     // accepting certs with wrong host alone does not allow invalid certs
     Request::get("https://expired.badssl.com")
-        .ssl_options(SslOption::DANGER_ACCEPT_INVALID_HOSTS)
+        .tls_config(
+            TlsConfig::builder()
+                .danger_accept_invalid_hosts(true)
+                .build(),
+        )
         .body(())
         .unwrap()
         .send()

src/auth.rs

@@ -1,6 +1,6 @@
 //! Types for working with HTTP authentication methods.
 
-use crate::config::{proxy::Proxy, request::SetOpt};
+use crate::config::{proxy::SetOptProxy, request::SetOpt};
 use std::{
     fmt,
     ops::{BitOr, BitOrAssign},
@@ -31,10 +31,10 @@ impl SetOpt for Credentials {
     }
 }
 
-impl SetOpt for Proxy<Credentials> {
-    fn set_opt<H>(&self, easy: &mut curl::easy::Easy2<H>) -> Result<(), curl::Error> {
-        easy.proxy_username(&self.0.username)?;
-        easy.proxy_password(&self.0.password)
+impl SetOptProxy for Credentials {
+    fn set_opt_proxy<H>(&self, easy: &mut curl::easy::Easy2<H>) -> Result<(), curl::Error> {
+        easy.proxy_username(&self.username)?;
+        easy.proxy_password(&self.password)
     }
 }
 
@@ -173,19 +173,19 @@ impl SetOpt for Authentication {
     }
 }
 
-impl SetOpt for Proxy<Authentication> {
-    fn set_opt<H>(&self, easy: &mut curl::easy::Easy2<H>) -> Result<(), curl::Error> {
+impl SetOptProxy for Authentication {
+    fn set_opt_proxy<H>(&self, easy: &mut curl::easy::Easy2<H>) -> Result<(), curl::Error> {
         #[cfg(feature = "spnego")]
         {
-            if self.0.contains(Authentication::negotiate()) {
+            if self.contains(Authentication::negotiate()) {
                 // Ensure auth engine is enabled, even though credentials do not
                 // need to be specified.
                 easy.proxy_username("")?;
                 easy.proxy_password("")?;
             }
         }
 
-        easy.proxy_auth(&self.0.as_auth())
+        easy.proxy_auth(&self.as_auth())
     }
 }