WIP Switch to Rustls

Author: amesgen

cabal.project

@@ -1 +1,10 @@
 packages: .
+
+source-repository-package
+  type: git
+  location: https://github.com/amesgen/hs-rustls
+  tag: af95cd7d3f79913d2864f46931bbfe339f9c396d
+  --sha256: 0a2drcy9893r06ghh7cpj21lg2n8ma737x0mhqh0spsf3znsd4db
+  subdir: rustls http-client-rustls
+
+constraints: rustls -derive-storable-plugin

flake.lock

@@ -9,14 +9,23 @@
       inputs.flake-utils.follows = "flake-utils";
     };
     flake-utils.url = "github:numtide/flake-utils";
+    nix-rustls = {
+      url = "github:amesgen/hs-rustls?dir=nix-rustls";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
   };
-  outputs = { self, nixpkgs, flake-utils, haskellNix, nur, pre-commit-hooks }:
+  outputs = { self, nixpkgs, flake-utils, haskellNix, nur, pre-commit-hooks, nix-rustls }:
     flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
       let
         pkgs = import nixpkgs {
           inherit system;
           inherit (haskellNix) config;
-          overlays = [ haskellNix.overlay nur.overlay ];
+          overlays = [
+            haskellNix.overlay
+            nur.overlay
+            nix-rustls.overlays.default
+          ];
         };
         inherit (pkgs) lib;
         hsPkgs = pkgs.haskell-nix.cabalProject {
@@ -53,28 +62,23 @@
               --hie-directory ${hellsmack.components.tests.tasty.hie}
           '';
           pre-commit-check =
-            let ormolu = pkgs.nur.repos.amesgen.ormolu; in
             pre-commit-hooks.lib.${system}.run {
               src = ./.;
               hooks = {
                 nixpkgs-fmt.enable = true;
-                ormolu = {
-                  enable = true;
-                  entry = lib.mkForce "${ormolu}/bin/ormolu -i";
-                };
+                ormolu.enable = true;
                 hlint.enable = true;
               };
               tools = {
-                inherit ormolu;
-                hlint = pkgs.nur.repos.amesgen.hlint;
+                inherit (pkgs.nur.repos.amesgen) ormolu hlint;
               };
             };
         };
         devShells.default = hsPkgs.shellFor {
           tools = { cabal = { }; };
           buildInputs = [ pkgs.nur.repos.amesgen.cabal-docspec ];
           withHoogle = false;
-          exactDeps = true;
+          exactDeps = false;
           inherit (self.checks.${system}.pre-commit-check) shellHook;
         };
 

flake.nix

@@ -41,6 +41,8 @@ library
     , temporary >= 1.3
     , http-types >= 0.12
     , http-client >= 0.7
+    , rustls >= 0.0
+    , http-client-rustls >= 0.0
     , network-uri >= 2.6
     , aeson >= 2.0
     , deriving-aeson >= 0.2.7
@@ -68,11 +70,6 @@ library
     , semigroups >= 0.19
     , optparse-applicative >= 0.16
     , th-env >= 0.1
-  if os(windows)
-    build-depends: http-client-tls >= 0.3
-    cpp-options: -DUSE_HASKELL_TLS
-  else
-    build-depends: http-client-openssl >= 0.3.3
 
   exposed-modules:
       Prelude

hellsmack.cabal

@@ -1,17 +1,23 @@
-{-# LANGUAGE CPP #-}
+module HellSmack.Http (newTLSManager) where
 
-module HellSmack.Http (newTLSManager, Manager) where
+import Network.HTTP.Client qualified as HTTP
+import Network.HTTP.Client.Rustls (rustlsManagerSettings)
+import Rustls qualified
+import UnliftIO.Exception
 
-import Network.HTTP.Client
-#if USE_HASKELL_TLS
-import Network.HTTP.Client.TLS
-#else
-import Network.HTTP.Client.OpenSSL
-#endif
-
-newTLSManager :: MonadIO m => m Manager
-#if USE_HASKELL_TLS
-newTLSManager = newTlsManager
-#else
-newTLSManager = liftIO $ withOpenSSL newOpenSSLManager
-#endif
+newTLSManager :: MonadIO m => m HTTP.Manager
+newTLSManager = liftIO do
+  roots <-
+    fmap (Rustls.ClientRootsInMemory . pure . Rustls.PEMCertificatesStrict) $
+      defaultCertFile `onException` envCertFile
+  clientConfig <- Rustls.buildClientConfig $ Rustls.defaultClientConfigBuilder roots
+  HTTP.newManager $ rustlsManagerSettings clientConfig
+  where
+    defaultCertFile = readFileBS "/etc/ssl/certs/ca-certificates.crt"
+    envCertFile =
+      lookupEnv envKey >>= \case
+        Just file | not (null file) -> readFileBS file
+        _ -> throwString [i|default SSL certs not found, please set $envKey|]
+      where
+        envKey :: String
+        envKey = "SSL_CERT_FILE"