Cargo: update to rustls 0.22

This commit updates to rustls 0.22, taking the following associated
updates:
* rustls 0.22.0-alpha-6 -> 0.22
* pki-types 0.2 -> 1
* tokio-rustls 0.25.0-alpha.4 -> 0.25
* rustls-native-certs 0.7.0-alpha.3 -> 0.7
* webpki-roots 0.26.0-alpha.2 -> 0.26
* rustls-pemfile 2.0.0-alpha.2 -> 2

Breaking API changes are addressed as required. Notably, the builder fns
that accept a custom provider and use the safe defaults are now fallible
to account for a possible error if the provider's configuration is not
compatible with the default safe protocol versions.

Author: cpu

Cargo.toml

@@ -14,18 +14,18 @@ documentation = "https://docs.rs/hyper-rustls/"
 http = "0.2"
 hyper = { version = "0.14", default-features = false, features = ["client"] }
 log = { version = "0.4.4", optional = true }
-pki-types = { package = "rustls-pki-types", version = "0.2" }
-rustls-native-certs = { version = "=0.7.0-alpha.3", optional = true }
-rustls = { version = "=0.22.0-alpha.6", default-features = false }
+pki-types = { package = "rustls-pki-types", version = "1" }
+rustls-native-certs = { version = "0.7", optional = true }
+rustls = { version = "0.22", default-features = false }
 tokio = "1.0"
-tokio-rustls = { version = "=0.25.0-alpha.4", default-features = false }
-webpki-roots = { version = "=0.26.0-alpha.2", optional = true }
+tokio-rustls = { version = "0.25", default-features = false }
+webpki-roots = { version = "0.26", optional = true }
 futures-util = { version = "0.3", default-features = false }
 
 [dev-dependencies]
 hyper = { version = "0.14", features = ["full"] }
-rustls = { version = "=0.22.0-alpha.6", default-features = false, features = ["tls12"] }
-rustls-pemfile = "=2.0.0-alpha.2"
+rustls = { version = "0.22", default-features = false, features = ["tls12"] }
+rustls-pemfile = "2"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 
 [features]

examples/client.rs

@@ -52,13 +52,11 @@ async fn run_client() -> io::Result<()> {
             roots.add_parsable_certificates(certs);
             // TLS client config using the custom CA store for lookups
             rustls::ClientConfig::builder()
-                .with_safe_defaults()
                 .with_root_certificates(roots)
                 .with_no_client_auth()
         }
         // Default TLS client config with native roots
         None => rustls::ClientConfig::builder()
-            .with_safe_defaults()
             .with_native_roots()?
             .with_no_client_auth(),
     };

src/acceptor/builder.rs

@@ -22,9 +22,9 @@ impl AcceptorBuilder<WantsTlsConfig> {
         AcceptorBuilder(WantsAlpn(config))
     }
 
-    /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth]
+    /// Use rustls default crypto provider and safe defaults without
+    /// [client authentication][with_no_client_auth]
     ///
-    /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth
     pub fn with_single_cert(
         self,
@@ -33,7 +33,6 @@ impl AcceptorBuilder<WantsTlsConfig> {
     ) -> Result<AcceptorBuilder<WantsAlpn>, rustls::Error> {
         Ok(AcceptorBuilder(WantsAlpn(
             ServerConfig::builder()
-                .with_safe_defaults()
                 .with_no_client_auth()
                 .with_single_cert(cert_chain, key_der)?,
         )))

src/connector/builder.rs

@@ -52,74 +52,64 @@ impl ConnectorBuilder<WantsTlsConfig> {
         ConnectorBuilder(WantsSchemes { tls_config: config })
     }
 
-    /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
-    /// and native roots
+    /// Shorthand for using rustls' default crypto provider and safe defaults, with
+    /// native roots.
     ///
     /// See [`ConfigBuilderExt::with_native_roots`]
-    ///
-    /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     #[cfg(all(feature = "ring", feature = "rustls-native-certs"))]
     pub fn with_native_roots(self) -> std::io::Result<ConnectorBuilder<WantsSchemes>> {
         Ok(self.with_tls_config(
             ClientConfig::builder()
-                .with_safe_defaults()
                 .with_native_roots()?
                 .with_no_client_auth(),
         ))
     }
 
-    /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
-    /// with a custom [`CryptoProvider`] and native roots
+    /// Shorthand for using a custom [`CryptoProvider`] and native roots
     ///
     /// See [`ConfigBuilderExt::with_native_roots`]
-    ///
-    /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     #[cfg(feature = "rustls-native-certs")]
     pub fn with_provider_and_native_roots(
         self,
-        provider: &'static dyn CryptoProvider,
+        provider: CryptoProvider,
     ) -> std::io::Result<ConnectorBuilder<WantsSchemes>> {
         Ok(self.with_tls_config(
-            ClientConfig::builder_with_provider(provider)
-                .with_safe_defaults()
+            ClientConfig::builder_with_provider(provider.into())
+                .with_safe_default_protocol_versions()
+                .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?
                 .with_native_roots()?
                 .with_no_client_auth(),
         ))
     }
 
-    /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
-    /// and Mozilla roots
+    /// Shorthand for using rustls' default crypto provider and its
+    /// safe defaults.
     ///
     /// See [`ConfigBuilderExt::with_webpki_roots`]
-    ///
-    /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     #[cfg(all(feature = "ring", feature = "webpki-roots"))]
     pub fn with_webpki_roots(self) -> ConnectorBuilder<WantsSchemes> {
         self.with_tls_config(
             ClientConfig::builder()
-                .with_safe_defaults()
                 .with_webpki_roots()
                 .with_no_client_auth(),
         )
     }
 
-    /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
-    /// with a custom [`CryptoProvider`] and Mozilla roots
+    /// Shorthand for using a custom [`CryptoProvider`], Rustls' safe default
+    /// protocol versions and Mozilla roots
     ///
     /// See [`ConfigBuilderExt::with_webpki_roots`]
-    ///
-    /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     #[cfg(feature = "webpki-roots")]
     pub fn with_provider_and_webpki_roots(
         self,
-        provider: &'static dyn CryptoProvider,
-    ) -> ConnectorBuilder<WantsSchemes> {
-        self.with_tls_config(
-            ClientConfig::builder_with_provider(provider)
-                .with_safe_defaults()
+        provider: CryptoProvider,
+    ) -> Result<ConnectorBuilder<WantsSchemes>, rustls::Error> {
+        Ok(self.with_tls_config(
+            ClientConfig::builder_with_provider(provider.into())
+                .with_safe_default_protocol_versions()?
                 .with_webpki_roots()
                 .with_no_client_auth(),
-        )
+        ))
     }
 }
 
@@ -331,7 +321,6 @@ mod tests {
     fn test_reject_predefined_alpn() {
         let roots = rustls::RootCertStore::empty();
         let mut config_with_alpn = rustls::ClientConfig::builder()
-            .with_safe_defaults()
             .with_root_certificates(roots)
             .with_no_client_auth();
         config_with_alpn.alpn_protocols = vec![b"fancyprotocol".to_vec()];
@@ -347,7 +336,6 @@ mod tests {
     fn test_alpn() {
         let roots = rustls::RootCertStore::empty();
         let tls_config = rustls::ClientConfig::builder()
-            .with_safe_defaults()
             .with_root_certificates(roots)
             .with_no_client_auth();
         let connector = super::ConnectorBuilder::new()