chore(tls): Remove ring as rustls crypto backend
#4029
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sfleen
force-pushed
the
sfleen/no-ring
branch
3 times, most recently
from
35575bf to
4c7a8ba
Compare
cratelyn
reviewed
Aug 4, 2025
cratelyn
reviewed
Aug 5, 2025
cratelyn
reviewed
Aug 5, 2025
cratelyn
reviewed
Aug 5, 2025
cratelyn
reviewed
Aug 5, 2025
cratelyn
reviewed
Aug 5, 2025
olix0r
requested changes
Aug 5, 2025
There was a problem hiding this comment.
This PR description is a little misleading: it does more than remove ring, it changes the default crypto backend. This is probably: chore(meshtls-rustls): use aws-lc as the default crypto backend (not a user-facing feature... etc)
To that end, is it difficult to split this PR into two discrete steps:
- Enable aws-lc by default
- Remove ring
In general this would be a preferable path. I can see how that might make for some intermediate complexity, though; so this is just a question...
sfleen
changed the title
|
It's not as bad as I originally thought to split out the default change to aws-lc-rs from the removal of ring, I've done the default change in #4043 and I'll update this to be purely a removal of ring (that we can decide to defer to late if need be). |
sfleen
changed the title
ring as rustls crypto backend
olix0r
pushed a commit
that referenced
this pull request
Aug 5, 2025
The broader ecosystem has mostly moved to `aws-lc-rs` as the primary `rustls` backend, and we should follow suit. This will also simplify the maintenance of the proxy's TLS implementation in the long term. This requires some extra configuration for successful cross-compilation, ideally we can remove this extra configuration once linkerd/dev v48 is available. This doesn't remove `ring` as a crypto backend, that can come in a follow-up at #4029
sfleen
force-pushed
the
sfleen/no-ring
branch
2 times, most recently
from
8083851 to
d160678
Compare
The broader ecosystem has mostly moved to aws-lc-rs as the primary rustls backend, and we should follow suit. This will also simplify the maintenance of the proxy's TLS implementation in the long term. There will need to be some refactoring to clean up the rustls provider interfaces, but that will come in follow-ups. Signed-off-by: Scott Fleener <[email protected]>
olix0r
reviewed
Aug 13, 2025
Signed-off-by: Scott Fleener <[email protected]>
Signed-off-by: Scott Fleener <[email protected]>
olix0r
approved these changes
Aug 13, 2025
|
🎉 so excited to see this land! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The broader ecosystem has mostly moved to aws-lc-rs as the primary rustls backend, and we should follow suit. This will also simplify the maintenance of the proxy's TLS implementation in the long term.
Child to #4043, which changed the default backend to
aws-lc-rs.There will need to be some refactoring to clean up the rustls provider interfaces, but that will come in follow-ups.