feature-gate direct TLS mode to make rustls/aws-lc-rs optional

Signed-off-by: strawberry <strawberry@puppygock.gay>
2025-07-07 20:46:24 +02:00 · 2024-10-10 16:23:38 -04:00 · 2024-10-10 16:23:38 -04:00 · aa6f6c1bfa
commit aa6f6c1bfa
parent 127fb1a37b
7 changed files with 23 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -705,7 +705,6 @@ dependencies = [
 "reqwest",
 "ring",
 "ruma",
 "rustls 0.23.14",
 "sanitize-filename",
 "serde",
 "serde_json",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -101,7 +101,6 @@ features = ["typed-header", "tracing"]
 [workspace.dependencies.axum-server]
 version = "0.7.1"
 default-features = false
 features = ["tls-rustls"]
 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
--- a/src/core/Cargo.toml
+++ b/src/core/Cargo.toml
@ -80,7 +80,6 @@ regex.workspace = true
 reqwest.workspace = true
 ring.workspace = true
 ruma.workspace = true
 rustls.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true
 serde_regex.workspace = true
--- a/src/main/Cargo.toml
+++ b/src/main/Cargo.toml
@ -66,6 +66,9 @@ console = [
 #	"conduit-router/dev_release_log_level",
 #	"conduit-service/dev_release_log_level",
 #]
 direct_tls = [
    "conduit-router/direct_tls"
 ]
 element_hacks = [
 	"conduit-api/element_hacks",
 	"conduit-service/element_hacks",
--- a/src/router/Cargo.toml
+++ b/src/router/Cargo.toml
@ -42,9 +42,16 @@ systemd = [
 	"dep:sd-notify",
 ]
 direct_tls = [
    "axum-server/tls-rustls",
    "dep:rustls",
    "dep:axum-server-dual-protocol",
 ]
 [dependencies]
 axum-client-ip.workspace = true
 axum-server-dual-protocol.workspace = true
 axum-server-dual-protocol.optional = true
 axum-server.workspace = true
 axum.workspace = true
 conduit-admin.workspace = true
@ -63,6 +70,7 @@ hyper.workspace = true
 hyper-util.workspace = true
 ruma.workspace = true
 rustls.workspace = true
 rustls.optional = true
 sentry.optional = true
 sentry-tower.optional = true
 sentry-tower.workspace = true
--- a/src/router/serve/mod.rs
+++ b/src/router/serve/mod.rs
@ -1,4 +1,5 @@
 mod plain;
 #[cfg(feature = "direct_tls")]
 mod tls;
 mod unix;
@ -23,7 +24,14 @@ pub(super) async fn serve(
 	if cfg!(unix) && config.unix_socket_path.is_some() {
 		unix::serve(server, app, shutdown).await
 	} else if config.tls.is_some() {
-		tls::serve(server, app, handle, addrs).await
+		#[cfg(feature = "direct_tls")]
 		return tls::serve(server, app, handle, addrs).await;
 		#[cfg(not(feature = "direct_tls"))]
 		return conduit::Err!(Config(
 			"tls",
 			"conduwuit was not built with direct TLS support (\"direct_tls\")"
 		));
 	} else {
 		plain::serve(server, app, handle, addrs).await
 	}
--- a/src/router/serve/tls.rs
+++ b/src/router/serve/tls.rs
@ -20,7 +20,9 @@ pub(super) async fn serve(
 	// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
 	// without this, TLS mode will panic.
-	_ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+	rustls::crypto::aws_lc_rs::default_provider()
 		.install_default()
 		.expect("failed to initialise aws-lc-rs rustls crypto provider");
 	debug!("Using direct TLS. Certificate path {certs} and certificate private key path {key}",);
 	info!(