Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement wasi-tls #10089

Open
badeend opened this issue Jan 23, 2025 · 3 comments
Open

Implement wasi-tls #10089

badeend opened this issue Jan 23, 2025 · 3 comments

Comments

@badeend
Copy link
Contributor

badeend commented Jan 23, 2025

wasi-tls has recently been accepted as a phase 1 proposal.

We'd like to start implementing this in wasmtime. There already exists some prior efforts:


My suggestion is to add a new standalone wasi-tls crate:

  • under the /crates folder, similar to the other proposals.
  • that uses the WIT file from this PR
  • that targets WASI v0.2 for the time being. Work on a v0.3 interface can happen in parallel in the future.
  • that is completely experimental and therefore behind a tls flag.
  • uses rustls for its implementation? (up for discussion, see next comment)

Thoughts?


CC @dicej @jsturtevant

@badeend
Copy link
Contributor Author

badeend commented Jan 23, 2025

I did an inventory of the two most popular rust TLS crates to see how suitable they are to implement the draft spec:

rustls:

  • doesn't support post-handshake authentication.
  • supports programmatic client certificate selection, but the callback isn't async.
  • supports programmatic peer certificate verification, but the callback isn't async.

native-tls:

  • does not support TLS1.3 (yet)
  • uses MacOS Secure Transport, which is deprecated and will likely never receive TLS1.3 support.
  • does not support programmatic client certificate selection
  • does not support programmatic peer certificate verification
  • can't inspect the peer's certificate chain, only the leaf cert
  • can't inspect ClientHello nor select server certificate & other configurations based on SNI
  • can't read SNI submitted server name
  • can't read negotiated TLS version
  • can't read negotiated cipher suite
  • can't configure ALPN ids on the server side
  • can't configure cipher suites
  • can't request mid-handshake client certificate on the server side
  • doesn't support post-handshake authentication

From wasmtime's POV, rustls seems an obvious choice:

  • it is already used by wasi-http,
  • it is the most feature complete,
  • allows us to quickly iterate on the WIT definitions. Most additions are simply hooking it up to the corresponding rustls methods.

Despite its shortcomings, from a Standards POV, native-tls has one important leg up:
Instant validation of portability goals against three different industry-standard back-ends (OpenSSL, SChannel, SecureTransport).
AFAIK, most of these shortcomings are of the native-tls crate itself and not of the underlying providers. Case in point: .NET's SSLStream is also built on top of SChannel & OpenSSL, yet does support the desired features.


In the current stage the interface is still simple enough that it doesn't really matter which one we choose. I just wanted to throw it out there before we start sinking too much time into the integration of either option.

@alexcrichton
Copy link
Member

How unreasonable do you think it would be to support both rustls and native-tls? For example via compile-time Cargo features? It seems reasonable to have rustls as the default given its breadth of features but being able to showcase both in the same codebase would be a nice example for others looking to implement the proposal as well.

@badeend
Copy link
Contributor Author

badeend commented Jan 25, 2025

Given the current simplicity of the WASI interface, it should be doable to have both backends. Looking into the future, I can't vouch for how tenable the situation will be.

The current plan is that @jsturtevant will work on the initial implementation. I haven't checked in with him on this specific point yet, but I suspect that we'll start with just a single backend. We could add the secondary backend in a follow-up PR.

@jsturtevant Does this sound about right to you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants