Provide a way to use openssl instead of rustls

[erfanium]

I have problem with sending https requests to https://api.kavenegar.com/v1, rustls throws this error:

Uncaught Http: error sending request for url (https://api.kavenegar.com/v1): error trying to connect: Connection reset by peer (os error 104)

Unfortunately, their decision criteria is not ‍‍rustls and they have no plans to change.
So, It would be nice to have a solution that we can use openssl instead of rustls (like a flag ...)

related to: #6197

[lucacasonato]

Unfortunately, their decision criteria is not ‍‍rustls and they have no plans to change.

Whose decision criteria? Who is they? What should be changed? I assume this site just uses some outdated or obsolete TLS configuration which rustls does not support.

[erfanium]

@lucacasonato

Who is they?

kavenegar.com team

What should be changed?

Their certificate to work with rustls.

I assume this site just uses some outdated or obsolete TLS configuration which rustls does not support.

Because there's no problem with major ssl/tls libraries like openssl and golang/tls, They told me the problem is with your client, not us.

Unfortunately, I don't know why rustls has a problem with api.kavenegar.com, but when I manually use default openssl feature with reqwest client, There is no problem anymore.

You can reproduce this problem with this code:

fetch("https://api.kavenegar.com/v1").then(console.log) // expect `404 not found` error but throws 104 os error

[lucacasonato]

@erfanium If openssl, Chrome, and Firefox work with this site, maybe the issue is in rustls. Maybe opening an issue there to see what is going on would help.

[erfanium]

@lucacasonato I will definitely do that, But it might not be bad for Deno to support both rustls and openssl, because reqwest support them as well, It's very easy to add this feature

[lucacasonato]

Its not actually very easy - we use rustls extensively outside of reqwest. e.g Deno.connectTls(), Deno.listenTls(), the WebSocket API. Also we have rustls specific code everywhere we use certificates. Also, adding a feature flag for openssl would double the time tests need to run, because all tests need to work in rustls and openssl.

[erfanium]

@lucacasonato
Unfortunately rustls has poor support for semi-old protocols (Compared to similar ones): https://github.com/ctz/rustls#non-features. What's Deno's view on this issue? Does Deno ever have a plan to support these?

[lucacasonato]

There is a reason they do not support these protocols. From rustls readme:

The following things are broken, obsolete, badly designed, underspecified, dangerous and/or insane.

I think it is a good idea to not support broken security protocols. People should just update their servers to support more secure protocols. We collectively managed to do this with TLS1.0 and TLS1.1, so we should be capable of doing this with other features too.

[kitsonk]

I also agree that we should not be keen on supporting broken, obsolete, badly designed, underspecified, dangerous and/or insane security protocols. Thanks for raising the issue, but I am going to close it, as it would be challenging to allow replacement of rustls and generally unaligned to some of the Deno objectives. Based on that I am going to close for now.