refactor: Use native-tls as default (#16199)

* refactor: Use native-tls as default

Signed-off-by: Xuanwo <github@xuanwo.io>

* fix: use vendored openssl

* fix: feature native-tls-tls for mysql_async

* feat: use openssl-tls for poem

* fix: lint

* chore: disable client cert support

---------

Signed-off-by: Xuanwo <github@xuanwo.io>
Co-authored-by: everpcpc <git@everpcpc.com>

Author: Xuanwo

Cargo.lock

@@ -255,7 +255,7 @@ itertools = "0.10.5"
 jsonb = "0.4.1"
 jwt-simple = "0.11.0"
 match-template = "0.0.1"
-mysql_async = { version = "0.34", default-features = false, features = ["rustls-tls"] }
+mysql_async = { version = "0.34", default-features = false, features = ["native-tls-tls"] }
 object_store_opendal = "0.45"
 once_cell = "1.15.0"
 openai_api_rust = "0.1"
@@ -288,7 +288,8 @@ ordq = "0.2.0"
 parking_lot = "0.12.1"
 parquet = { version = "52", features = ["async"] }
 paste = "1.0.15"
-poem = { version = "3.0", features = ["rustls", "multipart", "compression"] }
+# TODO: let's use native tls instead.
+poem = { version = "3.0", features = ["openssl-tls", "multipart", "compression"] }
 prometheus-client = "0.22"
 prost = { version = "0.12.1" }
 prost-build = { version = "0.12.1" }
@@ -297,8 +298,8 @@ regex = "1.8.1"
 reqwest = { version = "0.12", default-features = false, features = [
     "json",
     "http2",
-    "rustls-tls",
-    "rustls-tls-native-roots",
+    "native-tls-vendored",
+    "native-tls-alpn",
 ] }
 reqwest-hickory-resolver = "0.1"
 rotbl = { git = "https://github.com/drmingdrmer/rotbl", tag = "v0.1.2-alpha.6", features = [] }

Cargo.toml

@@ -28,7 +28,7 @@ use poem::listener::Acceptor;
 use poem::listener::AcceptorExt;
 use poem::listener::IntoTlsConfigStream;
 use poem::listener::Listener;
-use poem::listener::RustlsConfig;
+use poem::listener::OpensslTlsConfig;
 use poem::listener::TcpListener;
 use poem::Endpoint;
 
@@ -52,7 +52,7 @@ impl HttpShutdownHandler {
     pub async fn start_service(
         &mut self,
         listening: SocketAddr,
-        tls_config: Option<RustlsConfig>,
+        tls_config: Option<OpensslTlsConfig>,
         ep: impl Endpoint + 'static,
         graceful_shutdown_timeout: Option<Duration>,
     ) -> Result<SocketAddr, HttpError> {
@@ -76,7 +76,7 @@ impl HttpShutdownHandler {
                 .into_stream()
                 .map_err(|err| HttpError::TlsConfigError(AnyError::new(&err)))?;
 
-            acceptor = acceptor.rustls(conf_stream).boxed();
+            acceptor = acceptor.openssl_tls(conf_stream).boxed();
         }
 
         let (tx, rx) = oneshot::channel();

src/common/http/src/http_shutdown_handlers.rs

@@ -29,8 +29,7 @@ use databend_common_meta_types::MetaNetworkError;
 use log::info;
 use log::warn;
 use poem::get;
-use poem::listener::RustlsCertificate;
-use poem::listener::RustlsConfig;
+use poem::listener::OpensslTlsConfig;
 use poem::Endpoint;
 use poem::EndpointExt;
 use poem::Route;
@@ -104,17 +103,10 @@ impl HttpService {
         route.data(self.meta_node.clone()).data(self.cfg.clone())
     }
 
-    fn build_tls(config: &Config) -> Result<RustlsConfig, MetaNetworkError> {
-        let conf = config.clone();
-
-        let tls_cert = std::fs::read(conf.admin_tls_server_cert.as_str())
-            .map_err(|e| MetaNetworkError::TLSConfigError(AnyError::new(&e)))?;
-
-        let tls_key = std::fs::read(conf.admin_tls_server_key)
-            .map_err(|e| MetaNetworkError::TLSConfigError(AnyError::new(&e)))?;
-
-        let certificate = RustlsCertificate::new().cert(tls_cert).key(tls_key);
-        let cfg = RustlsConfig::new().fallback(certificate);
+    fn build_tls(config: &Config) -> Result<OpensslTlsConfig, MetaNetworkError> {
+        let cfg = OpensslTlsConfig::new()
+            .cert_from_file(config.admin_tls_server_cert.as_str())
+            .key_from_file(config.admin_tls_server_key.as_str());
         Ok(cfg)
     }