Skip to content

Replace OpenSSL with rustls #1928

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
thomas-zahner wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

Replace OpenSSL with rustls #1928

thomas-zahner wants to merge 6 commits into from

Conversation

@thomas-zahner
Copy link
Member

@thomas-zahner thomas-zahner commented Nov 19, 2025

Eventually closes #1721

This is a draft not yet quite ready to be merged.

@thomas-zahner thomas-zahner mentioned this pull request Nov 19, 2025
Open
@thomas-zahner thomas-zahner force-pushed the rustls branch 2 times, most recently from cb636f5 to d645040 Compare November 19, 2025 20:19
@thomas-zahner
Copy link
Member Author

thomas-zahner commented Nov 20, 2025

@mre If we see that this PR works in CI and on different machines for users, do you agree that it makes sense to fully get rid of the OpenSSL approach? Or do you think we should keep it and only change the default?

@thomas-zahner thomas-zahner mentioned this pull request Nov 24, 2025
Draft
@mre
Copy link
Member

mre commented Nov 24, 2025

TBH, for now I would keep it and change the default. At least for one version. Then we can tell people to switch back to OpenSSL if there are any problems. We could mention that in the release-notes. On the other side, I'm flexible here. That's just what I would do, but we can also go all-in on rustls. 😆 Worst case, we release a patch version with the OpenSSL option available again. So whatever you believe is the best tradeoff between simplicity and user experience.

@thomas-zahner
Copy link
Member Author

thomas-zahner commented Nov 26, 2025

This unfortunately is blocked by reacherhq/check-if-email-exists#1625. The problem is that the latest version of check-if-email-exists on crates.io uses openSSL without an option to use ruslts.

@kemingy
Copy link
Contributor

kemingy commented Nov 27, 2025

I just found that the check-if-email-exists is dual licensed under AGPL-3 or Reacher Commercial license.

But it's enabled by default for lychee CLI:

lychee/lychee-bin/Cargo.toml

Line 96 in caf63cc

default = ["native-tls", "email-check"]

As far as I know, it's not compatible with the Apache2 + MIT license.

Maybe we need to open another issue to discuss this. What do you think? @mre

@thomas-zahner
Copy link
Member Author

thomas-zahner commented Nov 27, 2025

@kemingy Thanks for pointing it out. This is known since 2022 see #594. Unfortunately, we never really prioritised the issue. But you are right that this is quite problematic and now as it even blocks the transition to rustls I will try to resolve it as soon as possible.

@thomas-zahner thomas-zahner mentioned this pull request Dec 26, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use rustls by default

3 participants

@thomas-zahner @mre @kemingy