hyper::Request::builder() needs -- switches?

I am using the above to build https requests.
Unfortunately, OpenSSL has been changed yet again, insisting on longer keys, which the site that I am connecting to does not support. A common problem, I imagine.

I have been told that using an https switch --ciphers 'DEFAULT:!DH' might fix this.
Whereas I can do this perfectly well when building wget requests manually, the 'very helpful' Request::builder() does not seem to have any facility for setting these switches. At least not one that I can see in the documentation.

Any advice on how to get around this problem? Short of making system calls to shell files, thus, in effect, giving up on Rust?

hyper itself does not know anything about OpenSSL. You can configure an openssl::ssl::SslConnector with that cipher list and use that with hyper_openssl.

Also maybe tell the people running that site to pull their TLS implementation out of the Bronze Age.

I am currently using hyper_tls. Is there a way of setting --cipher with that, or at least with any crate that is not specific to a particular version of particular openssl library?

And no, I cannot persuade the "Bronze Age" people to change, as they are a major bank.

PS. I still do not see any way to actually configure it in, either with hyper_tls or with hyper_openssl.

It looks like hyper_openssl's HttpsConnector::with_connector() lets you provide your own openssl::ssl::SslConnectorBuilder. Can you use any of the methods on SslConnectorBuilder to do what you want (e.g. SslConnectorBuilder::set_options() or SslConnectorBuilder::set_cipher_list())?

Usually for things like this I'll reach for something like reqwest which is a high level web client that papers over the annoyances of OpenSSL and the myriad of different ways you can do TLS on the different platforms.

I don't see how this will help...

If you want to not go through hyper and mess about with the various ways OpenSSL is configured, how about using libcurl? It fills the same niche as reqwest (high level wrapper that abstracts over the transport mechanism), and will probably feel familiar if you've used libcurl in C...

It's also been around for ages, so I'm sure there'll be all the knobs and levers you need to tweak how TLS is done.

Thanks. I am considering moving back to reqwest now that it finally also supports async but will it work without setting the --cipher option?

The --cipher thing is probably a wget-specific feature, and reqwest probably handles choosing ciphers differently, so the question is if reqwest can use the specific cipher. Maybe it works by default, but if not, you would configure the tls settings here.

I have now re-written my code using reqwest, making the compilation and executable much bigger, but I still get the same error.

I have tried all sorts of things and finally, using rustls-tls seems to do the trick!!!
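
What the `DEFAULT:!DH` cipher string discussed earlier in the thread selects, as an added example that is not code from any poster or from OpenSSL: a simplified model of the cipher-string rules (`DEFAULT` must come first, `!` removes permanently, `-` removes but allows re-adding) applied to a constructed five-suite list. The suite table and the names `selects` and `expand` are assumptions made for illustration.

```rust
// Added example: simplified model of OpenSSL cipher-string filtering, not OpenSSL's code.
#[derive(Clone, Copy, PartialEq)]
enum Kx { Dhe, Ecdhe, Rsa }
#[derive(Clone, Copy, PartialEq)]
struct Suite { name: &'static str, kx: Kx }
// Constructed stand-in for the library's suite list; a real DEFAULT list is longer.
const KNOWN: &[Suite] = &[
    Suite { name: "ECDHE-RSA-AES256-GCM-SHA384", kx: Kx::Ecdhe },
    Suite { name: "DHE-RSA-AES256-GCM-SHA384", kx: Kx::Dhe },
    Suite { name: "ECDHE-RSA-AES128-GCM-SHA256", kx: Kx::Ecdhe },
    Suite { name: "DHE-RSA-AES128-GCM-SHA256", kx: Kx::Dhe },
    Suite { name: "AES128-GCM-SHA256", kx: Kx::Rsa },
];

// A selector is a key-exchange alias or an exact suite name.
fn selects(sel: &str, s: &Suite) -> bool {
    match sel {
        "DH" | "kDHE" => s.kx == Kx::Dhe,
        "ECDH" | "kECDHE" => s.kx == Kx::Ecdhe,
        "kRSA" => s.kx == Kx::Rsa,
        name => s.name == name,
    }
}

// Supported subset: DEFAULT, SEL (append), -SEL (remove), !SEL (remove for good).
fn expand(spec: &str) -> Result<Vec<&'static str>, String> {
    let (mut active, mut killed): (Vec<Suite>, Vec<&str>) = (Vec::new(), Vec::new());
    for (i, tok) in spec.split(':').enumerate() {
        if tok == "DEFAULT" {
            if i != 0 { return Err("DEFAULT must be the first item".into()); }
            active.extend_from_slice(KNOWN);
        } else if let Some(sel) = tok.strip_prefix('!') {
            active.retain(|s| !selects(sel, s));
            killed.push(sel); // later items cannot bring these suites back
        } else if let Some(sel) = tok.strip_prefix('-') {
            active.retain(|s| !selects(sel, s));
        } else {
            for s in KNOWN {
                let dead = killed.iter().any(|k| selects(k, s));
                if selects(tok, s) && !dead && !active.contains(s) { active.push(*s); }
            }
        }
    }
    if active.is_empty() { return Err(format!("no cipher match for {}", spec)); }
    Ok(active.iter().map(|s| s.name).collect())
}

fn main() { println!("{:?}", expand("DEFAULT:!DH")); }
```

With `DEFAULT:!DH` only the ECDHE and RSA key-exchange suites remain in the model, so a handshake would no longer negotiate finite-field DHE.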
