THRIFT-6097: Add rustls client and server support#3638
Open
HTHou wants to merge 1 commit into
Open
Conversation
HTHou
marked this pull request as ready for review
July 16, 2026 09:15
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds optional TLS support to the Rust runtime via rustls, introducing new TLS-backed client/server channels and a server TLS listen entrypoint while keeping all TLS policy and trust configuration under application control. It also adds Rust TLS cross-tests and updates Rust/threat-model documentation to reflect the new TLS capability.
Changes:
- Add optional
rustls-backed transports (TTlsClientChannel,TTlsServerChannel) and aTSharedChanneladapter to safely split non-cloneable bidirectional streams. - Add
TServer::listen_tls(Rust) and wire up Rust cross-test client/server binaries for--ssl. - Add Rust TLS/shared-channel tests plus documentation updates (Rust README + threat model), and enable TLS socket mode in the cross-test matrix.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| test/tests.json | Adds ip-ssl socket mode to the cross-test matrix. |
| test/rs/src/bin/test_server.rs | Enables --ssl for Rust test server and uses listen_tls with a test rustls config. |
| test/rs/src/bin/test_client.rs | Enables --ssl for Rust test client and connects via TTlsClientChannel with a test verifier. |
| test/rs/Cargo.toml | Adds rustls deps for Rust cross-tests and enables Thrift’s rustls feature. |
| lib/rs/tests/tls.rs | Adds unit tests for TLS handshake behavior and error messaging. |
| lib/rs/tests/shared_channel.rs | Adds tests for TSharedChannel split behavior and poison handling. |
| lib/rs/src/transport/tls.rs | Introduces TTlsClientChannel / TTlsServerChannel implementations using rustls. |
| lib/rs/src/transport/shared.rs | Adds TSharedChannel wrapper to share/split non-cloneable I/O safely. |
| lib/rs/src/transport/mod.rs | Wires in new transport modules and exports new channel types (feature-gated for TLS). |
| lib/rs/src/server/threaded.rs | Adds TServer::listen_tls (feature-gated) using TTlsServerChannel. |
| lib/rs/README.md | Documents Rust TLS feature usage and updates stated Rust compatibility notes. |
| lib/rs/Makefile.am | Expands Rust checks/tests to include --all-features and explicit rustls build coverage. |
| lib/rs/Cargo.toml | Adds optional rustls dependency and feature flag; adds dev-dep rustls for tests. |
| doc/thrift-threat-model.md | Updates threat model to reflect Rust TLS support and configuration-controlled validation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Client: rs Co-Authored-By: OpenAI Codex (GPT-5) <noreply@openai.com>
Member
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. 🤖 Generated with Claude Code |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
TTlsClientChannelandTTlsServerChanneltransportsTServer::listen_tlswhile keeping TLS configuration, trust anchors, client authentication, protocol versions, and crypto-provider selection under application controlTSharedChannelso a non-cloneable bidirectional TLS stream can be split safely for Thrift input and output transportsThis addresses THRIFT-6097.
Compatibility
The new
rustlsfeature is optional and is not enabled by Thrift's default feature set, so existing users do not acquire a TLS dependency unless they opt in. The runtime does not select a crypto provider or load certificates/system roots; callers pass a fully configured rustlsClientConfigorServerConfig.The Rust binding and generated code retain their Rust 1.65 baseline. Enabling the optional
rustlsfeature requires Rust 1.71 or newer, matching rustls 0.23's declared MSRV.Dependency licensing
rustlsis an optional library dependency (0.23.42currently resolved), licensed underApache-2.0 OR ISC OR MIT; this contribution consumes it under the Apache-2.0 option.rustls-pemfileis used only by the Rust cross-test binaries (2.2.0currently resolved), with the sameApache-2.0 OR ISC OR MITterms and Apache-2.0 option.ringprovider only for Rust unit/cross-tests (0.17.14currently resolved); the library feature itself remains provider-neutral.ringis licensed underApache-2.0 AND ISC.rustls-webpki/untrusted: ISC;subtle: BSD-3-Clause; andrustls-pki-types/once_cell/zeroize: Apache-2.0/MIT).All of these are ASF Category A licenses; no Category B or Category X dependency is introduced. No dependency source or binary is vendored into the Apache Thrift source distribution: Cargo downloads the crates separately at build/test time. Therefore the root
LICENSEandNOTICEremain unchanged, following ASF guidance for non-bundled dependencies.Validation
cargo fmt --all -- --check(lib/rsandtest/rs)cargo check --no-default-features --features rustls(lib/rs)cargo test --all-features(lib/rs: 175 unit tests, 2 shared-channel tests, 3 TLS tests, and 23 doc tests)cargo test(test/rs)python3 test/test.py --server rs --client rs -R ip-ssl -j 1(16/16 TLS combinations passed)AI assistance
This change was developed with OpenAI Codex (GPT-5). The single commit contains the corresponding
Co-Authored-Bytrailer.Checklist
THRIFT-6097:.[skip ci]is not used.