[PR #2001] [CLOSED] Separate default rustls::ClientConfig for each protocol #2751

Closed
opened 2026-03-16 11:06:17 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2001
Author: @daxpedda
Created: 8/21/2023
Status: Closed

Base: main ← Head: alpn-config


📝 Commits (7)

  • 14f6833 Add webpki-roots and native-certs features
  • 59aeb66 Fallible rustls-native-certs initialization
  • e9ca987 Store ClientConfig per connection provider
  • 8a75049 Use RootCertStore::add_parsable_certificates()
  • de614db Fix example requiring root certificates
  • 140966b Make QuicClientStreamBuilder construction non-fallible
  • 98afd7c Separate default rustls::ClientConfig for each protocol

📊 Changes

18 files changed (+468 additions, -125 deletions)

View changed files

📝 Cargo.lock (+15 -3)
📝 Cargo.toml (+2 -2)
📝 crates/client/Cargo.toml (+3 -1)
📝 crates/proto/Cargo.toml (+7 -4)
📝 crates/proto/src/error.rs (+7 -0)
📝 crates/proto/src/https/https_client_stream.rs (+28 -6)
📝 crates/proto/src/quic/mod.rs (+1 -1)
📝 crates/proto/src/quic/quic_client_stream.rs (+36 -11)
📝 crates/resolver/Cargo.toml (+5 -1)
📝 crates/resolver/examples/custom_provider.rs (+24 -6)
📝 crates/resolver/src/config.rs (+2 -0)
📝 crates/resolver/src/https.rs (+37 -22)
📝 crates/resolver/src/name_server/connection_provider.rs (+72 -9)
📝 crates/resolver/src/quic.rs (+117 -15)
📝 crates/resolver/src/tls/dns_over_rustls.rs (+74 -31)
📝 crates/resolver/src/tls/mod.rs (+2 -3)
📝 util/Cargo.toml (+5 -2)
📝 util/src/dns.rs (+31 -8)

📄 Description

This PR separates the default configuration used by each protocol to allow correct default ALPN and SNI configuration.

The certificates provided by webpki-roots are parsed only once; the ClientConfig is cloned and then modified for each protocol. The clone doesn't actually clone the certificates, as they are stored in an Arc<WebPkiVerifier>, which avoids re-parsing the certificates over and over again, but more importantly doesn't multiply the memory usage for each cloned ClientConfig.

See #1990 for more details on the issue addressed here.

Based on #1943.
Fixes #1990.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
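
The pattern the description relies on, as an added example (not code from the PR or from rustls): a std-only model in which `Verifier`, `ClientConfig`, `Protocol`, `base_config` and `config_for` are hypothetical stand-ins, showing that a per-protocol clone gets its own ALPN list while the parsed roots stay behind one shared `Arc`. The ALPN values are the IANA-registered identifiers for DoT, HTTP/2 and DoQ, assumed here as each protocol's default.

```rust
use std::sync::Arc;

// Hypothetical stand-in for the verifier that owns the parsed trust anchors.
#[derive(Debug)]
struct Verifier { roots: Vec<Vec<u8>> }

// Hypothetical stand-in for a TLS client config: the verifier sits behind an
// Arc, while the ALPN list is owned by each config value.
#[derive(Clone, Debug)]
struct ClientConfig { verifier: Arc<Verifier>, alpn_protocols: Vec<Vec<u8>> }

#[derive(Clone, Copy, Debug, PartialEq)]
enum Protocol { Tls, Https, Quic }

impl Protocol {
    // IANA-registered ALPN IDs: "dot" (DNS over TLS), "h2" (HTTP/2), "doq" (DNS over QUIC).
    fn alpn(self) -> &'static [u8] {
        match self { Protocol::Tls => b"dot", Protocol::Https => b"h2", Protocol::Quic => b"doq" }
    }
}

// Parse the root set once; unparsable entries (modelled as empty) are skipped.
fn base_config(der_certs: &[&[u8]]) -> ClientConfig {
    let roots = der_certs.iter().filter(|c| !c.is_empty()).map(|c| c.to_vec()).collect();
    ClientConfig { verifier: Arc::new(Verifier { roots }), alpn_protocols: Vec::new() }
}

// Derive a protocol-specific config: the clone copies the Arc pointer only,
// then the ALPN list is replaced so one protocol never inherits another's.
fn config_for(base: &ClientConfig, proto: Protocol) -> ClientConfig {
    let mut cfg = base.clone();
    cfg.alpn_protocols = vec![proto.alpn().to_vec()];
    cfg
}

fn main() {
    // Constructed sample input: two usable "certificates" and one unparsable entry.
    let constructed: [&[u8]; 3] = [b"root-a", b"", b"root-b"];
    let base = base_config(&constructed);
    for p in [Protocol::Tls, Protocol::Https, Protocol::Quic] {
        let cfg = config_for(&base, p);
        println!(
            "{:?}: alpn={} roots={} shared_verifier={}",
            p,
            String::from_utf8_lossy(&cfg.alpn_protocols[0]),
            cfg.verifier.roots.len(),
            Arc::ptr_eq(&base.verifier, &cfg.verifier)
        );
    }
}
```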
