tweak(labrinth): drop last remaining dependency on system OpenSSL (#3982)

We standarized on using `rustls` as a TLS implementation across the monorepo, which is written in Rust and has better ergonomics, integration with the Rust ecosystem, and consistent behavior among platforms. However, the Labrinth Clickhouse client was the last remaining exception to this, using the native, OS-provided TLS implementation, which on Linux is OpenSSL and requires developers and Docker images to install OpenSSL development packages to build Labrinth, in addition to introducing an additional runtime dependency to Labrinth. Let's make the process of building Labrinth slightly simpler by switching such client to `rustls` as well, which results in finally using the same TLS implementation for everything, a simplified build and distribution process, less transitive dependencies, and potentially smaller binaries (since `rustls` was already being pulled in for, e.g., the SMTP client).
2025-07-12 15:39:41 +02:00 · 2025-07-12 15:39:41 +02:00 · a945e9b005
commit a945e9b005
parent b943638afb
6 changed files with 22 additions and 119 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1706,7 +1706,7 @@ dependencies = [
 "bitflags 2.9.1",
 "core-foundation 0.10.0",
 "core-graphics-types",
- "foreign-types 0.5.0",
+ "foreign-types",
 "libc",
 ]

@ -2699,15 +2699,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"

-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared 0.1.1",
-]
-
 [[package]]
 name = "foreign-types"
 version = "0.5.0"
@ -2715,7 +2706,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965"
 dependencies = [
 "foreign-types-macros",
- "foreign-types-shared 0.3.1",
+ "foreign-types-shared",
 ]

 [[package]]
@ -2729,12 +2720,6 @@ dependencies = [
 "syn 2.0.101",
 ]

-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "foreign-types-shared"
 version = "0.3.1"
@ -3678,11 +3663,10 @@ dependencies = [

 [[package]]
 name = "hyper-rustls"
-version = "0.27.5"
+version = "0.27.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
 dependencies = [
- "futures-util",
 "http 1.3.1",
 "hyper 1.6.0",
 "hyper-util",
@ -3692,7 +3676,7 @@ dependencies = [
 "tokio",
 "tokio-rustls 0.26.2",
 "tower-service",
- "webpki-roots 0.26.11",
+ "webpki-roots 1.0.0",
 ]

 [[package]]
@ -3708,22 +3692,6 @@ dependencies = [
 "tower-service",
 ]

-[[package]]
-name = "hyper-tls"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
-dependencies = [
- "bytes",
- "http-body-util",
- "hyper 1.6.0",
- "hyper-util",
- "native-tls",
- "tokio",
- "tokio-native-tls",
- "tower-service",
-]
-
 [[package]]
 name = "hyper-util"
 version = "0.1.14"
@ -4389,7 +4357,7 @@ dependencies = [
 "futures-util",
 "hex",
 "hmac",
- "hyper-tls",
+ "hyper-rustls 0.27.7",
 "hyper-util",
 "iana-time-zone",
 "image",
@ -4986,23 +4954,6 @@ dependencies = [
 "winapi",
 ]

-[[package]]
-name = "native-tls"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework 2.11.1",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "ndk"
 version = "0.9.0"
@ -5577,50 +5528,12 @@ dependencies = [
 "pathdiff",
 ]

-[[package]]
-name = "openssl"
-version = "0.10.72"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
-dependencies = [
- "bitflags 2.9.1",
- "cfg-if",
- "foreign-types 0.3.2",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.101",
-]
-
 [[package]]
 name = "openssl-probe"
 version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"

-[[package]]
-name = "openssl-sys"
-version = "0.9.108"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847"
-dependencies = [
- "cc",
- "libc",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@ -6850,7 +6763,7 @@ dependencies = [
 "http-body 1.0.1",
 "http-body-util",
 "hyper 1.6.0",
- "hyper-rustls 0.27.5",
+ "hyper-rustls 0.27.7",
 "hyper-util",
 "js-sys",
 "log",
@ -7980,7 +7893,7 @@ dependencies = [
 "bytemuck",
 "cfg_aliases",
 "core-graphics",
- "foreign-types 0.5.0",
+ "foreign-types",
 "js-sys",
 "log",
 "objc2 0.5.2",
@ -9292,16 +9205,6 @@ dependencies = [
 "syn 2.0.101",
 ]

-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.24.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -67,7 +67,12 @@ heck = "0.5.0"
 hex = "0.4.3"
 hickory-resolver = "0.25.2"
 hmac = "0.12.1"
-hyper-tls = "0.6.0"
+hyper-rustls = { version = "0.27.7", default-features = false, features = [
+  "http1",
+  "native-tokio",
+  "ring",
+  "tls12",
+] }
 hyper-util = "0.1.14"
 iana-time-zone = "0.1.63"
 image = { version = "0.25.6", default-features = false, features = ["rayon"] }
--- a/apps/docs/src/content/docs/contributing/labrinth.md
+++ b/apps/docs/src/content/docs/contributing/labrinth.md
@ -19,8 +19,6 @@ From there, you can create the database and perform all database migrations with
 sqlx database setup
 ```

-Finally, if on Linux, you will need the OpenSSL library. On Debian-based systems, this involves the `pkg-config` and `libssl-dev` packages.
-
 To enable labrinth to create a project, you need to add two things.

 1. An entry in the `loaders` table.
--- a/apps/labrinth/Cargo.toml
+++ b/apps/labrinth/Cargo.toml
@ -36,7 +36,7 @@ paste.workspace = true
 meilisearch-sdk = { workspace = true, features = ["reqwest"] }
 rust-s3.workspace = true
 reqwest = { workspace = true, features = ["http2", "rustls-tls-webpki-roots", "json", "multipart"] }
-hyper-tls.workspace = true
+hyper-rustls.workspace = true
 hyper-util.workspace = true

 serde = { workspace = true, features = ["derive"] }
--- a/apps/labrinth/Dockerfile
+++ b/apps/labrinth/Dockerfile
@ -11,7 +11,7 @@ LABEL org.opencontainers.image.description="Modrinth API"
 LABEL org.opencontainers.image.licenses=AGPL-3.0

 RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates openssl dumb-init curl \
+  && apt-get install -y --no-install-recommends ca-certificates dumb-init curl \
  && rm -rf /var/lib/apt/lists/*

 COPY --from=build /usr/src/labrinth/target/release/labrinth /labrinth/labrinth
--- a/apps/labrinth/src/clickhouse/mod.rs
+++ b/apps/labrinth/src/clickhouse/mod.rs
@ -1,5 +1,4 @@
-use hyper_tls::{HttpsConnector, native_tls};
-use hyper_util::client::legacy::connect::HttpConnector;
+use hyper_rustls::HttpsConnectorBuilder;
 use hyper_util::rt::TokioExecutor;

 mod fetch;
@ -15,13 +14,11 @@ pub async fn init_client_with_database(
    database: &str,
 ) -> clickhouse::error::Result<clickhouse::Client> {
    let client = {
-        let mut http_connector = HttpConnector::new();
-        http_connector.enforce_http(false); // allow https URLs
-
-        let tls_connector =
-            native_tls::TlsConnector::builder().build().unwrap().into();
-        let https_connector =
-            HttpsConnector::from((http_connector, tls_connector));
+        let https_connector = HttpsConnectorBuilder::new()
+            .with_native_roots()?
+            .https_or_http()
+            .enable_all_versions()
+            .build();
        let hyper_client =
            hyper_util::client::legacy::Client::builder(TokioExecutor::new())
                .build(https_connector);