Update tokio-rustls to 0.26.4, rustls to 0.23 (#12837)

tomasol · pchickey · web-flow · commit 6ce71e924758 · 2026-03-26T21:40:07.000Z
* Update `tokio-rustls` to 0.26.4, `rustls` to 0.23

This updates `rustls-webpki` from 0.102.x, which is vulnerable to
incorrect CRL distribution point matching (RUSTSEC-2026-0049),
to 0.103.10. Uses `ring` as the crypto backend to preserve existing
dependencies.

* cargo vets for update to rustls

We had previously exempted rustls, rustls-webpki, and tokio-rustls from
vetting. The exempted versions have been updated.

We were able to pull in a vet from mozilla for zeroize, which had
previously been exempted. I audited the (small) diff from the imported
audit version.

---------

Co-authored-by: Pat Hickey &lt;p.hickey@f5.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -426,8 +426,8 @@ libtest-mimic = "0.8.1"
 semver = { version = "1.0.27", default-features = false }
 ittapi = "0.4.0"
 libm = "0.2.16"
-tokio-rustls = "0.25.0"
-rustls = "0.22.0"
+tokio-rustls = { version = "0.26.4", default-features = false, features = ["ring", "tls12", "logging"] }
+rustls = { version = "0.23", default-features = false, features = ["ring", "tls12", "logging"] }
 tokio-native-tls = "0.3.1"
 native-tls = "0.2.11"
 tokio-openssl = "0.6.5"
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -6592,6 +6592,11 @@ who = "Nick Fitzgerald <fitzgen@gmail.com>"
 criteria = "safe-to-deploy"
 delta = "0.1.3 -> 0.1.5"
 
+[[audits.zeroize]]
+who = "Pat Hickey <p.hickey@f5.com>"
+criteria = "safe-to-deploy"
+delta = "1.8.1 -> 1.8.2"
+
 [[audits.zstd]]
 who = "Alex Crichton <alex@alexcrichton.com>"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
@@ -468,6 +468,10 @@ criteria = "safe-to-deploy"
 version = "0.22.4"
 criteria = "safe-to-deploy"
 
+[[exemptions.rustls]]
+version = "0.23.37"
+criteria = "safe-to-deploy"
+
 [[exemptions.rustls-pki-types]]
 version = "1.3.1"
 criteria = "safe-to-deploy"
@@ -476,6 +480,10 @@ criteria = "safe-to-deploy"
 version = "0.102.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.rustls-webpki]]
+version = "0.103.10"
+criteria = "safe-to-deploy"
+
 [[exemptions.rusty-fork]]
 version = "0.3.0"
 criteria = "safe-to-deploy"
@@ -528,6 +536,10 @@ criteria = "safe-to-deploy"
 version = "0.25.0"
 criteria = "safe-to-deploy"
 
+[[exemptions.tokio-rustls]]
+version = "0.26.4"
+criteria = "safe-to-deploy"
+
 [[exemptions.typenum]]
 version = "1.15.0"
 criteria = "safe-to-deploy"
@@ -564,10 +576,6 @@ criteria = "safe-to-deploy"
 version = "0.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.zeroize]]
-version = "1.7.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.zip]]
 version = "0.6.6"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
@@ -3697,6 +3697,16 @@ criteria = "safe-to-deploy"
 version = "0.1.3"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.zeroize]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.8.1"
+notes = """
+This code DOES contain unsafe code required to internally call volatiles
+for deleting data. This is expected and documented behavior.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.zerovec]]
 who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
 criteria = "safe-to-deploy"
