Beta testing rustup.rs

rustup 0.1.9 is out. This release includes a critical security fix, so please upgrade.

In this case rustup wasn’t doing TLS hostname verification, which is absolutely required for TLS to be secure. Hyper uses OpenSSL for TLS by default but at this point doesn’t implement hostname verification.

To solve this I used @sfackler’s new rust-native-tls crate. This provides TLS backed by the most appropriate implementation for each platform, including Windows’ schannel and OS X’s security framework. Most importantly it includes a hostname verifier for OpenSSL. Here’s where it’s wired up to Hyper.

For those using Hyper this is probably the right way to set up TLS at the moment. It’s so important to get this right that I expect it will get easier to do quickly.

Thanks @seanmonstar and @sfackler for helping me sort this out.

0.1.9

2 Likes
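
The hostname check described in the post above, as an added example that is not code from rustup, Hyper or rust-native-tls: after the certificate chain is trusted, the client must still confirm that the certificate names the host it asked for. The function names and sample names are hypothetical, and the matcher is a simplified RFC 6125 style comparison for DNS names only (no IP addresses or internationalized names).

```rust
// Added example: simplified DNS-name matching as done by a TLS hostname verifier.
// All names and sample data here are constructed for illustration.

/// Returns true if one certificate dNSName entry `pattern` covers `host`.
fn dns_name_matches(pattern: &str, host: &str) -> bool {
    // DNS names compare case-insensitively; ignore a trailing root dot.
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    match pattern.strip_prefix("*.") {
        // Wildcard is accepted only as the entire left-most label.
        Some(suffix) => {
            // Reject "*.com" style patterns and any second wildcard.
            if suffix.contains('*') || !suffix.contains('.') {
                return false;
            }
            // The wildcard stands for exactly one non-empty label.
            match host.split_once('.') {
                Some((first, rest)) => !first.is_empty() && rest == suffix,
                None => false,
            }
        }
        // No wildcard prefix: exact match, partial wildcards like "f*" rejected.
        None => !pattern.contains('*') && pattern == host,
    }
}

/// The step that was missing: a trusted chain is not enough, the
/// certificate must also name the host the client requested.
fn verify_hostname(san_dns_names: &[&str], requested_host: &str) -> bool {
    san_dns_names.iter().any(|p| dns_name_matches(p, requested_host))
}

fn main() {
    // Constructed SAN lists: a valid certificate for some other site,
    // and the certificate the client actually expects.
    let other_site = ["www.example.org", "example.org"];
    let expected = ["static.example.com", "*.example.com"];
    for (label, sans) in [("other site's cert", &other_site), ("expected cert", &expected)] {
        println!("{}: accepted = {}", label, verify_hostname(sans, "static.example.com"));
    }
}
```

Without this step, the first certificate would be accepted for `static.example.com` simply because it chains to a trusted root.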