Upcoming change with crates.io, SNI support required

Good morning! Heroku (where crates.io is hosted) announced awhile ago that SSL is available through SNI and will be gaining extra features in the future. We’ve also received a request internally from Mozilla to move over to this system. Currently crates.io has an “endpoint” SSL configuration meaning we have a dedicated IP for crates.io and SSL connections.

The downside of this transition, however, is that SNI will be required to connect to crates.io. SNI is a pretty old feature at this point and Heroku has a nifty compatibility chart. Seeing how crates.io is not primarily accessed through browsers, however, I’d like to both canvas the community and give everyone a heads up about this change.

If you answer yes to any of these questions, please take a moment to test things out! (instructions below)

• Do you access crates.io with a tool that’s not Cargo?
• Do you access crates.io with a non-official Cargo binary?
• Do you visit crates.io with an ancient tool/browser?

If you visit crates.io in a modern browser and/or otherwise use official Cargo builds, then you should have nothing to worry about. If you answered “yes” to any of those questions, however, you may wish to verify to see if your tool/browser supports SNI.

Eventually I’ll change the DNS for crates.io to point to crates.io.herokudns.com. You can test out this change locally by forcing crates.io to resolve to the IPs that crates.io.herokudns.com. If you’re on Linux/OSX you can test this out as follows.

First, you can determine an IP:

host crates.io.herokudns.com

If a number of IP addresses are returned, you can just copy one. Next, open up /etc/hosts and add this line:

$ip crates.io

For example I added this locally:

184.72.248.171 crates.io

Next, you can access crates.io with your tool locally. For example I ran cargo update && cargo fetch.

Please respond here or otherwise contact me if any issues arise! We’d like to make this transition in the next week or so, and we’d ideally like to ensure there are no service disruptions along the way!

Oh so I just realized that we didn’t actually have a record for www.crates.io previously, so I’ve set it up to point to Heroku’s SNI infrastructure.

If you’re curious if your browser works, you can visit https://www.crates.io and if it works then you’re good and if not let me know!

This trick can work for Windows too. The hosts file is at C:\Windows\System32\drivers\etc\hosts and has the same layout.

Oh awesome, thanks for the tip!

The SNI wiki page has a nice Support chart too. For tooling, I notice that SNI was added in cURL 7.18.1 and wget 1.14 – these versions are covered in RHEL6+, but not RHEL5. A lot of the language support (Perl, Python, Ruby) is only covered in RHEL7.

That said, I think this will still be OK for us.

Ok I’m going to flip the switch by updating our DNS. The old infrastructure will continue to be in place though so we can switch back if necessary. If any problems arise, please let me know!

Hmm, it does mean that RHEL5 can no longer install with curl https://sh.rustup.rs -sSf | sh. But I downloaded rustup-init elsewhere and transferred it, and from there everything works fine.

RHEL5 is EOL on March 31st, will rustup need to continue to support it?

Well, technically it goes into ELS, “I’m not dead yet!” But it doesn’t bother me if this isn’t supported. I only noticed because I’m trying to figure out rust#37874 which fails on EL6, but works on EL7 and EL5.

@cuviper FWIW rustup has always require SNI I believe

Really? Guess I just never tried it.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.