Use OpenSSL on macOS systems

Cargo.toml

@@ -54,6 +54,12 @@ winauth = "0.0.4"
 [target.'cfg(unix)'.dependencies]
 libgssapi = { version = "0.4.4", optional = true, default-features = false }
 
+[target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
+tls-impl = { version = "0.2", optional = true, package = "opentls", features = ["io-async-std"]}
+
+[target.'cfg(not(any(target_os = "macos", target_os = "ios")))'.dependencies]
+tls-impl = { version = "0.3", optional = true, package = "async-native-tls", features = ["runtime-async-std"]}
+
 [dependencies.tokio]
 version = "1.0"
 optional = true
@@ -83,10 +89,6 @@ version = "0.3"
 [dependencies.futures-util]
 version = "0.3"
 
-[dependencies.async-native-tls]
-optional = true
-version = "0.3"
-
 [dependencies.tracing]
 features = ["log"]
 version = "0.1"
@@ -141,10 +143,15 @@ all = [
     "bigdecimal"
 ]
 default = ["tls", "tds73"]
-tls = ["async-native-tls"]
+tls = ["tls-impl"]
+vendored-openssl = ["tls-impl/vendored"]
 tds73 = []
 docs = []
 sql-browser-async-std = ["async-std"]
 sql-browser-tokio = ["tokio", "tokio-util"]
 integrated-auth-gssapi = ["libgssapi"]
 bigdecimal = [ "bigdecimal_", "num-bigint" ]
+
+[dependencies.async-native-tls]
+optional = true
+version = "0.3"

README.md

@@ -40,6 +40,7 @@ things:
 | `sql-browser-async-std` | SQL Browser implementation for the `TcpStream` of async-std.                 | `disabled` |
 | `sql-browser-tokio`     | SQL Browser implementation for the `TcpStream` of Tokio.                     | `disabled` |
 | `integrated-auth-gssapi`     | Support for using Integrated Auth via GSSAPI                            | `disabled` |
+| `vendored-openssl` | On Linux and macOS platforms links statically against a vendored version of OpenSSL | `disabled` |
 
 ### Supported protocols
 
@@ -80,7 +81,9 @@ tiberius = { version = "0.X", default-features=false, features=["chrono"] }
 
 #### MacOS Catalina and TLS
 
-Some SQL Server databases, such as the public Docker image use a TLS certificate not accepted by Apple's Secure Transport. For now, to get Tiberius working on macOS Catalina, it is necessary to upgrade your server's certificate into [one supported by Apple](https://support.apple.com/en-ca/HT210176). Additionally using the `NotSupported` variant, or providing `encrypt=DANGER_PLAINTEXT` in the connection string disables TLS completely, and allows development on macOS against a local SQL Server instance.
+Some SQL Server databases, such as the public Docker image use a TLS certificate not accepted by Apple's Secure Transport. Therefore on macOS systems we use OpenSSL instead of Secure Transport, meaning by default Tiberius requires a working OpenSSL installation. By using a feature flag `vendored-openssl` the compilation links statically to a vendored version of OpenSSL, allowing compilation on systems with no OpenSSL installed.
+
+Please be aware of the security implications if deciding to use vendoring.
 
 **This will disable encryption for your ENTIRE crate**  
 

src/client/connection.rs

@@ -29,6 +29,10 @@ use pretty_hex::*;
 use std::ops::Deref;
 use std::{cmp, fmt::Debug, io, pin::Pin, task};
 use task::Poll;
+#[cfg(all(feature = "tls", any(target_os = "macos", target_os = "ios")))]
+use tls_impl::async_io::TlsConnector;
+#[cfg(all(feature = "tls", all(not(target_os = "macos"), not(target_os = "ios"))))]
+use tls_impl::TlsConnector;
 use tracing::{event, Level};
 #[cfg(windows)]
 use winauth::{windows::NtlmSspiBuilder, NextBytes};
@@ -364,7 +368,7 @@ impl<S: AsyncRead + AsyncWrite + Unpin + Send> Connection<S> {
         if encryption != EncryptionLevel::NotSupported {
             event!(Level::INFO, "Performing a TLS handshake");
 
-            let mut builder = async_native_tls::TlsConnector::new();
+            let mut builder = TlsConnector::new();
 
             if trust_cert {
                 event!(

src/client/tls.rs

@@ -3,8 +3,6 @@ use crate::tds::codec::{Decode, Encode, PacketHeader, PacketStatus, PacketType};
 #[cfg(feature = "tls")]
 use crate::tds::HEADER_BYTES;
 #[cfg(feature = "tls")]
-use async_native_tls::TlsStream;
-#[cfg(feature = "tls")]
 use bytes::BytesMut;
 #[cfg(feature = "tls")]
 use futures::ready;
@@ -15,6 +13,10 @@ use std::{
     pin::Pin,
     task::{self, Poll},
 };
+#[cfg(all(feature = "tls", any(target_os = "macos", target_os = "ios")))]
+use tls_impl::async_io::TlsStream;
+#[cfg(all(feature = "tls", all(not(target_os = "macos"), not(target_os = "ios"))))]
+use tls_impl::TlsStream;
 #[cfg(feature = "tls")]
 use tracing::{event, Level};
 

src/error.rs

@@ -70,8 +70,8 @@ impl From<uuid::Error> for Error {
 
 #[cfg(feature = "tls")]
 #[cfg_attr(feature = "docs", doc(cfg(feature = "tls")))]
-impl From<async_native_tls::Error> for Error {
-    fn from(v: async_native_tls::Error) -> Self {
+impl From<tls_impl::Error> for Error {
+    fn from(v: tls_impl::Error) -> Self {
         Error::Tls(format!("{}", v))
     }
 }