fix: use rustls for https client support

Pulls in a dependency on `rustls` to configure the TLS config for HTTPS
clients. Refactored the `pd_channel` logic into a reusable class method.

Cargo.toml

@@ -212,6 +212,7 @@ rand_chacha                      = { version = "0.3.1" }
 rand_core                        = { version = "0.6.4" }
 regex                            = { version = "1.8.1" }
 rocksdb                          = { version = "0.21.0" }
+rustls                           = { version = "0.23.21" }
 serde                            = { version = "1.0.186" }
 serde_json                       = { version = "1.0.96" }
 serde_unit_struct                = { version = "0.1" }

crates/bin/pcli/Cargo.toml

@@ -88,6 +88,7 @@ rand_chacha = {workspace = true}
 rand_core = {workspace = true, features = ["getrandom"]}
 regex = {workspace = true}
 rpassword = "7"
+rustls = {workspace = true}
 serde = {workspace = true, features = ["derive"]}
 serde_json = {workspace = true}
 serde_with = {workspace = true, features = ["hex"]}

crates/bin/pcli/src/command/tx.rs

@@ -1409,7 +1409,7 @@ impl TxCmd {
 
                 let mut noble_client = CosmosServiceClient::new(
                     Channel::from_shared(noble_node.to_string())?
-                        .tls_config(ClientTlsConfig::new())?
+                        .tls_config(ClientTlsConfig::new().with_webpki_roots())?
                         .connect()
                         .await?,
                 );

crates/bin/pcli/src/main.rs

@@ -5,6 +5,7 @@ use std::fs;
 
 use anyhow::{Context, Result};
 use clap::Parser;
+use rustls::crypto::aws_lc_rs;
 
 use pcli::{command::*, opt::Opt};
 
@@ -21,6 +22,12 @@ async fn main() -> Result<()> {
     // that tracing is set up even for wallet commands that don't build the `App`.
     opt.init_tracing();
 
+    // Initialize HTTPS support
+    // rustls::crypto::aws_lc_rs::default_provider().install_default();
+    aws_lc_rs::default_provider()
+        .install_default()
+        .expect("failed to initialize rustls support, via aws-lc-rs");
+
     //Ensure that the data_path exists, in case this is a cold start
     fs::create_dir_all(&opt.home)
         .with_context(|| format!("Failed to create home directory {}", opt.home))?;

crates/bin/pcli/src/network.rs

@@ -10,9 +10,9 @@ use penumbra_proto::{
 };
 use penumbra_stake::validator::Validator;
 use penumbra_transaction::{txhash::TransactionId, Transaction, TransactionPlan};
-use penumbra_view::ViewClient;
+use penumbra_view::{ViewClient, ViewServer};
 use std::{fs, future::Future};
-use tonic::transport::{Channel, ClientTlsConfig};
+use tonic::transport::Channel;
 use tracing::instrument;
 
 use crate::App;
@@ -177,19 +177,12 @@ impl App {
         Ok(())
     }
 
-    // TODO: why do we need this here but not in the view crate?
+    /// Convenience method for obtaining a `tonic::Channel` for the remote
+    /// `pd` endpoint, as configured for `pcli`.
     pub async fn pd_channel(&self) -> anyhow::Result<Channel> {
-        match self.config.grpc_url.scheme() {
-            "http" => Ok(Channel::from_shared(self.config.grpc_url.to_string())?
-                .connect()
-                .await?),
-            "https" => Ok(Channel::from_shared(self.config.grpc_url.to_string())?
-                .tls_config(ClientTlsConfig::new())?
-                .connect()
-                .await?),
-            other => Err(anyhow::anyhow!("unknown url scheme {other}"))
-                .with_context(|| format!("could not connect to {}", self.config.grpc_url)),
-        }
+        ViewServer::get_pd_channel(self.config.grpc_url.clone())
+            .await
+            .context(format!("could not connect to {}", self.config.grpc_url))
     }
 
     pub async fn tendermint_proxy_client(

crates/bin/pclientd/Cargo.toml

@@ -38,6 +38,7 @@ penumbra-view = {workspace = true}
 prost = {workspace = true}
 rand = {workspace = true}
 rand_core = {workspace = true, features = ["getrandom"]}
+rustls = {workspace = true}
 serde = {workspace = true, features = ["derive"]}
 serde_json = {workspace = true}
 serde_with = {workspace = true, features = ["hex"]}

crates/bin/pclientd/src/lib.rs

@@ -298,11 +298,7 @@ impl Opt {
                     .load_or_init_sqlite(&config.full_viewing_key, &config.grpc_url)
                     .await?;
 
-                let proxy_channel =
-                    tonic::transport::Channel::from_shared(config.grpc_url.to_string())
-                        .expect("this is a valid address")
-                        .connect()
-                        .await?;
+                let proxy_channel = ViewServer::get_pd_channel(config.grpc_url.clone()).await?;
 
                 let app_query_proxy = AppQueryProxy(proxy_channel.clone());
                 let governance_query_proxy = GovernanceQueryProxy(proxy_channel.clone());

crates/bin/pclientd/src/main.rs

@@ -3,6 +3,7 @@ use std::io::IsTerminal as _;
 
 use anyhow::Result;
 use clap::Parser;
+use rustls::crypto::aws_lc_rs;
 use tracing_subscriber::{prelude::*, EnvFilter};
 
 use pclientd::Opt;
@@ -24,5 +25,11 @@ async fn main() -> Result<()> {
 
     let opt = Opt::parse();
 
+    // Initialize HTTPS support
+    // rustls::crypto::aws_lc_rs::default_provider().install_default();
+    aws_lc_rs::default_provider()
+        .install_default()
+        .expect("failed to initialize rustls support, via aws-lc-rs");
+
     opt.exec().await
 }

crates/bin/pmonitor/Cargo.toml

@@ -31,6 +31,7 @@ penumbra-stake = {workspace = true, default-features = false}
 penumbra-tct = {workspace = true, default-features = false}
 penumbra-view = {workspace = true}
 regex = {workspace = true}
+rustls = {workspace = true}
 serde = {workspace = true, features = ["derive"]}
 serde_json = {workspace = true}
 tokio = {workspace = true, features = ["full"]}

crates/bin/pmonitor/src/main.rs

@@ -20,10 +20,11 @@ use clap::{self, Parser};
 use directories::ProjectDirs;
 use futures::StreamExt;
 use penumbra_asset::STAKING_TOKEN_ASSET_ID;
+use rustls::crypto::aws_lc_rs;
 use std::fs;
 use std::io::IsTerminal as _;
 use std::str::FromStr;
-use tonic::transport::{Channel, ClientTlsConfig};
+use tonic::transport::Channel;
 use tracing_subscriber::{prelude::*, EnvFilter};
 use url::Url;
 use uuid::Uuid;
@@ -86,6 +87,12 @@ fn init_tracing() -> anyhow::Result<()> {
 async fn main() -> Result<()> {
     let opt = Opt::parse();
     init_tracing()?;
+
+    // Initialize HTTPS support
+    aws_lc_rs::default_provider()
+        .install_default()
+        .expect("failed to initialize rustls support, via aws-lc-rs");
+
     tracing::info!(?opt, version = env!("CARGO_PKG_VERSION"), "running command");
     opt.exec().await
 }
@@ -226,21 +233,6 @@ impl Opt {
         compact_block.try_into()
     }
 
-    /// Stolen from pcli
-    pub async fn pd_channel(&self, grpc_url: Url) -> anyhow::Result<Channel> {
-        match grpc_url.scheme() {
-            "http" => Ok(Channel::from_shared(grpc_url.to_string())?
-                .connect()
-                .await?),
-            "https" => Ok(Channel::from_shared(grpc_url.to_string())?
-                .tls_config(ClientTlsConfig::new())?
-                .connect()
-                .await?),
-            other => Err(anyhow::anyhow!("unknown url scheme {other}"))
-                .with_context(|| format!("could not connect to {}", grpc_url)),
-        }
-    }
-
     /// Create wallet given a path and fvk
     pub async fn create_wallet(
         &self,
@@ -403,7 +395,7 @@ impl Opt {
                     ))?)?;
 
                 let mut stake_client = StakeQueryServiceClient::new(
-                    self.pd_channel(pmonitor_config.grpc_url()).await?,
+                    ViewServer::get_pd_channel(pmonitor_config.grpc_url()).await?,
                 );
 
                 // Sync each wallet to the latest block height, check for new migrations, and check the balance.

crates/misc/measure/Cargo.toml

@@ -21,6 +21,7 @@ indicatif = {workspace = true}
 penumbra-compact-block = {workspace = true, default-features = false}
 penumbra-proto = {workspace = true, features = ["rpc"], default-features = true}
 penumbra-view = {workspace = true}
+rustls = {workspace = true}
 serde_json = {workspace = true}
 tokio = {workspace = true, features = ["full"]}
 tonic = {workspace = true, features = ["tls"]}