Remove dependency on preinstalled OpenSSL

Recently, one of my projects failed on Travis. This was because Travis still uses Ubuntu Xenial (16.04) as their default build environment, and the prebuilt Zola executable from GitHub releases uses a different version of OpenSSL than the build environment provides. This is somewhat contrary to the batteries-included approach of Zola.

This is why I am proposing to change this dependency. It is coming from reqwest, which offers the following cargo features:

  • default-tls: Uses native-tls, default and currently used by Zola.
  • default-tls-vendored: Uses native-tls/vendored, which builds the SSL library from source, removing the runtime dependency.
  • rustls-tls: Uses Rustls, which also eliminates runtime dependencies.

Maybe Zola itself could just offer all of these features, or a selection of them.

Rustls does not support as many encryption protocols as the native SSL libraries, so it may not be suitable when the linkchecker tries to reach a site that still uses outdated encryption.

Either way, at least the GitHub releases binaries should be as portable as possible, which would be achieved using one of the last two options.

Any idea how often the outdated encryption protocols not supported by Rustls are seen in the wild? With default-tls-vendored it sounds like users would have to have the environment set up to build OpenSSL, which might be tricky.

Here are some statistics. I can say from my own experience that I had to switch to native-tls in a personal project, because it involved a not very up-to-date webserver. It would be too risky to reject all outdated websites by default.

As for native-tls-vendored, there should be nothing more to set up than a C compiler, which you already need when you compile Zola (see sass-rs, which builds libsass). The build script of native-tls takes care of everything else. It would not make building Zola any different.

Maybe the following would be a good setup: Expose all three features (native-tls, native-tls-vendored and rustls-tls) and set native-tls-vendored as the default. This way it would truly be batteries-included and everyone would still have the choice. For example, package maintainers would probably choose native-tls.
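
The setup proposed in the last comment, sketched as a Cargo manifest fragment. This is an added example, not part of the thread and not Zola's actual manifest. The feature names on the left are the ones proposed above, the reqwest feature names on the right are taken from the list in the issue, and the version string is a placeholder.

```toml
# Cargo.toml fragment (constructed for illustration)

[dependencies]
# "VERSION" is a placeholder: keep the reqwest version the project already pins.
# default-features = false is the important part: without it, reqwest's own
# default (default-tls) stays enabled no matter which feature is chosen below,
# and the binary keeps its runtime dependency on the system OpenSSL.
# Any other reqwest features the project relies on must then be listed explicitly.
reqwest = { version = "VERSION", default-features = false }

[features]
# Proposed default: OpenSSL is built from source and linked statically.
default = ["native-tls-vendored"]
# Dynamically linked system TLS library, e.g. for distribution packagers who
# want security updates to arrive through the system package.
native-tls = ["reqwest/default-tls"]
native-tls-vendored = ["reqwest/default-tls-vendored"]
# Rustls backend: reqwest no longer needs OpenSSL at all.
rustls-tls = ["reqwest/rustls-tls"]

# Selecting a backend at build time:
#   cargo build --release                                               # vendored OpenSSL
#   cargo build --release --no-default-features --features native-tls   # system OpenSSL
#   cargo build --release --no-default-features --features rustls-tls   # Rustls
```

Cargo features are additive, so a build that enables the system-library feature without `--no-default-features` still compiles the vendored OpenSSL. A vendored build also freezes the OpenSSL version into the binary, so OpenSSL security fixes reach users only through a new release.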