Add native-tls backend for wasi-tls

.github/workflows/main.yml

@@ -393,6 +393,11 @@ jobs:
               -p wasmtime-c-api --no-default-features
               -p wasmtime-c-api --no-default-features --features wat
               -p wasmtime-c-api --no-default-features --features wasi
+
+          - name: wasmtime-wasi-tls
+            checks: |
+              -p wasmtime-wasi-tls --no-default-features --features rustls
+              -p wasmtime-wasi-tls --no-default-features --features nativetls
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

Cargo.toml

@@ -234,7 +234,7 @@ wasmtime-wasi-nn = { path = "crates/wasi-nn", version = "35.0.0" }
 wasmtime-wasi-config = { path = "crates/wasi-config", version = "35.0.0" }
 wasmtime-wasi-keyvalue = { path = "crates/wasi-keyvalue", version = "35.0.0" }
 wasmtime-wasi-threads = { path = "crates/wasi-threads", version = "35.0.0" }
-wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0" }
+wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0", default-features = false }
 wasmtime-wast = { path = "crates/wast", version = "=35.0.0" }
 
 # Internal Wasmtime-specific crates.
@@ -399,6 +399,8 @@ ittapi = "0.4.0"
 libm = "0.2.7"
 tokio-rustls = "0.25.0"
 rustls = "0.22.0"
+tokio-native-tls = "0.3.1"
+native-tls = "0.2.11"
 webpki-roots = "0.26.0"
 itertools = "0.14.0"
 base64 = "0.22.1"
@@ -437,6 +439,7 @@ default = [
   "wasi-config",
   "wasi-keyvalue",
   "wasi-tls",
+  "wasi-tls-rustls",
 
   # Most features of Wasmtime are enabled by default.
   "wat",
@@ -477,6 +480,7 @@ trace-log = ["wasmtime/trace-log"]
 memory-protection-keys = ["wasmtime-cli-flags/memory-protection-keys"]
 profile-pulley = ["wasmtime/profile-pulley"]
 component-model-async = ["wasmtime-cli-flags/component-model-async", "component-model"]
+wasi-tls-nativetls = ["wasi-tls", "wasmtime-wasi-tls/nativetls"]
 
 # This feature, when enabled, will statically compile out all logging statements
 # throughout Wasmtime and its dependencies.
@@ -489,6 +493,7 @@ disable-logging = ["log/max_level_off", "tracing/max_level_off"]
 # the internal mapping for what they enable in Wasmtime itself.
 wasi-nn = ["dep:wasmtime-wasi-nn"]
 wasi-tls = ["dep:wasmtime-wasi-tls"]
+wasi-tls-rustls = ["wasi-tls", "wasmtime-wasi-tls/rustls"]
 wasi-threads = ["dep:wasmtime-wasi-threads", "threads"]
 wasi-http = ["component-model", "dep:wasmtime-wasi-http", "dep:tokio", "dep:hyper"]
 wasi-config = ["dep:wasmtime-wasi-config"]

crates/cli-flags/src/lib.rs

@@ -438,6 +438,8 @@ wasmtime_option_group! {
         pub tcplisten: Vec<String>,
         /// Enable support for WASI TLS (Transport Layer Security) imports (experimental)
         pub tls: Option<bool>,
+        /// Which TLS provider to use for the wasi-tls interface. Either `rustls` or `nativetls`.
+        pub tls_provider: Option<String>,
         /// Implement WASI Preview1 using new Preview2 implementation (true, default) or legacy
         /// implementation (false)
         pub preview2: Option<bool>,

crates/test-programs/src/bin/tls_sample_application.rs

@@ -7,8 +7,9 @@ use test_programs::wasi::tls::types::ClientHandshake;
 const PORT: u16 = 443;
 
 fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
-    let request =
-        format!("GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\n\r\n");
+    let request = format!(
+        "GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\nConnection: close\r\n\r\n"
+    );
 
     let net = Network::default();
 
@@ -25,13 +26,13 @@ fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
     tls_output
         .blocking_write_util(request.as_bytes())
         .context("writing http request failed")?;
-    client_connection
-        .blocking_close_output(&tls_output)
-        .context("closing tls connection failed")?;
-    socket.shutdown(ShutdownType::Send)?;
     let response = tls_input
         .blocking_read_to_end()
         .context("reading http response failed")?;
+    client_connection
+        .blocking_close_output(&tls_output)
+        .context("closing tls connection failed")?;
+    socket.shutdown(ShutdownType::Both)?;
 
     if String::from_utf8(response)?.contains("HTTP/1.1 200 OK") {
         Ok(())
@@ -55,7 +56,7 @@ fn test_tls_invalid_certificate(_domain: &str, ip: IpAddress) -> Result<()> {
 
     match ClientHandshake::new(BAD_DOMAIN, tcp_input, tcp_output).blocking_finish() {
         // We're expecting an error regarding the "certificate" is some form or
-        // another. When we add more TLS backends other than rustls, this naive
+        // another. When we add more TLS backends this naive
         // check will likely need to be revisited/expanded:
         Err(e) if e.to_debug_string().contains("certificate") => Ok(()),
 

crates/wasi-tls/Cargo.toml

@@ -11,20 +11,29 @@ description = "Wasmtime implementation of the wasi-tls API"
 [lints]
 workspace = true
 
+[features]
+default = ["rustls"]
+rustls = ["dep:rustls", "dep:tokio-rustls", "dep:webpki-roots"]
+nativetls = ["dep:native-tls", "dep:tokio-native-tls"]
+
 [dependencies]
 anyhow = { workspace = true }
 bytes = { workspace = true }
 tokio = { workspace = true, features = [
     "net",
     "rt-multi-thread",
     "time",
+    "io-util",
 ] }
 wasmtime = { workspace = true, features = ["runtime", "component-model"] }
 wasmtime-wasi = { workspace = true }
-tokio-rustls = { workspace = true }
-rustls = { workspace = true }
-webpki-roots = { workspace = true }
+cfg-if = { workspace = true }
 
+tokio-rustls = { workspace = true, optional = true }
+rustls = { workspace = true, optional = true }
+webpki-roots = { workspace = true, optional = true }
+tokio-native-tls = { workspace = true, optional = true }
+native-tls = { workspace = true, optional = true }
 
 [dev-dependencies]
 test-programs-artifacts = { workspace = true }

crates/wasi-tls/src/bindings.rs

@@ -0,0 +1,21 @@
+//! Auto-generated bindings.
+
+#[expect(missing_docs, reason = "bindgen-generated code")]
+mod generated {
+    wasmtime::component::bindgen!({
+        path: "wit",
+        world: "wasi:tls/imports",
+        with: {
+            "wasi:io": wasmtime_wasi::p2::bindings::io,
+            "wasi:tls/types/client-connection": crate::HostClientConnection,
+            "wasi:tls/types/client-handshake": crate::HostClientHandshake,
+            "wasi:tls/types/future-client-streams": crate::HostFutureClientStreams,
+        },
+        trappable_imports: true,
+        async: {
+            only_imports: [],
+        }
+    });
+}
+
+pub use generated::wasi::tls::*;