pingora_boringssl::ssl

Struct ConnectConfiguration

Source 
pub struct ConnectConfiguration { /* private fields */ }
Expand description

A type which allows for configuration of a client-side TLS session before connection.

Implementations§

Source§

impl ConnectConfiguration

Source

pub fn use_server_name_indication(self, use_sni: bool) -> ConnectConfiguration

A builder-style version of set_use_server_name_indication.

Source

pub fn set_use_server_name_indication(&mut self, use_sni: bool)

Configures the use of Server Name Indication (SNI) when connecting.

Defaults to true.

Source

pub fn verify_hostname(self, verify_hostname: bool) -> ConnectConfiguration

A builder-style version of set_verify_hostname.

Source

pub fn set_verify_hostname(&mut self, verify_hostname: bool)

Configures the use of hostname verification when connecting.

Defaults to true.

§Warning

You should think very carefully before you use this method. If hostname verification is not used, any valid certificate for any site will be trusted for use from any other. This introduces a significant vulnerability to man-in-the-middle attacks.

Source

pub fn into_ssl(self, domain: &str) -> Result<Ssl, ErrorStack>

Returns an Ssl configured to connect to the provided domain.

The domain is used for SNI (if it is not an IP address) and hostname verification if enabled.

Source

pub fn setup_connect<S>( self, domain: &str, stream: S, ) -> Result<MidHandshakeSslStream<S>, ErrorStack>
where S: Read + Write,

Initiates a client-side TLS session on a stream.

The domain is used for SNI (if it is not an IP address) and hostname verification if enabled.

This is a convenience method which combines Self::into_ssl and Ssl::setup_connect.

Source

pub fn connect<S>( self, domain: &str, stream: S, ) -> Result<SslStream<S>, HandshakeError<S>>
where S: Read + Write,

Attempts a client-side TLS session on a stream.

The domain is used for SNI (if it is not an IP address) and hostname verification if enabled.

This is a convenience method which combines Self::setup_connect and MidHandshakeSslStream::handshake.

Methods from Deref<Target = SslRef>§

Source

pub fn set_async_custom_verify_callback<F>( &mut self, mode: SslVerifyMode, callback: F, )
where F: Fn(&mut SslRef) -> Result<Pin<Box<dyn Future<Output = Result<Box<dyn FnOnce(&mut SslRef) -> Result<(), SslAlert>>, SslAlert>> + Send>>, SslAlert> + Send + Sync + 'static,

Source

pub fn set_task_waker(&mut self, waker: Option<Waker>)

Sets the task waker to be used in async callbacks installed on this Ssl.

Source

pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack>

This corresponds to SSL_set1_curves_list.

Source

pub fn curve(&self) -> Option<SslCurve>

Returns the SslCurve used for this SslRef.

This corresponds to SSL_get_curve_id.

Source

pub fn error_code(&self, ret: i32) -> ErrorCode

Returns an ErrorCode value for the most recent operation on this SslRef.

This corresponds to SSL_get_error.

Source

pub fn set_verify(&mut self, mode: SslVerifyMode)

Like SslContextBuilder::set_verify.

This corresponds to SSL_set_verify.

Source

pub fn set_verify_depth(&mut self, depth: u32)

Sets the certificate verification depth.

If the peer’s certificate chain is longer than this value, verification will fail.

This corresponds to SSL_set_verify_depth.

Source

pub fn verify_mode(&self) -> SslVerifyMode

Returns the verify mode that was set using set_verify.

This corresponds to SSL_get_verify_mode.

Source

pub fn set_verify_callback<F>(&mut self, mode: SslVerifyMode, callback: F)
where F: Fn(bool, &mut X509StoreContextRef) -> bool + 'static + Sync + Send,

Like SslContextBuilder::set_verify_callback.

Warning: This callback does not replace the default certificate verification process and is, instead, called multiple times in the course of that process. It is very difficult to implement this callback correctly, without inadvertently relying on implementation details or making incorrect assumptions about when the callback is called.

Instead, use SslContextBuilder::set_custom_verify_callback to customize certificate verification. Those callbacks can inspect the peer-sent chain, call X509StoreContextRef::verify_cert and inspect the result, or perform other operations more straightforwardly.

§Panics

This method panics if this Ssl is associated with a RPK context.

This corresponds to SSL_set_verify.

Source

pub fn set_verify_cert_store( &mut self, cert_store: X509Store, ) -> Result<(), ErrorStack>

Sets a custom certificate store for verifying peer certificates.

This corresponds to SSL_set0_verify_cert_store.

Source

pub fn set_custom_verify_callback<F>( &mut self, mode: SslVerifyMode, callback: F, )
where F: Fn(&mut SslRef) -> Result<(), SslVerifyError> + 'static + Sync + Send,

Like SslContextBuilder::set_custom_verify_callback.

§Panics

This method panics if this Ssl is associated with a RPK context.

This corresponds to SSL_set_custom_verify.

Source

pub fn set_tmp_dh(&mut self, dh: &DhRef<Params>) -> Result<(), ErrorStack>

Like SslContextBuilder::set_tmp_dh.

This corresponds to SSL_set_tmp_dh.

Source

pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef<Params>) -> Result<(), ErrorStack>

Like SslContextBuilder::set_tmp_ecdh.

This corresponds to SSL_set_tmp_ecdh.

Source

pub fn set_permute_extensions(&mut self, enabled: bool)

Configures whether ClientHello extensions should be permuted.

This corresponds to SSL_set_permute_extensions.

Note: This is gated to non-fips because the fips feature builds with a separate version of BoringSSL which doesn’t yet include these APIs. Once the submoduled fips commit is upgraded, these gates can be removed.

Source

pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack>

Like SslContextBuilder::set_alpn_protos.

This corresponds to SSL_set_alpn_protos.

Source

pub fn ciphers(&self) -> &StackRef<SslCipher>

Returns the stack of available SslCiphers for SSL, sorted by preference.

This corresponds to SSL_get_ciphers.

Source

pub fn current_cipher(&self) -> Option<&SslCipherRef>

Returns the current cipher if the session is active.

This corresponds to SSL_get_current_cipher.

Source

pub fn state_string(&self) -> &'static str

Returns a short string describing the state of the session.

This corresponds to SSL_state_string.

Source

pub fn state_string_long(&self) -> &'static str

Returns a longer string describing the state of the session.

This corresponds to SSL_state_string_long.

Source

pub fn set_hostname(&mut self, hostname: &str) -> Result<(), ErrorStack>

Sets the host name to be sent to the server for Server Name Indication (SNI).

It has no effect for a server-side connection.

This corresponds to SSL_set_tlsext_host_name.

Source

pub fn peer_certificate(&self) -> Option<X509>

Returns the peer’s certificate, if present.

This corresponds to SSL_get_peer_certificate.

Source

pub fn peer_cert_chain(&self) -> Option<&StackRef<X509>>

Returns the certificate chain of the peer, if present.

On the client side, the chain includes the leaf certificate, but on the server side it does not. Fun!

This corresponds to SSL_get_peer_certificate.

Source

pub fn certificate(&self) -> Option<&X509Ref>

Like [SslContext::certificate].

This corresponds to SSL_get_certificate.

Source

pub fn private_key(&self) -> Option<&PKeyRef<Private>>

Like [SslContext::private_key].

This corresponds to SSL_get_privatekey.

Source

pub fn version(&self) -> &str

👎Deprecated since 0.10.5: renamed to version_str
Source

pub fn version2(&self) -> Option<SslVersion>

Returns the protocol version of the session.

This corresponds to SSL_version.

Source

pub fn version_str(&self) -> &'static str

Returns a string describing the protocol version of the session.

This corresponds to SSL_get_version.

Source

pub fn set_min_proto_version( &mut self, version: Option<SslVersion>, ) -> Result<(), ErrorStack>

Sets the minimum supported protocol version.

If version is None, the default minimum version is used. For BoringSSL this defaults to TLS 1.0.

This corresponds to SSL_set_min_proto_version.

Source

pub fn set_max_proto_version( &mut self, version: Option<SslVersion>, ) -> Result<(), ErrorStack>

Sets the maximum supported protocol version.

If version is None, the default maximum version is used. For BoringSSL this is TLS 1.3.

This corresponds to SSL_set_max_proto_version.

Source

pub fn min_proto_version(&mut self) -> Option<SslVersion>

Gets the minimum supported protocol version.

This corresponds to SSL_get_min_proto_version.

Source

pub fn max_proto_version(&self) -> Option<SslVersion>

Gets the maximum supported protocol version.

This corresponds to SSL_get_max_proto_version.

Source

pub fn selected_alpn_protocol(&self) -> Option<&[u8]>

Returns the protocol selected via Application Layer Protocol Negotiation (ALPN).

The protocol’s name is returned is an opaque sequence of bytes. It is up to the client to interpret it.

This corresponds to SSL_get0_alpn_selected.

Source

pub fn set_tlsext_use_srtp(&mut self, protocols: &str) -> Result<(), ErrorStack>

Enables the DTLS extension “use_srtp” as defined in RFC5764.

This corresponds to SSL_set_tlsext_use_srtp.

Source

pub fn srtp_profiles(&self) -> Option<&StackRef<SrtpProtectionProfile>>

Gets all SRTP profiles that are enabled for handshake via set_tlsext_use_srtp

DTLS extension “use_srtp” as defined in RFC5764 has to be enabled.

This corresponds to SSL_get_strp_profiles.

Source

pub fn selected_srtp_profile(&self) -> Option<&SrtpProtectionProfileRef>

Gets the SRTP profile selected by handshake.

DTLS extension “use_srtp” as defined in RFC5764 has to be enabled.

This corresponds to SSL_get_selected_srtp_profile.

Source

pub fn pending(&self) -> usize

Returns the number of bytes remaining in the currently processed TLS record.

If this is greater than 0, the next call to read will not call down to the underlying stream.

This corresponds to SSL_pending.

Source

pub fn servername(&self, type_: NameType) -> Option<&str>

Returns the servername sent by the client via Server Name Indication (SNI).

It is only useful on the server side.

§Note

While the SNI specification requires that servernames be valid domain names (and therefore ASCII), OpenSSL does not enforce this restriction. If the servername provided by the client is not valid UTF-8, this function will return None. The servername_raw method returns the raw bytes and does not have this restriction.

This corresponds to SSL_get_servername.

Source

pub fn servername_raw(&self, type_: NameType) -> Option<&[u8]>

Returns the servername sent by the client via Server Name Indication (SNI).

It is only useful on the server side.

§Note

Unlike servername, this method does not require the name be valid UTF-8.

This corresponds to SSL_get_servername.

Source

pub fn set_ssl_context(&mut self, ctx: &SslContextRef) -> Result<(), ErrorStack>

Changes the context corresponding to the current connection.

It is most commonly used in the Server Name Indication (SNI) callback.

This corresponds to SSL_set_SSL_CTX.

Source

pub fn ssl_context(&self) -> &SslContextRef

Returns the context corresponding to the current connection.

This corresponds to SSL_get_SSL_CTX.

Source

pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef

Returns a mutable reference to the X509 verification configuration.

This corresponds to SSL_get0_param.

Source

pub fn param_mut(&mut self) -> &mut X509VerifyParamRef

See Self::verify_param_mut.

Source

pub fn verify_result(&self) -> Result<(), X509VerifyError>

Returns the certificate verification result.

This corresponds to SSL_get_verify_result.

Source

pub fn session(&self) -> Option<&SslSessionRef>

Returns a shared reference to the SSL session.

This corresponds to SSL_get_session.

Source

pub fn client_random(&self, buf: &mut [u8]) -> usize

Copies the client_random value sent by the client in the TLS handshake into a buffer.

Returns the number of bytes copied, or if the buffer is empty, the size of the client_random value.

This corresponds to SSL_get_client_random.

Source

pub fn server_random(&self, buf: &mut [u8]) -> usize

Copies the server_random value sent by the server in the TLS handshake into a buffer.

Returns the number of bytes copied, or if the buffer is empty, the size of the server_random value.

This corresponds to SSL_get_server_random.

Source

pub fn export_keying_material( &self, out: &mut [u8], label: &str, context: Option<&[u8]>, ) -> Result<(), ErrorStack>

Derives keying material for application use in accordance to RFC 5705.

This corresponds to SSL_export_keying_material.

Source

pub unsafe fn set_session( &mut self, session: &SslSessionRef, ) -> Result<(), ErrorStack>

Sets the session to be used.

This should be called before the handshake to attempt to reuse a previously established session. If the server is not willing to reuse the session, a new one will be transparently negotiated.

§Safety

The caller of this method is responsible for ensuring that the session is associated with the same SslContext as this Ssl.

This corresponds to SSL_set_session.

Source

pub fn session_reused(&self) -> bool

Determines if the session provided to set_session was successfully reused.

This corresponds to SSL_session_reused.

Source

pub fn set_status_type(&mut self, type_: StatusType) -> Result<(), ErrorStack>

Sets the status response a client wishes the server to reply with.

This corresponds to SSL_set_tlsext_status_type.

Source

pub fn ocsp_status(&self) -> Option<&[u8]>

Returns the server’s OCSP response, if present.

This corresponds to SSL_get_tlsext_status_ocsp_resp.

Source

pub fn set_ocsp_status(&mut self, response: &[u8]) -> Result<(), ErrorStack>

Sets the OCSP response to be returned to the client.

This corresponds to SSL_set_tlsext_status_ocsp_resp.

Source

pub fn is_server(&self) -> bool

Determines if this Ssl is configured for server-side or client-side use.

This corresponds to SSL_is_server.

Source

pub fn set_ex_data<T>(&mut self, index: Index<Ssl, T>, data: T)

Sets the extra data at the specified index.

This can be used to provide data to callbacks registered with the context. Use the Ssl::new_ex_index method to create an Index.

Note that if this method is called multiple times with the same index, any previous value stored in the SslContextBuilder will be leaked.

This corresponds to SSL_set_ex_data.

Source

pub fn replace_ex_data<T>(&mut self, index: Index<Ssl, T>, data: T) -> Option<T>

Sets or overwrites the extra data at the specified index.

This can be used to provide data to callbacks registered with the context. Use the Ssl::new_ex_index method to create an Index.

Any previous value will be dropped and replaced by the new one.

This corresponds to SSL_set_ex_data.

Source

pub fn ex_data<T>(&self, index: Index<Ssl, T>) -> Option<&T>

Returns a reference to the extra data at the specified index.

This corresponds to SSL_get_ex_data.

Source

pub fn ex_data_mut<T>(&mut self, index: Index<Ssl, T>) -> Option<&mut T>

Returns a mutable reference to the extra data at the specified index.

This corresponds to SSL_get_ex_data.

Source

pub fn finished(&self, buf: &mut [u8]) -> usize

Copies the contents of the last Finished message sent to the peer into the provided buffer.

The total size of the message is returned, so this can be used to determine the size of the buffer required.

This corresponds to SSL_get_finished.

Source

pub fn peer_finished(&self, buf: &mut [u8]) -> usize

Copies the contents of the last Finished message received from the peer into the provided buffer.

The total size of the message is returned, so this can be used to determine the size of the buffer required.

This corresponds to SSL_get_peer_finished.

Source

pub fn is_init_finished(&self) -> bool

Determines if the initial handshake has been completed.

This corresponds to SSL_is_init_finished.

Source

pub fn set_mtu(&mut self, mtu: u32) -> Result<(), ErrorStack>

Sets the MTU used for DTLS connections.

This corresponds to SSL_set_mtu.

Source

pub fn set_certificate(&mut self, cert: &X509Ref) -> Result<(), ErrorStack>

Sets the certificate.

This corresponds to SSL_use_certificate.

Source

pub fn set_client_ca_list(&mut self, list: Stack<X509Name>)

Sets the list of CA names sent to the client.

The CA certificates must still be added to the trust root - they are not automatically set as trusted by this method.

This corresponds to SSL_set_client_CA_list.

Source

pub fn set_private_key<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>
where T: HasPrivate,

Sets the private key.

This corresponds to SSL_use_PrivateKey.

Source

pub fn set_mode(&mut self, mode: SslMode) -> SslMode

Enables all modes set in mode in SSL. Returns a bitmask representing the resulting enabled modes.

This corresponds to SSL_set_mode.

Source

pub fn clear_mode(&mut self, mode: SslMode) -> SslMode

Disables all modes set in mode in SSL. Returns a bitmask representing the resulting enabled modes.

This corresponds to SSL_clear_mode.

Source

pub fn add_chain_cert(&mut self, cert: &X509Ref) -> Result<(), ErrorStack>

Appends cert to the chain associated with the current certificate of SSL.

This corresponds to SSL_add1_chain_cert.

Trait Implementations§

Source§

impl Deref for ConnectConfiguration

Source§

type Target = SslRef

The resulting type after dereferencing.
Source§

fn deref(&self) -> &SslRef

Dereferences the value.
Source§

impl DerefMut for ConnectConfiguration

Source§

fn deref_mut(&mut self) -> &mut SslRef

Mutably dereferences the value.

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.