Make TLS ciphersuites configurable #887

Open
wants to merge 1 commit into
base: master
9 changes: 9 additions & 0 deletions src/server.rs
Expand Up @@ -12,6 +12,8 @@ use hyper::server::conn::AddrIncoming;
use hyper::service::{make_service_fn, service_fn};
use hyper::Server as HyperServer;
use tokio::io::{AsyncRead, AsyncWrite};
#[cfg(feature = "tls")]
use tokio_rustls::rustls::SupportedCipherSuite;
use tracing::Instrument;

use crate::filter::Filter;
Expand Down Expand Up @@ -490,6 +492,13 @@ where
self.with_tls(|tls| tls.ocsp_resp(resp.as_ref()))
}

/// Specify the ciphersuites to use in preference order.
///
/// *This function requires the `"tls"` feature.*
pub fn ciphersuites(self, ciphersuites: impl AsRef<[&'static SupportedCipherSuite]>) -> Self {
self.with_tls(|tls| tls.ciphersuites(ciphersuites.as_ref()))
}

fn with_tls<Func>(self, func: Func) -> Self
where
Func: FnOnce(TlsConfigBuilder) -> TlsConfigBuilder,
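Review bot: The doc comment on the new public `ciphersuites` method (the hunk at -490,6 +492,13) does not tell callers what they are replacing or what an empty list means, and this is the one knob on the builder that can narrow the server's negotiable suite set. The default in `TlsConfigBuilder::new` is rustls's `ALL_CIPHERSUITES`, and the list is passed straight to `ServerConfig::with_ciphersuites`, so an empty or non-overlapping list is only noticed when handshakes start failing. I would extend the doc to: `/// The list is used as the server's preference order and replaces the default of rustls's ALL_CIPHERSUITES; it must be non-empty, otherwise no handshake can succeed.` The surrounding `impl` block starts and ends outside this hunk, so I can only presume it is gated on the `"tls"` feature like the `SupportedCipherSuite` import above.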
13 changes: 11 additions & 2 deletions src/tls.rs
Expand Up @@ -15,7 +15,7 @@ use hyper::server::conn::{AddrIncoming, AddrStream};
use crate::transport::Transport;
use tokio_rustls::rustls::{
AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
RootCertStore, ServerConfig, TLSError,
RootCertStore, ServerConfig, SupportedCipherSuite, TLSError, ALL_CIPHERSUITES,
};

/// Represents errors that can occur building the TlsConfig
Expand Down Expand Up @@ -65,6 +65,7 @@ pub(crate) struct TlsConfigBuilder {
key: Box<dyn Read + Send + Sync>,
client_auth: TlsClientAuth,
ocsp_resp: Vec<u8>,
ciphersuites: Vec<&'static SupportedCipherSuite>,
}

impl std::fmt::Debug for TlsConfigBuilder {
Expand All @@ -81,6 +82,7 @@ impl TlsConfigBuilder {
cert: Box::new(io::empty()),
client_auth: TlsClientAuth::Off,
ocsp_resp: Vec::new(),
ciphersuites: ALL_CIPHERSUITES.to_vec(),
}
}

Expand Down Expand Up @@ -166,6 +168,12 @@ impl TlsConfigBuilder {
self
}

/// sets the ciphersuites in preference order
pub(crate) fn ciphersuites(mut self, ciphersuites: &[&'static SupportedCipherSuite]) -> Self {
self.ciphersuites = Vec::from(ciphersuites);
self
}

pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
let mut cert_rdr = BufReader::new(self.cert);
let cert = tokio_rustls::rustls::internal::pemfile::certs(&mut cert_rdr)
Expand Down Expand Up @@ -225,7 +233,8 @@ impl TlsConfigBuilder {
}
};

let mut config = ServerConfig::new(client_auth);
let ciphersuites = self.ciphersuites.as_ref();
let mut config = ServerConfig::with_ciphersuites(client_auth, ciphersuites);
config
.set_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
.map_err(|err| TlsConfigError::InvalidKey(err))?;
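Review bot: `build` (whose body starts outside the hunk at -225,7 +233,8) now hands `self.ciphersuites` to `ServerConfig::with_ciphersuites` without checking it, so a caller who passes an empty slice through the new `ciphersuites` setter gets an `Ok(ServerConfig)` that cannot complete any handshake, and the failure surfaces only at connection time with no pointer back to the misconfiguration. Since `build` already returns `Result<ServerConfig, TlsConfigError>`, a guard before the `with_ciphersuites` call would catch this at startup: `if self.ciphersuites.is_empty() { return Err(/* new TlsConfigError variant, e.g. EmptyCipherSuites */); }` — only `InvalidKey` is visible in this page, so the variant would need adding. Separately, `TlsConfigBuilder` has a manual `Debug` impl whose body is not shown here; if it enumerates fields, the new `ciphersuites` field should presumably be included so a misconfigured suite list is visible in logs.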