feat: use rustls

This commit is contained in:
Christof Weickhardt 2022-04-13 14:53:37 +00:00 committed by Felipe Noronha
parent 2b5a7cae2d
commit 51e2a0d05b
3 changed files with 63 additions and 12 deletions

View File

@ -19,19 +19,27 @@ include = [
]
[dependencies]
hyper = { version = "0.14", features = ["full"] }
lazy_static = "1.4"
hyper-tls = { version = "0.5", optional = true }
hyper = { version = "0.14.18", features = ["full"] }
hyper-trust-dns = { version = "0.4.2", optional = true, default-features = false, features = ["rustls-webpki", "rustls-http1"] }
lazy_static = "1.4.0"
rand = "0.8.5"
[dev-dependencies]
tokio = { version = "1", features = ["full"] }
futures = "0.3"
async-trait = "0.1"
tokio = { version = "1.17.0", features = ["full"] }
futures = "0.3.21"
async-trait = "0.1.53"
tokio-test = "0.4.2"
test-context = "0.1.3"
tokiotest-httpserver = "0.2.0"
tokiotest-httpserver = "0.2.1"
[features]
https = ["hyper-tls"]
default = ["https"]
https = ["hyper-trust-dns", "dnssec", "hyper-trust-dns/rustls-webpki", "http2"]
doh = ["hyper-trust-dns/dns-over-https-rustls"]
dot = ["hyper-trust-dns/dns-over-rustls"]
dnssec = ["hyper-trust-dns/dnssec-ring"]
http2 = ["hyper/http2", "hyper-trust-dns/rustls-http2"]
https-only = ["hyper-trust-dns/https-only"]
tls-1-2 = ["hyper-trust-dns/rustls-tls-12"]
native-cert-store = ["hyper-trust-dns/rustls-native"]

View File

@ -103,3 +103,35 @@ async fn main() {
}
}
```
### Security
Handling outgoing requests can be a security nightmare. This crate includes some features to reduce some of the risks. Everthing uses `rustls` benieth, a rust implementation for tls, faster and more secure as `openssl`
#### HTTPS
By default the `https` feature is enabled which will allow you to request resources over https. This does not limit to only `https` traffic, if you would like so add the feature `https-only` to your `Cargo.toml` for this crate.
#### TLS 1.2
By default `tls 1.2` is disabled in favor of `tls 1.3`. As not yet all services support it `tls 1.2` can be enabled via the `tls-1-2` feature.
#### DNSSEC
By default if you enable `https` (which is enabled by default) `dnssec` is enabled.
#### HTTP/2
While `http/3` might be just around the corner. `http/2` support can be enabled using the `http2` feature.
#### DoT & DoH
By default none of them are enabled. If you would like to enabled them, you can do so using the features `doh` and `dot`.
Recommendations:
- If you need to monitor network activities in relation to accessed ports, use `dot`
- If you are out in the wild and have no need to monitor based on ports, use `doh` as it will blend in with other `https` traffic
It is highly recommended to use one of them.
> Currently only includes dns queries as `esni` or `ech` is still in draft by the `ietf`

View File

@ -99,11 +99,16 @@
#[cfg(all(not(stable), test))]
extern crate test;
#[cfg(feature = "https")]
use hyper_trust_dns::TrustDnsResolver;
#[cfg(not(feature = "https"))]
use hyper::client::{connect::dns::GaiResolver, HttpConnector};
use hyper::header::{HeaderName, HeaderValue, HOST};
use hyper::header::{HeaderMap, HeaderName, HeaderValue, HOST};
use hyper::http::header::{InvalidHeaderValue, ToStrError};
use hyper::http::uri::InvalidUri;
use hyper::{Body, Client, Error, HeaderMap, Request, Response};
use hyper::{Body, Client, Error, Request, Response};
use lazy_static::lazy_static;
use std::net::IpAddr;
@ -242,6 +247,7 @@ fn create_proxied_request<B>(
let upgrade_type = get_upgrade_type(request.headers());
let uri: hyper::Uri = forward_uri(forward_url, &request).parse()?;
request
.headers_mut()
.insert(HOST, HeaderValue::from_str(uri.host().unwrap())?);
@ -288,8 +294,13 @@ fn create_proxied_request<B>(
}
#[cfg(feature = "https")]
fn build_client() -> Client<hyper_tls::HttpsConnector<HttpConnector<GaiResolver>>, hyper::Body> {
let https = hyper_tls::HttpsConnector::new();
fn build_client() -> Client<hyper_trust_dns::RustlsHttpsConnector, hyper::Body> {
#[cfg(feature = "native-cert-store")]
let https = TrustDnsResolver::default().into_rustls_native_https_connector();
#[cfg(not(feature = "native-cert-store"))]
let https = TrustDnsResolver::default().into_rustls_webpki_https_connector();
Client::builder().build::<_, hyper::Body>(https)
}