The goal of the TransparentConfigAcceptor is to support an SNI-based
reverse-proxy, where the server reads the SNI and then transparently
forwards the entire TLS session, ClientHello included, to a backend
server, without terminating the TLS session itself.
This isn't possible with the current LazyConfigAcceptor, which only
allows you to pick a different ServerConfig depending on the SNI, but
will always terminate the session.
The TransparentConfigAcceptor will buffer all bytes read from the
connection (the ClientHello) internally, and then replay them if the
user decides they want to hijack the connection.
The TransparentConfigAcceptor supports all functionality that the
LazyConfigAcceptor does, but due to the internal buffering of the
ClientHello I did not want to add it to the LazyConfigAcceptor, since
it's possible someone wouldn't want to incur that extra cost.
* add: take_io method to LazyConfigAcceptor
The `take_io` method can be used to take back ownership of the client IO stream when an error occurs
during the ClientHello handshake.
An example of this is when a client tries to connect to a TLS socket expecting it to be a plain text
connection. In this case take_io can be used to send a 400 response, "The plain HTTP request was
sent to HTTPS port", back to the client.
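An added example, not tokio-rustls code, for the two commit messages above: it peeks at the bytes buffered from a socket accepted on a TLS port, extracts the SNI from a complete ClientHello (the decision input an SNI-based reverse proxy needs before replaying the buffered bytes to a backend), and recognises a plaintext HTTP request line so the caller can write the 400 response back over the stream it got back from `take_io`. It uses only the standard library; the names `FirstBytes`, `classify`, `plain_http_response` and `build_client_hello` are hypothetical, and the ClientHello bytes are constructed inline as sample input.

```rust
// Added example (not tokio-rustls code): sniff the first bytes read from a socket
// accepted on a TLS port. A fully buffered ClientHello yields its SNI, which an
// SNI-routing proxy needs before replaying those bytes to a backend; a plaintext
// HTTP request line is recognised so a 400 can be written back instead.
#[derive(Debug, PartialEq)]
pub enum FirstBytes {
    ClientHello { sni: Option<String> }, // complete hello; None = no server_name sent
    PlainHttp,                           // plaintext HTTP request line
    NeedMore,                            // undecidable yet: read more, call again
    Unknown,                             // neither, or a malformed ClientHello
}
const HTTP_METHODS: &[&[u8]] = &[b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE "];

/// Classify everything read from the socket so far.
pub fn classify(buf: &[u8]) -> FirstBytes {
    if buf.is_empty() { return FirstBytes::NeedMore; }
    if buf[0] == 0x16 { return parse_client_hello(buf); } // ContentType handshake
    if HTTP_METHODS.iter().any(|m| buf.starts_with(m)) { return FirstBytes::PlainHttp; }
    if HTTP_METHODS.iter().any(|m| m.starts_with(buf)) { return FirstBytes::NeedMore; } // "PO" may still become "POST "
    FirstBytes::Unknown
}

/// Bounds-checked cursor; an overrun is a parse error, never a panic.
struct Reader<'a> { buf: &'a [u8], pos: usize }
impl<'a> Reader<'a> {
    fn new(buf: &'a [u8]) -> Self { Reader { buf, pos: 0 } }
    fn take(&mut self, n: usize) -> Result<&'a [u8], ()> {
        let end = self.pos.checked_add(n).filter(|&e| e <= self.buf.len()).ok_or(())?;
        let s = &self.buf[self.pos..end]; self.pos = end; Ok(s)
    }
    fn u8(&mut self) -> Result<usize, ()> { Ok(self.take(1)?[0] as usize) }
    fn u16(&mut self) -> Result<usize, ()> { let b = self.take(2)?; Ok(u16::from_be_bytes([b[0], b[1]]) as usize) }
    fn remaining(&self) -> usize { self.buf.len() - self.pos }
}

fn parse_client_hello(buf: &[u8]) -> FirstBytes {
    if buf.len() < 5 { return FirstBytes::NeedMore; }  // record header: type(1) version(2) length(2)
    if buf[1] != 0x03 { return FirstBytes::Unknown; }
    let rec_len = u16::from_be_bytes([buf[3], buf[4]]) as usize;
    if buf.len() < 5 + rec_len { return FirstBytes::NeedMore; } // keep buffering until the whole record is in
    let hs = &buf[5..5 + rec_len];
    if hs.len() < 4 || hs[0] != 0x01 { return FirstBytes::Unknown; } // msg_type(1) must be client_hello, then length(3)
    let hs_len = u32::from_be_bytes([0, hs[1], hs[2], hs[3]]) as usize;
    match hs.get(4..4 + hs_len).map(sni_from_body) {
        Some(Ok(sni)) => FirstBytes::ClientHello { sni },
        _ => FirstBytes::Unknown, // malformed, or a hello split across records (not handled here)
    }
}

/// Walk the ClientHello body (RFC 8446 section 4.1.2) to the server_name extension.
fn sni_from_body(body: &[u8]) -> Result<Option<String>, ()> {
    let mut r = Reader::new(body);
    r.take(2 + 32)?;                           // legacy_version + random
    let n = r.u8()?; r.take(n)?;               // legacy_session_id
    let n = r.u16()?; r.take(n)?;              // cipher_suites
    let n = r.u8()?; r.take(n)?;               // legacy_compression_methods
    if r.remaining() == 0 { return Ok(None); } // pre-1.3 hello without extensions
    let n = r.u16()?; let mut exts = Reader::new(r.take(n)?);
    while exts.remaining() > 0 {
        let (ext_type, n) = (exts.u16()?, exts.u16()?);
        let data = exts.take(n)?;
        if ext_type != 0 { continue; }         // 0 = server_name
        let mut sn = Reader::new(data);
        let n = sn.u16()?; let mut names = Reader::new(sn.take(n)?);
        while names.remaining() > 0 {
            let (name_type, n) = (names.u8()?, names.u16()?);
            let name = names.take(n)?;
            if name_type == 0 {                // host_name
                return Ok(Some(std::str::from_utf8(name).map_err(|_| ())?.to_owned()));
            }
        }
    }
    Ok(None)
}

/// Response to write back when `classify` returned `PlainHttp`.
pub fn plain_http_response() -> String {
    let body = "The plain HTTP request was sent to HTTPS port\n";
    format!("HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}", body.len(), body)
}

/// Constructed sample input: a minimal ClientHello record, optionally carrying server_name.
pub fn build_client_hello(sni: Option<&str>) -> Vec<u8> {
    let mut body: Vec<u8> = vec![0x03, 0x03];                           // legacy_version
    body.extend_from_slice(&[0x42; 32]);                                // random, fixed for the example
    body.extend_from_slice(&[0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00]); // empty session id, one suite, null compression
    let mut exts: Vec<u8> = Vec::new();
    if let Some(host) = sni {
        let n = host.len() as u16;
        exts.extend_from_slice(&[0x00, 0x00]);                          // extension_type server_name
        exts.extend_from_slice(&(n + 5).to_be_bytes());                 // extension_data length
        exts.extend_from_slice(&(n + 3).to_be_bytes());                 // server_name_list length
        exts.push(0x00);                                                // name_type host_name
        exts.extend_from_slice(&n.to_be_bytes());
        exts.extend_from_slice(host.as_bytes());
    }
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    let mut hs: Vec<u8> = vec![0x01];                                   // msg_type client_hello, 3-byte length
    hs.extend_from_slice(&(body.len() as u32).to_be_bytes()[1..]);
    hs.extend_from_slice(&body);
    let mut rec: Vec<u8> = vec![0x16, 0x03, 0x01];                      // handshake record header
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}
```

The acceptor loop calls `classify` on its growing buffer after each read: `NeedMore` means keep reading, `ClientHello` means route on the SNI and replay the buffered bytes to the chosen backend (or hand them to the TLS stack to terminate locally), `PlainHttp` means write `plain_http_response()` and close, and `Unknown` means drop the connection. Every length field is bounds-checked through `Reader`, so a hostile ClientHello with inflated lengths produces `Unknown` rather than a panic in the accept path.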
* rename test lazy_config_acceptor_take_io
* deps: update to rustls 0.21.0.
This commit updates tokio-rustls to use the freshly released Rustls
0.21.0 release tag, and the rustls-webpki fork of webpki.
* tests: improve server wait in early data test.
Previously the `test_0rtt` test had a hardcoded 1s sleep waiting for an
`openssl s_server` process to become ready.
If 1s waiting wasn't long enough, the test could fail with an error
like:
```
Error: Os { code: 10061, kind: ConnectionRefused, message: "No
connection could be made because the target machine actively refused
it." }
```
This commit replaces the hardcoded sleep with a sleep loop that
gradually increases the delay time up to a fixed maximum. This makes the
test run faster when the server is ready quickly and prevents an error
if it takes longer than 1s to stabilize.
* version: 0.23.4 -> 0.24.0
* Fix domain name in early-data test
* Run early data test in CI
* Add missing wake call
* Workaround: write to OpenSSL's input
This is necessary to work around an issue that only appears on Windows.
* Don't rerun other tests in CI
* implement AsRawFd for both tokio-rustls and tokio-native-tls TlsStream<S>
* implement windows' AsRawHandle
* typo in cfg(windows)
* use RawSocket, not RawHandle
* implement AsRawFd & AsRawSocket for tokio_rustls::client::TlsStream and tokio_rustls::TlsStream enum
* update to rustls 0.20
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* track simple renamings in rustls
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* use reader/writer methods
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* fix find and replace
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* use rustls-pemfile crate for pem file parsing
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update misc api breakage
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update client example with api changes
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update server example with new APIs
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update test_stream test
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update tests to use new APIs
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* rm unused imports
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* handle rustls `WouldBlock` on eof
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* expect rustls to return wouldblock in tests
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* I think this is *actually* the right EOF behavior
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* bump version
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* okay that seems to fix it
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* update to track builder API changes
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* actually shutdown read side on close notify
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* Further updates to rustls 0.20 (#68)
* Adapt to RootCertStore API changes
* Handle UnexpectedEof errors
* Rename would_block to io_pending
* Try to make badssl test failures more verbose
* Rebuild AsyncRead impl
* Upgrade to current rustls
* Revert to using assert!()
* Update to rustls 0.20
* Forward rustls features
Co-authored-by: Dirkjan Ochtman <dirkjan@ochtman.nl>
* native-tls: fix use of non-fmt panic in tests
* fix some misc. clippy lints
This branch fixes a number of lints. The most important one was the use
of a non-`format_args!` expression in a `panic!` macro, which generates
a compiler warning in recent Rust toolchains, which is breaking the CI
`cargo check` run on PR #64.
While I was here, I also fixed some miscellaneous Clippy lints, mostly
in tests. These include:
* Use of `clone()` on `SocketAddr`s (which implement `Copy`)
* Unnecessary single-path-segment imports (which probably used to be
`extern crate`s in earlier Rust?)
* `'static` lifetimes in `const` type annotations (`const`s always have
the `'static` lifetime)
None of these were breaking the build on CI, but I figured I'd address
them while I was fixing other lints.
Signed-off-by: Eliza Weisman <eliza@buoyant.io>