Async TLS for the Tokio runtime

Go to file

Brian Picciano 18fd688b33 Implement TransparentConfigAcceptor The goal of the TransparentConfigAcceptor is to support an SNI-based reverse-proxy, where the server reads the SNI and then transparently forwards the entire TLS session, ClientHello included, to a backend server, without terminating the TLS session itself. This isn't possible with the current LazyConfigAcceptor, which only allows you to pick a different ServerConfig depending on the SNI, but will always terminate the session. The TransparentConfigAcceptor will buffer all bytes read from the connection (the ClientHello) internally, and then replay them if the user decides they want to hijack the connection. The TransparentConfigAcceptor supports all functionality that the LazyConfigAcceptor does, but due to the internal buffering of the ClientHello I did not want to add it to the LazyConfigAcceptor, since it's possible someone wouldn't want to incur that extra cost.		2023-07-24 18:46:36 +02:00
.github/workflows	Trigger CI run on push to main	2023-06-12 10:25:33 +01:00
examples	Move tokio-rustls to top level	2023-05-31 17:09:52 +02:00
scripts	Move tokio-rustls to top level	2023-05-31 17:09:52 +02:00
src	Implement TransparentConfigAcceptor	2023-07-24 18:46:36 +02:00
tests	Merge branch 'master' for take_io()	2023-06-06 09:23:44 +02:00
.gitignore	Auto-generate TLS server certificate for unix platform (#8 )	2020-04-03 10:16:23 -04:00
Cargo.toml	Update MSRV to 1.60 and test it	2023-06-12 10:25:33 +01:00
LICENSE-APACHE	Move tokio-rustls to top level	2023-05-31 17:09:52 +02:00
LICENSE-MIT	Move tokio-rustls to top level	2023-05-31 17:09:52 +02:00
README.md	Update links in README	2023-05-31 17:09:52 +02:00

README.md

tokio-rustls

Asynchronous TLS/SSL streams for Tokio using Rustls.

Basic Structure of a Client

use std::sync::Arc;
use tokio::net::TcpStream;
use tokio_rustls::rustls::{ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
use tokio_rustls::TlsConnector;

// ...

let mut root_cert_store = RootCertStore::empty();
root_cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
    OwnedTrustAnchor::from_subject_spki_name_constraints(
        ta.subject,
        ta.spki,
        ta.name_constraints,
    )
}));
let config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();
let connector = TlsConnector::from(Arc::new(config));
let dnsname = ServerName::try_from("www.rust-lang.org").unwrap();

let stream = TcpStream::connect(&addr).await?;
let mut stream = connector.connect(dnsname, stream).await?;

// ...

Client Example Program

See examples/client. You can run it with:

cd examples/client
cargo run -- hsts.badssl.com

Server Example Program

See examples/server. You can run it with:

cd examples/server
cargo run -- 127.0.0.1:8000 --cert mycert.der --key mykey.der

License & Origin

This project is licensed under either of

Apache License, Version 2.0, (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)

at your option.

This started as a fork of tokio-tls.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in tokio-rustls by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.