Async TLS for the Tokio runtime
18fd688b33
The goal of the TransparentConfigAcceptor is to support an SNI-based reverse-proxy, where the server reads the SNI and then transparently forwards the entire TLS session, ClientHello included, to a backend server, without terminating the TLS session itself. This isn't possible with the current LazyConfigAcceptor, which only allows you to pick a different ServerConfig depending on the SNI, but will always terminate the session. The TransparentConfigAcceptor will buffer all bytes read from the connection (the ClientHello) internally, and then replay them if the user decides they want to hijack the connection. The TransparentConfigAcceptor supports all functionality that the LazyConfigAcceptor does, but due to the internal buffering of the ClientHello I did not want to add it to the LazyConfigAcceptor, since it's possible someone wouldn't want to incur that extra cost.
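The peek-and-replay idea the commit message describes, reduced to its essentials as an added example. This is not tokio-rustls code and does not use the TransparentConfigAcceptor API, which the page does not show; it is a synchronous std-only sketch with hypothetical names (`parse_sni`, `peek_sni`, `ReplayReader`, `constructed_client_hello`). It reads one TLS record, extracts the SNI host_name with bounds-checked parsing so a malformed ClientHello is rejected rather than trusted, and then returns a reader that replays the consumed bytes before the live stream, which is what lets a backend see the unmodified session from byte 0. The ClientHello it parses is constructed inside the block for testing.

```rust
use std::io::{self, Cursor, Read};

fn invalid(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidData, msg)
}

/// Bounds-checked slice reader: every length field is validated before use,
/// so a malformed or truncated ClientHello yields an error, never a panic.
struct Bytes<'a> { data: &'a [u8], pos: usize }

impl<'a> Bytes<'a> {
    fn take(&mut self, n: usize) -> io::Result<&'a [u8]> {
        let end = self.pos.checked_add(n).filter(|&e| e <= self.data.len())
            .ok_or_else(|| invalid("truncated ClientHello"))?;
        let s = &self.data[self.pos..end];
        self.pos = end;
        Ok(s)
    }
    fn byte(&mut self) -> io::Result<usize> { Ok(self.take(1)?[0] as usize) }
    fn be16(&mut self) -> io::Result<usize> { let b = self.take(2)?; Ok((b[0] as usize) << 8 | b[1] as usize) }
    fn be24(&mut self) -> io::Result<usize> { let b = self.take(3)?; Ok((b[0] as usize) << 16 | (b[1] as usize) << 8 | b[2] as usize) }
    fn done(&self) -> bool { self.pos == self.data.len() }
}

/// Extract the SNI host_name from one TLS record holding a complete ClientHello.
/// Ok(None) is a well-formed ClientHello without SNI (legal; route to a default).
pub fn parse_sni(record: &[u8]) -> io::Result<Option<String>> {
    let mut r = Bytes { data: record, pos: 0 };
    if r.byte()? != 0x16 { return Err(invalid("not a TLS handshake record")); }
    r.take(2)?;                                   // legacy record version
    let n = r.be16()?;
    let mut r = Bytes { data: r.take(n)?, pos: 0 };
    if r.byte()? != 0x01 { return Err(invalid("not a ClientHello")); }
    let n = r.be24()?;
    let mut r = Bytes { data: r.take(n)?, pos: 0 };
    r.take(2)?;                                   // client_version
    r.take(32)?;                                  // random
    let n = r.byte()?;  r.take(n)?;               // session_id
    let n = r.be16()?;  r.take(n)?;               // cipher_suites
    let n = r.byte()?;  r.take(n)?;               // compression_methods
    if r.done() { return Ok(None); }              // no extensions block at all
    let n = r.be16()?;
    let mut exts = Bytes { data: r.take(n)?, pos: 0 };
    while !exts.done() {
        let (ext_type, len) = (exts.be16()?, exts.be16()?);
        let body = exts.take(len)?;
        if ext_type != 0x0000 { continue; }       // 0 = server_name extension
        let mut sni = Bytes { data: body, pos: 0 };
        let n = sni.be16()?;
        let mut list = Bytes { data: sni.take(n)?, pos: 0 };
        while !list.done() {
            let (name_type, n) = (list.byte()?, list.be16()?);
            let name = list.take(n)?;
            if name_type == 0 {                   // 0 = host_name
                let host = std::str::from_utf8(name).map_err(|_| invalid("SNI not UTF-8"))?;
                return Ok(Some(host.to_string()));
            }
        }
    }
    Ok(None)
}

/// Hands out the bytes consumed while peeking first, then continues on the live
/// stream, so whoever reads next (a backend) sees the session unmodified from byte 0.
pub struct ReplayReader<R: Read> { replay: Cursor<Vec<u8>>, inner: R }

impl<R: Read> Read for ReplayReader<R> {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        match self.replay.read(out)? { 0 => self.inner.read(out), n => Ok(n) }
    }
}

/// Read exactly one record, parse the SNI, and return a replaying reader.
/// Caveat: a ClientHello may span several records; this handles the single-record case.
pub fn peek_sni<R: Read>(mut conn: R) -> io::Result<(Option<String>, ReplayReader<R>)> {
    let mut consumed = vec![0u8; 5];              // record header: type, version, length
    conn.read_exact(&mut consumed)?;
    let len = u16::from_be_bytes([consumed[3], consumed[4]]) as usize;
    consumed.resize(5 + len, 0);
    conn.read_exact(&mut consumed[5..])?;
    let sni = parse_sni(&consumed)?;
    Ok((sni, ReplayReader { replay: Cursor::new(consumed), inner: conn }))
}

/// Constructed test input: a minimal ClientHello carrying only an SNI extension.
pub fn constructed_client_hello(host: &str) -> Vec<u8> {
    let mut sni = ((host.len() + 3) as u16).to_be_bytes().to_vec(); // server_name_list length
    sni.push(0);                                                     // name_type host_name
    sni.extend_from_slice(&(host.len() as u16).to_be_bytes());
    sni.extend_from_slice(host.as_bytes());
    let mut exts = vec![0x00, 0x00];                                 // extension type server_name
    exts.extend_from_slice(&(sni.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni);
    let mut body = vec![0x03, 0x03];                                 // client_version
    body.extend_from_slice(&[0u8; 32]);                              // random (zeroed, constructed)
    body.push(0);                                                    // empty session_id
    body.extend_from_slice(&[0x00, 0x02, 0x13, 0x01]);               // one cipher suite
    body.extend_from_slice(&[0x01, 0x00]);                           // compression: null
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    let mut hs = vec![0x01, (body.len() >> 16) as u8, (body.len() >> 8) as u8, body.len() as u8];
    hs.extend_from_slice(&body);
    let mut record = vec![0x16, 0x03, 0x01];
    record.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    record.extend_from_slice(&hs);
    record
}
```

In a real proxy the decision step would either hand `ReplayReader` to a backend connection (the transparent path) or feed the same buffered bytes into a local TLS acceptor (the terminating path); either way the buffered ClientHello is the cost the commit message mentions, paid once per connection.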
Top-level files and directories at this commit:
- .github/workflows
- examples
- scripts
- src
- tests
- .gitignore
- Cargo.toml
- LICENSE-APACHE
- LICENSE-MIT
- README.md
tokio-rustls
Asynchronous TLS/SSL streams for Tokio using Rustls.
Basic Structure of a Client
```rust
use std::sync::Arc;
use tokio::net::TcpStream;
use tokio_rustls::rustls::{ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
use tokio_rustls::TlsConnector;

// ...

// Trust only the Mozilla root set shipped by the `webpki-roots` crate.
let mut root_cert_store = RootCertStore::empty();
root_cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
    OwnedTrustAnchor::from_subject_spki_name_constraints(
        ta.subject,
        ta.spki,
        ta.name_constraints,
    )
}));
let config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();
let connector = TlsConnector::from(Arc::new(config));
// The name the server certificate is verified against; `addr` is the socket address to dial.
let dnsname = ServerName::try_from("www.rust-lang.org").unwrap();
let stream = TcpStream::connect(&addr).await?;
let mut stream = connector.connect(dnsname, stream).await?;

// ...
```
Client Example Program
See examples/client. You can run it with:
```sh
cd examples/client
cargo run -- hsts.badssl.com
```
Server Example Program
See examples/server. You can run it with:
```sh
cd examples/server
cargo run -- 127.0.0.1:8000 --cert mycert.der --key mykey.der
```
License & Origin
This project is licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)
at your option.
This started as a fork of tokio-tls.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in tokio-rustls by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.