Async TLS for the Tokio runtime
Latest commit 18fd688b33 by Brian Picciano: Implement TransparentConfigAcceptor
The goal of the TransparentConfigAcceptor is to support an SNI-based
reverse-proxy, where the server reads the SNI and then transparently
forwards the entire TLS session, ClientHello included, to a backend
server, without terminating the TLS session itself.

This isn't possible with the current LazyConfigAcceptor, which only
allows you to pick a different ServerConfig depending on the SNI, but
will always terminate the session.

The TransparentConfigAcceptor will buffer all bytes read from the
connection (the ClientHello) internally, and then replay them if the
user decides they want to hijack the connection.

The TransparentConfigAcceptor supports all functionality that the
LazyConfigAcceptor does, but due to the internal buffering of the
ClientHello I did not want to add it to the LazyConfigAcceptor, since
it's possible someone wouldn't want to incur that extra cost.
2023-07-24 18:46:36 +02:00
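The commit message above describes the core of an SNI-based transparent proxy: buffer the bytes of the ClientHello, read the server name out of them, and then replay the buffered bytes to the chosen backend without ever terminating TLS. What follows is an added example written for this page, not code from tokio-rustls; it does not use TransparentConfigAcceptor, LazyConfigAcceptor or any rustls API, only the standard library, so it shows the parsing and routing step itself. The backend table, the MAX_CLIENT_HELLO bound and the sample ClientHello produced by build_client_hello are assumptions constructed for the example.

```rust
use std::collections::HashMap;

/// Result of inspecting the bytes buffered so far from one client.
#[derive(Debug, PartialEq)]
pub enum Sni {
    NeedMoreData,   // first record incomplete: keep buffering, then retry
    NotClientHello, // not a handshake record / ClientHello, or oversized: reject
    Absent,         // complete ClientHello with no server_name extension
    Host(String),   // complete ClientHello naming this host
}

/// Bound on what we buffer for an unauthenticated peer (assumed value).
pub const MAX_CLIENT_HELLO: usize = 16 * 1024;

/// Bounds-checked big-endian reader: every length below is chosen by the
/// peer, so truncation yields None rather than a panic.
struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Option<&'a [u8]> {
        let buf = self.buf;
        let s = buf.get(self.pos..self.pos.checked_add(n)?)?;
        self.pos += n;
        Some(s)
    }
    fn u8(&mut self) -> Option<usize> { self.take(1).map(|s| s[0] as usize) }
    fn u16(&mut self) -> Option<usize> { self.take(2).map(|s| (s[0] as usize) << 8 | s[1] as usize) }
    fn u24(&mut self) -> Option<usize> { self.u8().and_then(|hi| self.u16().map(|lo| hi << 16 | lo)) }
    fn done(&self) -> bool { self.pos >= self.buf.len() }
}

/// Inspect the bytes buffered so far; the proxy keeps them intact for replay.
pub fn extract_sni(buf: &[u8]) -> Sni {
    if buf.len() < 5 { return Sni::NeedMoreData; }     // record header: type(1) version(2) length(2)
    if buf[0] != 0x16 { return Sni::NotClientHello; }   // 0x16 = handshake
    let record_len = (buf[3] as usize) << 8 | buf[4] as usize;
    if record_len > MAX_CLIENT_HELLO { return Sni::NotClientHello; }
    if buf.len() < 5 + record_len { return Sni::NeedMoreData; }
    parse_hello(&buf[5..5 + record_len]).unwrap_or(Sni::NotClientHello)
}

fn parse_hello(record: &[u8]) -> Option<Sni> {
    let mut r = Reader { buf: record, pos: 0 };
    if r.u8()? != 0x01 { return None; }                 // handshake type 0x01 = ClientHello
    let n = r.u24()?;
    let mut body = Reader { buf: r.take(n)?, pos: 0 };
    body.take(34)?;                                     // legacy_version(2) + random(32)
    let n = body.u8()?; body.take(n)?;                  // session_id
    let n = body.u16()?; body.take(n)?;                 // cipher_suites
    let n = body.u8()?; body.take(n)?;                  // compression_methods
    if body.done() { return Some(Sni::Absent); }        // no extensions block at all
    let n = body.u16()?;
    let mut exts = Reader { buf: body.take(n)?, pos: 0 };
    while !exts.done() {
        let ty = exts.u16()?;
        let n = exts.u16()?;
        let data = exts.take(n)?;
        if ty != 0x0000 { continue; }                   // 0x0000 = server_name
        let mut list = Reader { buf: data, pos: 0 };
        let n = list.u16()?;
        let mut names = Reader { buf: list.take(n)?, pos: 0 };
        while !names.done() {
            let name_type = names.u8()?;
            let n = names.u16()?;
            let name = names.take(n)?;
            if name_type != 0 { continue; }             // 0 = host_name
            let host = std::str::from_utf8(name).ok()?;
            // Only accept DNS-shaped names: the peer chooses this string and it
            // becomes a routing key and, most likely, a log field.
            let ok = !host.is_empty() && host.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.');
            return if ok { Some(Sni::Host(host.to_ascii_lowercase())) } else { None };
        }
    }
    Some(Sni::Absent)
}

/// Map the SNI to a backend (assumed table). The proxy then writes `buffered`
/// to that backend verbatim before relaying further bytes; nothing here
/// decrypts or terminates the session.
pub fn choose_backend(buffered: &[u8], backends: &HashMap<&str, &str>) -> Result<String, &'static str> {
    match extract_sni(buffered) {
        Sni::NeedMoreData => Err("incomplete ClientHello, keep reading"),
        Sni::NotClientHello => Err("not a TLS ClientHello"),
        Sni::Absent => Err("no SNI, cannot route"),
        Sni::Host(h) => backends.get(h.as_str()).map(|b| b.to_string()).ok_or("unknown host name"),
    }
}

/// Constructed sample input (not a capture): a minimal ClientHello naming `host`.
pub fn build_client_hello(host: &str) -> Vec<u8> {
    let name = host.as_bytes();
    let mut sni = ((name.len() + 3) as u16).to_be_bytes().to_vec(); // server_name_list length
    sni.push(0);                                                    // name_type = host_name
    sni.extend_from_slice(&(name.len() as u16).to_be_bytes());
    sni.extend_from_slice(name);
    let mut exts = vec![0x00, 0x00];                                // extension type server_name
    exts.extend_from_slice(&(sni.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni);
    let mut body = vec![0x03, 0x03];                                // legacy_version
    body.extend_from_slice(&[0x11; 32]);                            // random (fixed for the example)
    body.extend_from_slice(&[0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00]); // empty session_id, one suite, null compression
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    let mut hs = vec![0x01, 0x00];                                  // ClientHello; 3-byte length, high byte 0
    hs.extend_from_slice(&(body.len() as u16).to_be_bytes());
    hs.extend_from_slice(&body);
    let mut rec = vec![0x16, 0x03, 0x01];                           // handshake record, legacy framing
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}
```

Two caveats a practitioner should keep in mind with this approach. The server name is plaintext and unauthenticated, so it is a routing key and nothing more: the proxy cannot authorize on it, and the backend, which receives the original ClientHello, still performs the real handshake with the client. With Encrypted ClientHello the outer SNI is a cover name, so this kind of proxy only sees what the client chooses to expose. The NeedMoreData path matters too: a ClientHello can arrive in several TCP segments, so the proxy must keep reading (up to a bound) and must replay every buffered byte before it starts splicing the two sockets.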
Repository contents (path, last commit, date):

.github/workflows   Trigger CI run on push to main                                  2023-06-12 10:25:33 +01:00
examples            Move tokio-rustls to top level                                  2023-05-31 17:09:52 +02:00
scripts             Move tokio-rustls to top level                                  2023-05-31 17:09:52 +02:00
src                 Implement TransparentConfigAcceptor                             2023-07-24 18:46:36 +02:00
tests               Merge branch 'master' for take_io()                             2023-06-06 09:23:44 +02:00
.gitignore          Auto-generate TLS server certificate for unix platform (#8)     2020-04-03 10:16:23 -04:00
Cargo.toml          Update MSRV to 1.60 and test it                                 2023-06-12 10:25:33 +01:00
LICENSE-APACHE      Move tokio-rustls to top level                                  2023-05-31 17:09:52 +02:00
LICENSE-MIT         Move tokio-rustls to top level                                  2023-05-31 17:09:52 +02:00
README.md           Update links in README                                          2023-05-31 17:09:52 +02:00

tokio-rustls


Asynchronous TLS/SSL streams for Tokio using Rustls.

Basic Structure of a Client

use std::sync::Arc;
use tokio::net::TcpStream;
use tokio_rustls::rustls::{ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
use tokio_rustls::TlsConnector;

// ...

// Trust the Mozilla root store shipped by the webpki-roots crate. An empty
// RootCertStore makes every handshake fail; it never silently disables
// certificate verification.
let mut root_cert_store = RootCertStore::empty();
root_cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
    OwnedTrustAnchor::from_subject_spki_name_constraints(
        ta.subject,
        ta.spki,
        ta.name_constraints,
    )
}));
// with_safe_defaults() selects the protocol versions, cipher suites and key
// exchange groups rustls considers safe (TLS 1.2 and 1.3 only).
let config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();
let connector = TlsConnector::from(Arc::new(config));
// The ServerName is what the server's certificate is validated against, so it
// must be the host you intend to reach, never a value taken from the network.
let dnsname = ServerName::try_from("www.rust-lang.org").unwrap();

let addr = "www.rust-lang.org:443"; // assumed here; the original snippet leaves addr undefined
let stream = TcpStream::connect(&addr).await?;
let mut stream = connector.connect(dnsname, stream).await?;

// ...

Client Example Program

See examples/client. You can run it with:

cd examples/client
cargo run -- hsts.badssl.com

Server Example Program

See examples/server. You can run it with:

cd examples/server
cargo run -- 127.0.0.1:8000 --cert mycert.der --key mykey.der

License & Origin

This project is licensed under either of

 * Apache License, Version 2.0 (LICENSE-APACHE)
 * MIT license (LICENSE-MIT)

at your option.

This started as a fork of tokio-tls.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in tokio-rustls by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.