aws / s2n-quic

An implementation of the IETF QUIC protocol
https://crates.io/crates/s2n-quic
Apache License 2.0
1.13k stars, 118 forks

Default TLS server builder has no with_cert_resolver #2178

Open XeCycle opened 5 months ago

XeCycle commented 5 months ago

Problem:

s2n_quic::provider::tls::default::server::Builder does not have an equivalent of .with_cert_resolver on the rustls counterpart.

In https://github.com/aws/s2n-quic/issues/2173#issuecomment-2038159682:

the best way to have a stable interface to integrate with is to use the TLS provider builders (client and server) that wrap the rustls implementation, rather than the re-exported rustls. If there are configuration options you need that are not provided in these builders, please open an issue and we will be happy to consider adding the functionality.

Solution:

IDK...

Requirements / Acceptance Criteria:

I used the rustls builder to support dynamically updating a rotated certificate, and to choose different certificates based on the SNI server name in client hello messages. The current with_cert_resolver is a callback-style API; I'm okay with keeping this style, or we can also introduce a "certificate store" that can be updated and is able to contain multiple certificates associated with different domain names. My use case currently does not involve wildcard certificates so a hashmap is enough, but maybe others would need more complex logic.
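The "certificate store" sketched above, written out as an added example (not code from the issue, from s2n-quic, or from rustls): a hot-swappable map keyed by SNI name that a resolver callback consults per ClientHello. It goes one step past the hashmap case in the post by also matching one-label wildcards (`*.example.com`). rustls is not a dependency of the block, so `CertifiedKey` is an opaque stand-in for `rustls::sign::CertifiedKey`; the trait and method names in the trailing comment (`ResolvesServerCert`, `ClientHello::server_name`) are quoted from memory for rustls 0.21/0.22 and are an assumption to check against the version in use.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Stand-in for a loaded chain + private key (assumption: rustls is not a
/// dependency here, so only a label is kept for logging and tests).
#[derive(Debug, PartialEq, Eq)]
pub struct CertifiedKey {
    pub label: String,
}

impl CertifiedKey {
    pub fn new(label: &str) -> Self {
        Self { label: label.to_string() }
    }
}

#[derive(Default)]
struct Inner {
    /// Exact hostnames and wildcard entries ("*.example.com"), normalized.
    by_name: HashMap<String, Arc<CertifiedKey>>,
    /// Served when there is no SNI or nothing matches; None = refuse handshake.
    fallback: Option<Arc<CertifiedKey>>,
}

/// Hot-swappable certificate store. Clones share the same inner map, so the
/// file watcher/reloader and the TLS acceptor can each hold a handle.
#[derive(Default, Clone)]
pub struct CertStore {
    inner: Arc<RwLock<Inner>>,
}

/// SNI names are DNS names: case-insensitive, and a trailing dot is not significant.
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// Wildcard covering exactly one leftmost label (RFC 6125 style):
/// "a.example.com" -> "*.example.com"; "a.b.example.com" -> "*.b.example.com".
/// Refuses "*.com"-style forms by requiring at least two labels to remain.
fn wildcard_form(name: &str) -> Option<String> {
    match name.split_once('.') {
        Some((_, rest)) if rest.contains('.') => Some(format!("*.{}", rest)),
        _ => None,
    }
}

impl CertStore {
    pub fn new() -> Self {
        Self::default()
    }

    /// Install or replace (rotate) the key for a name. Handshakes that already
    /// resolved keep their old Arc; handshakes started afterwards see the new one.
    pub fn insert(&self, host: &str, key: CertifiedKey) {
        let mut inner = self.inner.write().expect("cert store lock poisoned");
        inner.by_name.insert(normalize(host), Arc::new(key));
    }

    pub fn set_fallback(&self, key: Option<CertifiedKey>) {
        let mut inner = self.inner.write().expect("cert store lock poisoned");
        inner.fallback = key.map(Arc::new);
    }

    pub fn remove(&self, host: &str) -> bool {
        let mut inner = self.inner.write().expect("cert store lock poisoned");
        inner.by_name.remove(&normalize(host)).is_some()
    }

    /// Choose the key for a ClientHello: exact name, then one-label wildcard,
    /// then fallback. `None` tells the TLS stack to refuse the connection.
    pub fn resolve(&self, sni: Option<&str>) -> Option<Arc<CertifiedKey>> {
        let inner = self.inner.read().expect("cert store lock poisoned");
        let raw = match sni {
            Some(raw) => raw,
            None => return inner.fallback.clone(),
        };
        let name = normalize(raw);
        if let Some(k) = inner.by_name.get(&name) {
            return Some(Arc::clone(k));
        }
        if let Some(w) = wildcard_form(&name) {
            if let Some(k) = inner.by_name.get(&w) {
                return Some(Arc::clone(k));
            }
        }
        inner.fallback.clone()
    }
}

// Wiring into rustls (assumption, not compiled here; names as of rustls 0.21/0.22):
// impl rustls::server::ResolvesServerCert for CertStore {
//     fn resolve(&self, hello: rustls::server::ClientHello<'_>)
//         -> Option<Arc<rustls::sign::CertifiedKey>> {
//         CertStore::resolve(self, hello.server_name())
//     }
// }
// ... .with_no_client_auth().with_cert_resolver(Arc::new(store.clone()))

fn main() {
    let store = CertStore::new();
    store.insert("Example.com", CertifiedKey::new("example-v1"));
    store.insert("*.example.com", CertifiedKey::new("wild-v1"));
    store.set_fallback(Some(CertifiedKey::new("default")));
    let in_flight = store.resolve(Some("example.com.")).unwrap();
    store.insert("example.com", CertifiedKey::new("example-v2")); // rotation
    println!("held by old handshake: {}", in_flight.label);
    println!("new handshake gets:    {}", store.resolve(Some("example.com")).unwrap().label);
    println!("api.example.com ->     {}", store.resolve(Some("api.example.com")).unwrap().label);
}
```

Whether unknown names get the fallback or a refused handshake is a deliberate choice: a fallback keeps non-SNI and legacy clients working, while `set_fallback(None)` avoids presenting a certificate for names the server does not actually hold.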

toidiu commented 5 months ago

@XeCycle We are currently discussing how best we can provide rustls support going forward. Thank you for your patience and sorry for the inconvenience.

jkalez commented 4 months ago

Similarly, it would be nice to have access to dangerous-style things like Rustls exposes, namely custom certificate verifiers. We would like this to support behavior similar to curl -k.

WesleyRosenblum commented 4 months ago

We'll add some documentation on how to work with Rustls in s2n-quic