reactphp / socket

Async, streaming plaintext TCP/IP and secure TLS socket server and client connections for ReactPHP.
https://reactphp.org/socket/
MIT License

Add Opportunistic TLS implementation #302

Open WyriHaximus opened 1 year ago

WyriHaximus commented 1 year ago

This PR introduces the functionality required to build opportunistic TLS clients and servers with ReactPHP. It does so by introducing a prefix to tls://, namely opportunistic, to create opportunistic+tls://example.com:5432 for example as the full URL. This will create an OpportunisticTlsConnectionInterface (instead of a ConnectionInterface) that extends the ConnectionInterface and exposes the enableEncryption method to enable TLS encryption at the desired moment. Inside this PR is an example of a server and client negotiating when to enable TLS and enable it when ready.

Opportunistic Security is described in RFC 7435: https://www.rfc-editor.org/rfc/rfc7435

External PR using the proposed changes in this PR: https://github.com/voryx/PgAsync/pull/52
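As an added illustration of the workflow this PR describes (not code from the PR or from reactphp/socket), here is a minimal STARTTLS-style exchange over the proposed `opportunistic+tls://` scheme: both sides talk plaintext only to agree on the upgrade, then each calls `enableEncryption()` and sends nothing sensitive before the handshake completes. Assumptions not stated in the PR text: `enableEncryption()` returns a promise resolving to the now-encrypted `ConnectionInterface`, `SocketServer` accepts the same scheme prefix, and the certificate paths are placeholders.

```php
<?php
// Added example, not the PR's own code. Assumed API: enableEncryption()
// returns a promise that resolves with the encrypted connection.
require __DIR__ . '/vendor/autoload.php';

use React\Socket\ConnectionInterface;
use React\Socket\Connector;
use React\Socket\SocketServer;

// Server side: plaintext until the client asks for TLS, then upgrade.
$server = new SocketServer('opportunistic+tls://127.0.0.1:8000', [
    'tls' => ['local_cert' => __DIR__ . '/server.pem'], // placeholder path
]);
$server->on('connection', function (ConnectionInterface $conn) {
    // A real protocol would buffer until a full line arrives; one chunk here.
    $conn->once('data', function (string $chunk) use ($conn) {
        if (trim($chunk) !== 'STARTTLS') {
            $conn->write("ERR expected STARTTLS\n");
            $conn->close(); // fail closed: no plaintext application data
            return;
        }
        $conn->write("OK\n"); // tell the client to begin its handshake
        $conn->enableEncryption()->then(
            function (ConnectionInterface $tls) { $tls->write("ENCRYPTED\n"); },
            function (\Throwable $e) use ($conn) { $conn->close(); }
        );
    });
});

// Client side: request the upgrade, wait for OK, then enable encryption.
$connector = new Connector([
    'tls' => ['cafile' => __DIR__ . '/ca.pem'], // placeholder trust anchor
]);
$connector->connect('opportunistic+tls://127.0.0.1:8000')->then(
    function (ConnectionInterface $conn) {
        $conn->write("STARTTLS\n");
        $conn->once('data', function (string $chunk) use ($conn) {
            if (trim($chunk) !== 'OK') {
                $conn->close(); // server refused; do not continue in plaintext
                return;
            }
            $conn->enableEncryption()->then(
                function (ConnectionInterface $tls) {
                    $tls->on('data', function (string $d) { echo 'server: ', $d; });
                },
                function (\Throwable $e) use ($conn) { $conn->close(); }
            );
        });
    }
);
```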

WyriHaximus commented 1 year ago

Thanks to a suggestion from @clue I managed to drop the dependency on https://github.com/reactphp/async/pull/65

WyriHaximus commented 1 year ago

I added some remarks and suggestions for the documentation, same suggestions are also important for the doc-blocks inside the added classes.

@SimonFrings Let me know if you have any more pointers? Will apply them to the docblocks later today

WyriHaximus commented 1 year ago

@SimonFrings Updated the doc blocks

WyriHaximus commented 1 year ago

> Thanks for updating, texts and the overall code structure are looking fine 👍

:+1:

> I am not very experienced when it comes to opportunistic TLS, so I can't really review if this is exactly the way to introduce this to the project, but the rest looks good to me.

The only reason I found out STARTTLS is a flavor of opportunistic TLS is because I started working on https://github.com/voryx/PgAsync/pull/52, and did a write-up of the why at https://blog.wyrihaximus.net/2023/01/migrating-from-self-hosted-in-k8s-databases-to-managed-hosted-at-digital-ocean/. That is also why I started with STARTTLS and ended up with opportunistic TLS, just providing the barebones to do it and not implementing some standard on top of it.

WyriHaximus commented 1 year ago

As discussed, I've extracted this into a package: https://github.com/WyriHaximus/reactphp-opportunistic-tls