Open icing opened 2 years ago
How can one configure a supported cipher without mentioning the TLS protocol version? How can one enable a specific protocol version without being aware which ciphers belong to it?
@kevinburke provided a PR to support default cipher suites by passing NULL in the appropriate position: https://github.com/rustls/rustls-ffi/pull/165. Right now that's blocked on a redesign. Instead of NULL (which isn't clear to the reader of the code what it does), I'd like to have a global constant array RUSTLS_DEFAULT_CIPHER_SUITES and RUSTLS_DEFAULT_CIPHER_SUITES_LEN, so it's clear at the call site. Though perhaps our new rustls_default_cipher_suites_get() could do the same, if we can guarantee that its returned pointers are contiguous in memory (I'd have to check).
We'll also need the same treatment for protocol versions.
How can one enable a certain minimum protocol version without knowing all available?
I think for this we need to add a list of supported_tls_versions or similar, and guarantee it is in sorted order.
What is the outcome of a cipher and TLS version that do not match?
There will be an error returned from rustls_{client,server}_config_builder_new_custom. We should document that. According to https://docs.rs/rustls/0.20.0/src/rustls/builder.rs.html#211-239, the error kind will be "General." We should file an upstream ticket to get a more specific error for that case.
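An added illustration of the two answers above (picking a minimum version from a sorted list, and rejecting suites that match no selected version), not part of the thread and not rustls-ffi code. `SUPPORTED_VERSIONS`, `versions_at_least` and `config_is_usable` are hypothetical names, and the check is assumed to fail only when no selected suite is usable with any selected version.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol version and cipher suite code points as registered for TLS. */
#define TLS1_2 0x0303
#define TLS1_3 0x0304
#define TLS13_AES_128_GCM_SHA256              0x1301
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F

/* Hypothetical stand-in for the proposed list, guaranteed ascending. */
static const uint16_t SUPPORTED_VERSIONS[] = { TLS1_2, TLS1_3 };
#define SUPPORTED_VERSIONS_LEN \
    (sizeof SUPPORTED_VERSIONS / sizeof SUPPORTED_VERSIONS[0])

/* Because the list is sorted and contiguous, "everything >= min" is just a
 * tail slice: return a pointer to its first element and its length. */
const uint16_t *versions_at_least(uint16_t min, size_t *len) {
    size_t i = 0;
    while (i < SUPPORTED_VERSIONS_LEN && SUPPORTED_VERSIONS[i] < min)
        i++;
    *len = SUPPORTED_VERSIONS_LEN - i;
    return SUPPORTED_VERSIONS + i;
}

/* TLS 1.3 suites are registered as 0x13xx; others are treated as TLS 1.2. */
uint16_t suite_version(uint16_t suite) {
    return (suite >> 8) == 0x13 ? TLS1_3 : TLS1_2;
}

/* Assumed model of the builder check: usable if at least one suite
 * belongs to one of the selected versions. */
bool config_is_usable(const uint16_t *suites, size_t ns,
                      const uint16_t *vers, size_t nv) {
    for (size_t i = 0; i < ns; i++)
        for (size_t j = 0; j < nv; j++)
            if (suite_version(suites[i]) == vers[j])
                return true;
    return false;
}

int main(void) {
    /* Constructed sample: caller wants TLS 1.3 or newer, passes a 1.2 suite. */
    size_t nv;
    const uint16_t *vers = versions_at_least(TLS1_3, &nv);
    uint16_t suites[] = { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 };
    printf("%zu version(s) selected, usable=%d\n", nv,
           config_is_usable(suites, 1, vers, nv));
    return 0;
}
```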
Thanks for clarifying. I think passing NULL for default is quite common in a C API, but I have no qualms with passing any other constant you prefer.
As I see it, the new rustls_client_config_builder_new_custom and rustls_server_config_builder_new_custom require specification of protocols and ciphersuites and panic if one is NULL. Questions:
Thanks for your help.