We found that we need to interact with servers that are not up-to-date, and thus require us to enable unsafe legacy renegotiation to be able to interact with them.
Of course, in the ideal world the services would update, but that's not in our hands.
To do that today, because it's impossible to configure the SslContext for each connection individually, we must enable the option globally system-wide via OPENSSL_CONF variable, roughly as shown here. This is clearly somewhat bad, since it opens the vulnerability to all the connections, and not just the ones that actually need it.
Would it be possible to allow further SslContext configuration? I realize that rather breaks the abstraction of the library by exposing such details in the config, but maybe you see a way to do it that's not too terrible? Behind a feature-flag or similar?
If that's not possible, the only alternative I can quickly come up with, is keeping an internal fork of the rust-native-tls crate and patching that workspace-wide. This is definitely not something I'd like to do, if at all possible.
The platform-specific backends are intentionally not exposed by this library. If you want to use OpenSSL APIs specifically, you may want to just use the openssl crate directly.
Hi,
We found that we need to interact with servers that are not up-to-date, and thus require us to enable unsafe legacy renegotiation to be able to interact with them.
Of course, in the ideal world the services would update, but that's not in our hands.
To do that today, because it's impossible to configure the
SslContext
for each connection individually, we must enable the option globally system-wide viaOPENSSL_CONF
variable, roughly as shown here. This is clearly somewhat bad, since it opens the vulnerability to all the connections, and not just the ones that actually need it.Would it be possible to allow further
SslContext
configuration? I realize that rather breaks the abstraction of the library by exposing such details in the config, but maybe you see a way to do it that's not too terrible? Behind a feature-flag or similar?If that's not possible, the only alternative I can quickly come up with, is keeping an internal fork of the
rust-native-tls
crate and patching that workspace-wide. This is definitely not something I'd like to do, if at all possible.Thanks!