examples: add server_acceptor example.#1402
Conversation
| [patch.crates-io] | ||
| # TODO(XXX): Remove this once rcgen has cut a release w/ CRL support included. Only used in examples. | ||
| rcgen = { git = 'https://github.com/est31/rcgen.git' } |
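Review bot: the `[patch.crates-io]` override pins `rcgen` to a bare `git = ...` source with no `rev`, `tag` or `branch`, so the commit that gets built is fixed only by whatever `Cargo.lock` records (if one is committed), and any later push to that repository's default branch is pulled in unreviewed on the next `cargo update`. Suggest pinning it, e.g. `rcgen = { git = 'https://github.com/est31/rcgen.git', rev = '<placeholder commit>' }`, and keeping the TODO so the override is dropped once a release with CRL support is cut.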
It might be worth pinging the upstream to cut a release to avoid this.
I've been holding off on that only because I'm hoping to add support for the cert CRL distribution point and CRL issuing distribution point extensions first.
I might be able to find time to work on that ~today, but perhaps it shouldn't block a release either way?
> I might be able to find time to work on that ~today, but perhaps it shouldn't block a release either way?
Depends on whether those changes would need to be semver-breaking.
I think it can be done w/o breaking semver for the cert CRL distrib point because the CertificateParams struct is non-exhaustive.
For the CRL issuing distribution point I think it will need to be breaking; I didn't mark the CertificateRevocationListParams struct as non-exhaustive (in retrospect, an oversight).
4f9d3a4 to 5644f3b (force-push)
Codecov Report
Coverage Diff

| | main | #1402 | +/- |
| --- | --- | --- | --- |
| Coverage | 96.33% | 96.33% | |
| Files | 66 | 66 | |
| Lines | 14860 | 14860 | |
| Hits | 14316 | 14316 | |
| Misses | 544 | 544 | |
This example has two main purposes:

1. It shows how to use the `Acceptor` API to customize a `ServerConfig` per-connection, possibly using information from the received `ClientHello`.
2. It shows how to load CRL information per-connection to ensure the freshest CRL content is used when validating client certificate revocation status.

Additionally this example uses `rcgen` to generate its own test PKI, potentially being a helpful reference for folks that want to do similar without needing to manually construct certs with `openssl`.

To simulate CRL updates this example program spawns a background thread that periodically replaces the CRL content, flipping back and forth between a CRL that lists the client certificate as revoked, and a CRL that has no revoked certificates.

Using `tlsclient-mio` (or another TLS client program) with the generated client certificate/key you can observe the CRL updates happening by connecting to the server, waiting a little bit, and then connecting again. The result will differ based on the CRL update:

```
$ cargo run --bin tlsclient-mio -- --auth-certs ./client-cert.pem --auth-key ./client-key.pem --cafile ca-cert.pem --port 4443 --http localhost
TLS error: AlertReceived(CertificateRevoked)
Connection closed
<waiting>
$ cargo run --bin tlsclient-mio -- --auth-certs ./client-cert.pem --auth-key ./client-key.pem --cafile ca-cert.pem --port 4443 --http localhost
EOF
Connection closed
```
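As an added illustration, not code from the rustls example or from this PR, the following std-only Rust sketch models the mechanism the description outlines: an updater thread swapping CRL content while each accepted connection takes one snapshot of the current CRL before deciding. `Crl`, `CrlSlot`, `publish`, `snapshot` and `spawn_flipper` are assumed names, and the CRL is stood in by a set of revoked serial numbers rather than the DER CRL the real example builds with `rcgen` and hands to a rustls client verifier.

```rust
// Added, std-only model of the server_acceptor pattern (not rustls code):
// an updater thread swaps CRL content; each accepted connection snapshots it.
use std::collections::HashSet;
use std::sync::{Arc, RwLock};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Stand-in for a parsed CRL (assumption): the serial numbers it revokes.
/// The real example feeds DER CRLs generated by rcgen into a rustls verifier.
#[derive(Clone, Debug, Default)]
pub struct Crl {
    pub revoked_serials: HashSet<Vec<u8>>,
}

/// Shared slot: the updater replaces the inner `Arc<Crl>`, readers clone it.
pub type CrlSlot = Arc<RwLock<Arc<Crl>>>;

pub fn new_slot(crl: Crl) -> CrlSlot {
    Arc::new(RwLock::new(Arc::new(crl)))
}

/// Atomic replacement of the CRL content (what the updater thread does).
pub fn publish(slot: &CrlSlot, crl: Crl) {
    *slot.write().unwrap() = Arc::new(crl);
}

/// Per-connection step: one snapshot at accept time, so the whole handshake
/// is judged against a single CRL even if the updater swaps it mid-handshake.
pub fn snapshot(slot: &CrlSlot) -> Arc<Crl> {
    Arc::clone(&slot.read().unwrap())
}

/// The revocation decision the client verifier makes for one certificate serial.
pub fn client_cert_accepted(crl: &Crl, serial: &[u8]) -> bool {
    !crl.revoked_serials.contains(serial)
}

/// Bounded updater: alternates between a CRL revoking `serial` (even flips) and
/// an empty CRL (odd flips), sleeping `period` after each publish, then exits.
pub fn spawn_flipper(slot: CrlSlot, serial: Vec<u8>, period: Duration, flips: usize) -> JoinHandle<()> {
    thread::spawn(move || {
        for i in 0..flips {
            let mut crl = Crl::default();
            if i % 2 == 0 { crl.revoked_serials.insert(serial.clone()); }
            publish(&slot, crl);
            thread::sleep(period);
        }
    })
}
```

Two connections around one flip reproduce the transcript above: the first snapshot sees the revoking CRL and the handshake is refused, the second sees the empty CRL and succeeds.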
5644f3b to 9107021 (force-push)
Description
This branch resolves #1361 by adding an example of using the `Acceptor` API to provide up-to-date CRL information per-connection.

server: fix acceptor rustdoc typo.
Small typo fix.

examples: add server_acceptor example.
This example has two main purposes:
1. It shows how to use the `Acceptor` API to customize a `ServerConfig` per-connection, possibly using information from the received `ClientHello`.
Additionally this example uses `rcgen` to generate its own test PKI (and CRLs), potentially being a helpful reference for folks that want to do similar without needing to manually construct certs with `openssl`.
To simulate CRL updates this example program spawns a background thread that periodically replaces the CRL content, flipping back and forth between a CRL that lists the client certificate as revoked, and a CRL that has no revoked certificates.
Using `tlsclient-mio` (or another TLS client program) with the generated client certificate/key you can observe the CRL updates happening by connecting to the server, waiting a little bit, and then connecting again. The result will differ based on the CRL update: