Comments (12)
Not just error handling, the server example can only accept one connection at a time, if you have a resolver that requires some time to complete and you have two connections, the second one will get stuck, essentially this means we cannot do tls verification with acme, I have solve this by using the TlsAcceptor
in warp.
from hyper-rustls.
@Parth Sure. Here is a self-contained compiling example. Maybe this could be massaged into the example this issue is asking for. It's just that I'm not using hyper-rustls
to do it.
https://gist.github.com/mikedilger/589f616a2ca607ad1daed278042c1bb8
from hyper-rustls.
This is a possible solution so that the server doesn't error out on a failed tls connection. I'll try to add some for of this to the example to help others trying to do the same thing.
let tls_acceptor = &TlsAcceptor::from(tls_cfg);
// Prepare a long-running future stream to accept and serve cients.
let incoming_tls_stream = tcp
.incoming()
.filter_map(move |s| async move {
let client = match s {
Ok(x) => x,
Err(e) => {
println!("Failed to accept a client, should probably back off");
return Some(Err(e));
}
};
match tls_acceptor.accept(client).await {
Ok(x) => Some(Ok(x)),
Err(e) => {
println!("[!] Voluntary server halt due to client-connection error...: {}", e);
None
}
}
})
.boxed();
from hyper-rustls.
I have solve this by using the
TlsAcceptor
in warp.
FYI: While the TlsAcceptor
and TlsStream
in warp do avoid both of these issues, they are designed in a way that presents another issue. At the time a handler future is created, the warp TlsStream
wrapper is still in Handshaking state. So your handler cannot get access to any SSL info (sni hostname, client certificates, etc). It goes to Streaming via AsyncRead
/AsyncWrite
events.
from hyper-rustls.
@ctz would you be the right person to nudge regarding this?
from hyper-rustls.
@mikedilger in what situation would I want that info?
I read a bit and it seems to be for instances where multiple dns entries point to the same application. So I could, within my application serve a different certificate based on what the client is trying to do.
And I would only be interested in client certificates if I was trying to do mTLS.
Is my understanding correct? If I'm not trying to do either of those things, am I free to use warp for in-process tls processing?
from hyper-rustls.
@Parth Using a warp filter, you can get the host Authority, which it gets either from the Host header or the target URI. It doesn't look at the SNI hostname (afaik). The SNI hostname is for SSL establishment, certificate selection, and not really needed outside of SSL generally. But it would be interesting if the SNI hostname didn't match the HTTP Authority, in which case I would like to detect that and refuse service. I was also more interested in low-level SSL details for curiosity sake and testing of clients to see what they negotiated. For that I ended up using hyper directly and coded the asynchronous handling manually rather than using Service and MakeService traits. Under that paradigm I get everything I want and I understand it a lot better.
from hyper-rustls.
@mikedilger is there a way I could study your implementation?
from hyper-rustls.
FYI, I think #147 fixes this issue.
from hyper-rustls.
+1 from me.
I tried to create a server both by trying to port the example server from the repo to an actual bin project and by trying to reproduce the example server from the docs.
In both cases I had errors that I did not manage to resolve. Some of them are related to the various crate versions for sure, but overall creating a server from the docs seems quite unfeasible.
from hyper-rustls.
Please be more concrete about the issues you ran into (ideally with specific errors).
from hyper-rustls.
I managed to make the docs example server run. The problems were crate versions related. I managed to make it run with the following crate versions:
[dependencies]
hyper = { version = "0.14.27", features = ["full"] }
hyper-rustls = "0.24.2"
rustls = { version = "0.21.10", features = ["default"] }
tokio = { version = "1.35.0", features = ["full"] }
rustls-pemfile = { version = "1.0.4", features = [] }
Maybe the crate versions that the current example needs should be added as a comment at the top of the code example?
I believe it would be very helpful.
PS: The example server from the GitHub repo gives errors like:
error[E0308]: arguments to this method are incorrect
--> src/main.rs:94:10
|
94 | .with_single_cert(certs, key)
| ^^^^^^^^^^^^^^^^ --- expected `PrivateKey`, found `PrivateKeyDer<'_>`
|
note: expected `Vec<Certificate>`, found `Vec<CertificateDer<'_>>`
--> src/main.rs:94:27
|
94 | .with_single_cert(certs, key)
| ^^^^^
= note: expected struct `Vec<rustls::key::Certificate>`
found struct `Vec<CertificateDer<'_>>`
I believe they are crate versions related too. For example, the docs example needs rustls-pemfile 1.0.4, whereas the GitHub example needs rustls-pemfile 2.
Overall, I think that the dependencies that each example needs should be stated somehow clearly, to avoid errors and confusion.
from hyper-rustls.
Related Issues (20)
- More elaborate custom server name HOT 1
- Cannot access peer certificates with example's TlsStream HOT 7
- `HttpsConnectorBuilder::enable_all_versions` doesn't enable ALPN for http/1.1 HOT 1
- Release TLSAcceptor HOT 2
- example of client with mutual tls HOT 3
- When used with a specified request the body is not decrypted HOT 2
- Getting ip address of connection HOT 1
- Creating an HTTPS connection using `HttpsConnectorBuilder` does not allow you to obtain the website's URL. HOT 1
- Hyper v1 compatibility HOT 12
- Release with rustls 0.22 support? HOT 5
- Release 0.25.0 without hyper 1 support? HOT 1
- Prepare v0.25 release, update to Rustls v0.22 HOT 5
- Prepare v0.26 release, update to Hyper 1.0 HOT 8
- v0.26 server example error: failed to serve connection: error shutting down connection HOT 2
- Add support for providing HttpConnector HOT 3
- Rust minimum version should be updated HOT 4
- 0.23.2 of rusttls HOT 3
- Expose feature flag to enable FIPS compliant build of AWS-LC. HOT 1
- Latest version (0.27.1) fails to build for `docs.rs` HOT 2
- wrong feature name for webpki? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hyper-rustls.