Improve TLS support
This commit is contained in:
parent
c8623fd62b
commit
0531156b9e
68
Cargo.lock
generated
68
Cargo.lock
generated
@ -164,17 +164,6 @@ dependencies = [
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "async-rustls"
|
||||
version = "0.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9c86f33abd5a4f3e2d6d9251a9e0c6a7e52eb1113caf893dae8429bf4a53f378"
|
||||
dependencies = [
|
||||
"futures-lite",
|
||||
"rustls",
|
||||
"webpki",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "async-task"
|
||||
version = "4.1.0"
|
||||
@ -489,7 +478,6 @@ version = "0.3.2"
|
||||
dependencies = [
|
||||
"async-channel",
|
||||
"async-compat",
|
||||
"async-rustls",
|
||||
"async-trait",
|
||||
"bincode",
|
||||
"capnp",
|
||||
@ -500,6 +488,7 @@ dependencies = [
|
||||
"easy-parallel",
|
||||
"flexbuffers",
|
||||
"futures 0.3.21",
|
||||
"futures-rustls",
|
||||
"futures-signals",
|
||||
"futures-test",
|
||||
"futures-util",
|
||||
@ -511,7 +500,7 @@ dependencies = [
|
||||
"rsasl",
|
||||
"rumqttc",
|
||||
"rust-argon2",
|
||||
"rustls",
|
||||
"rustls 0.20.4",
|
||||
"rustls-pemfile",
|
||||
"serde",
|
||||
"serde_dhall",
|
||||
@ -743,6 +732,17 @@ dependencies = [
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-rustls"
|
||||
version = "0.22.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d383f0425d991a05e564c2f3ec150bd6dde863179c131dd60d8aa73a05434461"
|
||||
dependencies = [
|
||||
"futures-io",
|
||||
"rustls 0.20.4",
|
||||
"webpki 0.22.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-signals"
|
||||
version = "0.3.24"
|
||||
@ -1515,7 +1515,7 @@ dependencies = [
|
||||
"tokio",
|
||||
"tokio-rustls",
|
||||
"url",
|
||||
"webpki",
|
||||
"webpki 0.21.4",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@ -1539,8 +1539,20 @@ dependencies = [
|
||||
"base64",
|
||||
"log",
|
||||
"ring",
|
||||
"sct",
|
||||
"webpki",
|
||||
"sct 0.6.1",
|
||||
"webpki 0.21.4",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rustls"
|
||||
version = "0.20.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921"
|
||||
dependencies = [
|
||||
"log",
|
||||
"ring",
|
||||
"sct 0.7.0",
|
||||
"webpki 0.22.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@ -1583,6 +1595,16 @@ dependencies = [
|
||||
"untrusted",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "sct"
|
||||
version = "0.7.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.136"
|
||||
@ -1966,9 +1988,9 @@ version = "0.22.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
|
||||
dependencies = [
|
||||
"rustls",
|
||||
"rustls 0.19.1",
|
||||
"tokio",
|
||||
"webpki",
|
||||
"webpki 0.21.4",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@ -2162,6 +2184,16 @@ dependencies = [
|
||||
"untrusted",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "webpki"
|
||||
version = "0.22.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "wepoll-ffi"
|
||||
version = "0.1.2"
|
||||
|
@ -71,9 +71,9 @@ easy-parallel = "3.1.0"
|
||||
genawaiter = "0.99.1"
|
||||
|
||||
# TLS
|
||||
rustls = "0.19"
|
||||
rustls = "0.20"
|
||||
rustls-pemfile = "0.2"
|
||||
async-rustls = "0.2"
|
||||
futures-rustls = "0.22.0"
|
||||
|
||||
[build-dependencies]
|
||||
capnpc = "0.14.4"
|
||||
|
@ -7,8 +7,6 @@ use std::future::Future;
|
||||
|
||||
use std::sync::Arc;
|
||||
|
||||
use async_rustls::server::TlsStream;
|
||||
|
||||
use slog::Logger;
|
||||
|
||||
|
||||
@ -17,6 +15,7 @@ use crate::api::Bootstrap;
|
||||
use crate::error::Result;
|
||||
|
||||
use capnp_rpc::{rpc_twoparty_capnp, twoparty};
|
||||
use futures_rustls::server::TlsStream;
|
||||
|
||||
use smol::io::split;
|
||||
|
||||
|
@ -20,8 +20,8 @@ use std::sync::Arc;
|
||||
|
||||
use std::os::unix::io::AsRawFd;
|
||||
use std::path::Path;
|
||||
use async_rustls::TlsAcceptor;
|
||||
use rustls::{Certificate, KeyLogFile, NoClientAuth, PrivateKey, ServerConfig};
|
||||
use futures_rustls::TlsAcceptor;
|
||||
use rustls::{Certificate, KeyLogFile, PrivateKey, ServerConfig};
|
||||
|
||||
use signal_hook::low_level::pipe as sigpipe;
|
||||
|
||||
@ -60,23 +60,30 @@ pub fn serve_api_connections(log: Arc<Logger>, config: Config, db: Databases, nw
|
||||
.collect();
|
||||
info!(log, "Reading private key file");
|
||||
let mut keyfp = BufReader::new(File::open(&config.keyfile)?);
|
||||
let mut tls_config = ServerConfig::new(Arc::new(NoClientAuth));
|
||||
tls_config.key_log = Arc::new(KeyLogFile::new());
|
||||
if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
|
||||
let path = Path::new(&path);
|
||||
warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
|
||||
path.display());
|
||||
}
|
||||
let mut tls_builder = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth()
|
||||
;
|
||||
|
||||
let mut tls_config;
|
||||
match rustls_pemfile::read_one(&mut keyfp)? {
|
||||
Some(rustls_pemfile::Item::PKCS8Key(key) | rustls_pemfile::Item::RSAKey(key)) => {
|
||||
let key = PrivateKey(key);
|
||||
tls_config.set_single_cert(certs, key)?;
|
||||
tls_config = tls_builder.with_single_cert(certs, key)?;
|
||||
}
|
||||
_ => {
|
||||
error!(log, "private key file must contain a PEM-encoded private key");
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
|
||||
let path = Path::new(&path);
|
||||
warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
|
||||
path.display());
|
||||
}
|
||||
tls_config.key_log = Arc::new(KeyLogFile::new());
|
||||
|
||||
let tls_acceptor: TlsAcceptor = Arc::new(tls_config).into();
|
||||
|
||||
// Bind to each address in config.listens.
|
||||
|
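Review bot: `tls_builder` at `let mut tls_builder = ServerConfig::builder()` is never mutated — `with_single_cert` consumes it by value — so the `mut` is unnecessary and will draw an `unused_mut` warning; likewise the deferred `let mut tls_config;` reads better as the value of the `match` itself, which also removes the dangling `;` line after `.with_no_client_auth()`. The `tls_config.key_log = Arc::new(KeyLogFile::new());` that follows installs the key logger unconditionally; rustls's `KeyLogFile` only writes when `SSLKEYLOGFILE` is set, which the preceding `warn!` mirrors, but consider gating that assignment behind an explicit config option so that the process environment alone cannot turn on secret logging on a production server. `serve_api_connections` starts before and continues past this hunk.
```rust
    let tls_builder = ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth();

    let mut tls_config = match rustls_pemfile::read_one(&mut keyfp)? {
        Some(rustls_pemfile::Item::PKCS8Key(key) | rustls_pemfile::Item::RSAKey(key)) => {
            tls_builder.with_single_cert(certs, PrivateKey(key))?
        }
        _ => {
            error!(log, "private key file must contain a PEM-encoded private key");
            return Ok(());
        }
    };
    // … unchanged: SSLKEYLOGFILE warning, key_log assignment, acceptor construction …
```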