Struct rustls::ConfigBuilder

source ·
pub struct ConfigBuilder<Side: ConfigSide, State> { /* private fields */ }
Expand description

Building a ServerConfig or ClientConfig in a linker-friendly and complete way.

Linker-friendly: meaning unused cipher suites, protocol versions, key exchange mechanisms, etc. can be discarded by the linker as they’ll be unreferenced.

Complete: the type system ensures all decisions required to run a server or client have been made by the time the process finishes.

Example, to make a ServerConfig:

ServerConfig::builder()
    .with_safe_default_cipher_suites()
    .with_safe_default_kx_groups()
    .with_safe_default_protocol_versions()
    .unwrap()
    .with_no_client_auth()
    .with_single_cert(certs, private_key)
    .expect("bad certificate/key");

This may be shortened to:

ServerConfig::builder()
    .with_safe_defaults()
    .with_no_client_auth()
    .with_single_cert(certs, private_key)
    .expect("bad certificate/key");

To make a ClientConfig:

ClientConfig::builder()
    .with_safe_default_cipher_suites()
    .with_safe_default_kx_groups()
    .with_safe_default_protocol_versions()
    .unwrap()
    .with_root_certificates(root_certs)
    .with_client_auth_cert(certs, private_key)
    .expect("bad certificate/key");

This may be shortened to:

ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_certs)
    .with_no_client_auth();

The types used here fit together like this:

  1. Call ClientConfig::builder() or ServerConfig::builder() to initialize a builder.
  2. You must make a decision on which cipher suites to use, typically by calling ConfigBuilder<S, WantsCipherSuites>::with_safe_default_cipher_suites().
  3. Now you must make a decision on key exchange groups: typically by calling ConfigBuilder<S, WantsKxGroups>::with_safe_default_kx_groups().
  4. Now you must make a decision on which protocol versions to support, typically by calling ConfigBuilder<S, WantsVersions>::with_safe_default_protocol_versions().
  5. Now see ConfigBuilder<ClientConfig, WantsVerifier> or ConfigBuilder<ServerConfig, WantsVerifier> for further steps.

Implementations§

source§

impl<S: ConfigSide> ConfigBuilder<S, WantsCipherSuites>

source

pub fn with_safe_defaults(self) -> ConfigBuilder<S, WantsVerifier>

Start side-specific config with defaults for underlying cryptography.

If used, this will enable all safe supported cipher suites (DEFAULT_CIPHER_SUITES), all safe supported key exchange groups (ALL_KX_GROUPS) and all safe supported protocol versions (DEFAULT_VERSIONS).

These are safe defaults, useful for 99% of applications.

source

pub fn with_cipher_suites( self, cipher_suites: &[SupportedCipherSuite], ) -> ConfigBuilder<S, WantsKxGroups>

Choose a specific set of cipher suites.

source

pub fn with_safe_default_cipher_suites(self) -> ConfigBuilder<S, WantsKxGroups>

Choose the default set of cipher suites (DEFAULT_CIPHER_SUITES).

Note that this default provides only high-quality suites: there is no need to filter out low-, export- or NULL-strength cipher suites: rustls does not implement these.

source§

impl<S: ConfigSide> ConfigBuilder<S, WantsKxGroups>

source

pub fn with_kx_groups( self, kx_groups: &[&'static SupportedKxGroup], ) -> ConfigBuilder<S, WantsVersions>

Choose a specific set of key exchange groups.

source

pub fn with_safe_default_kx_groups(self) -> ConfigBuilder<S, WantsVersions>

Choose the default set of key exchange groups (ALL_KX_GROUPS).

This is a safe default: rustls doesn’t implement any poor-quality groups.

source§

impl<S: ConfigSide> ConfigBuilder<S, WantsVersions>

source

pub fn with_safe_default_protocol_versions( self, ) -> Result<ConfigBuilder<S, WantsVerifier>, Error>

Accept the default protocol versions: both TLS1.2 and TLS1.3 are enabled.

source

pub fn with_protocol_versions( self, versions: &[&'static SupportedProtocolVersion], ) -> Result<ConfigBuilder<S, WantsVerifier>, Error>

Use a specific set of protocol versions.

source§

impl ConfigBuilder<ClientConfig, WantsVerifier>

source

pub fn with_root_certificates( self, root_store: impl Into<Arc<RootCertStore>>, ) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>

Choose how to verify server certificates.

source

pub fn with_custom_certificate_verifier( self, verifier: Arc<dyn ServerCertVerifier>, ) -> ConfigBuilder<ClientConfig, WantsClientCert>

Set a custom certificate verifier.

source§

impl ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>

source

pub fn with_certificate_transparency_logs( self, logs: &'static [&'static Log<'_>], validation_deadline: SystemTime, ) -> ConfigBuilder<ClientConfig, WantsClientCert>

Set Certificate Transparency logs to use for server certificate validation.

Because Certificate Transparency logs are sharded on a per-year basis and can be trusted or distrusted relatively quickly, rustls stores a validation deadline. Server certificates will be validated against the configured CT logs until the deadline expires. After the deadline, certificates will no longer be validated, and a warning message will be logged. The deadline may vary depending on how often you deploy builds with updated dependencies.

source

pub fn with_client_auth_cert( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ) -> Result<ClientConfig, Error>

Sets a single certificate chain and matching private key for use in client authentication.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

source

pub fn with_single_cert( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ) -> Result<ClientConfig, Error>

👎Deprecated since 0.21.4: Use with_client_auth_cert instead

Sets a single certificate chain and matching private key for use in client authentication.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

source

pub fn with_no_client_auth(self) -> ClientConfig

Do not support client auth.

source

pub fn with_client_cert_resolver( self, client_auth_cert_resolver: Arc<dyn ResolvesClientCert>, ) -> ClientConfig

Sets a custom ResolvesClientCert.

source§

impl ConfigBuilder<ClientConfig, WantsClientCert>

source

pub fn with_client_auth_cert( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ) -> Result<ClientConfig, Error>

Sets a single certificate chain and matching private key for use in client authentication.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

source

pub fn with_single_cert( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ) -> Result<ClientConfig, Error>

👎Deprecated since 0.21.4: Use with_client_auth_cert instead

Sets a single certificate chain and matching private key for use in client authentication.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

source

pub fn with_no_client_auth(self) -> ClientConfig

Do not support client auth.

source

pub fn with_client_cert_resolver( self, client_auth_cert_resolver: Arc<dyn ResolvesClientCert>, ) -> ClientConfig

Sets a custom ResolvesClientCert.

source§

impl ConfigBuilder<ServerConfig, WantsVerifier>

source

pub fn with_client_cert_verifier( self, client_cert_verifier: Arc<dyn ClientCertVerifier>, ) -> ConfigBuilder<ServerConfig, WantsServerCert>

Choose how to verify client certificates.

source

pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert>

Disable client authentication.

source§

impl ConfigBuilder<ServerConfig, WantsServerCert>

source

pub fn with_single_cert( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ) -> Result<ServerConfig, Error>

Sets a single certificate chain and matching private key. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

Note that the end-entity certificate must have the Subject Alternative Name extension to describe, e.g., the valid DNS name. The commonName field is disregarded.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

source

pub fn with_single_cert_with_ocsp_and_sct( self, cert_chain: Vec<Certificate>, key_der: PrivateKey, ocsp: Vec<u8>, scts: Vec<u8>, ) -> Result<ServerConfig, Error>

Sets a single certificate chain, matching private key, OCSP response and SCTs. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key. ocsp is a DER-encoded OCSP response. Ignored if zero length. scts is an SignedCertificateTimestampList encoding (see RFC6962) and is ignored if empty.

This function fails if key_der is invalid.

source

pub fn with_cert_resolver( self, cert_resolver: Arc<dyn ResolvesServerCert>, ) -> ServerConfig

Sets a custom ResolvesServerCert.

Trait Implementations§

source§

impl<Side: Clone + ConfigSide, State: Clone> Clone for ConfigBuilder<Side, State>

source§

fn clone(&self) -> ConfigBuilder<Side, State>

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl<Side: ConfigSide, State: Debug> Debug for ConfigBuilder<Side, State>

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl<Side, State> Freeze for ConfigBuilder<Side, State>
where State: Freeze,

§

impl<Side, State> RefUnwindSafe for ConfigBuilder<Side, State>
where State: RefUnwindSafe, Side: RefUnwindSafe,

§

impl<Side, State> Send for ConfigBuilder<Side, State>
where State: Send, Side: Send,

§

impl<Side, State> Sync for ConfigBuilder<Side, State>
where State: Sync, Side: Sync,

§

impl<Side, State> Unpin for ConfigBuilder<Side, State>
where State: Unpin, Side: Unpin,

§

impl<Side, State> UnwindSafe for ConfigBuilder<Side, State>
where State: UnwindSafe, Side: UnwindSafe,

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

source§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

source§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.