Comments (13)
Doesn't http/2 over TLS require ALPN?
I think it does require ALPN, however, it works without ALPN at least for gRPC.
But why doesn't rust-native-tls support ALPN?
native-tls is not the "one true TLS library".
Well, it would be good to have "one true TLS library". And I don't have time to invest in implementing an abstraction over different TLS implementations. (Especially because I don't understand TLS stuff very well.)
It would be nice if rust-native-tls supported the most important stuff, and I wouldn't use anything it doesn't support. (Actually, I don't know what else besides ALPN I need from TLS library).
It seems pretty strange that it would take hundreds of conditionals to disable a TLS backend. Maybe some refactoring is in order? There is 1 #[cfg] for each TLS backend in rust-postgres, for example.
Well, not hundreds, but tens if you have client and server and a dozen convenience constructors. And you still need to build your code twice, with and without TLS, just to check you haven't missed something.
Actually, I have two libraries: http/2 and grpc (which depends on http/2), so I need to have these cfg flags in two libraries.
No-op rusttls would be convenient.
What happens if someone wants to use something other than native-tls?
Why would someone want to use something other than native tls?
native-tls is not the "one true TLS library". It targets the "I don't want to do anything particularly exotic and just want this to work with minimal effort" case. There's an enormous swath of functionality you can get using OpenSSL directly instead of native-tls, for example.
How can http2 be using this library in the first place? Doesn't http/2 over TLS require ALPN?
Seems like Security.framework doesn't support ALPN. So even if rust-native-tls supported ALPN, I couldn't use it on OSX for a proper implementation of HTTP/2.
So I've got another suggestion (which will also make this feature request needless).
Would you like/could you have a crate like rust-tls-api with traits

```rust
trait TlsConnector {
    fn connect(...) { ... }
}
trait TlsAcceptor {
    fn accept(...) { ... }
}
trait TlsConnectorBuilder { ... }
trait TlsAcceptorBuilder { ... }
```

and no implementations?
So rust-openssl, rust-schannel and rust-security-framework could depend on that crate and implement these traits? rust-native-tls could also implement these traits.

So in my implementation of http2/grpc I could simply depend on rust-tls-api, have no #[cfg] directives at all, and the concrete implementation of TLS (or none at all) could be chosen by the library user.
Yeah, that'd be a good thing to do.
Great! What's next? Will you do it all by yourself? Can I help?
I'll start messing around with stuff over the weekend.
I've created a sketch of implementation: rust-tls-api. Doesn't work yet; it's empty interfaces and an implementation for rust-native-tls in a separate crate.

The largest problem I've encountered, which I overlooked before, is the lack of HKT in Rust. It's not possible to declare:

```rust
struct TlsConnector {
    type <S> TlsStream<S>;
}
```

So I decided to do it with boxing: tls_api::TlsStream is a struct:

```rust
struct TlsStream(Box<TlsStreamImpl>);
```

Which is probably not a big deal.
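As an added example (not code from rust-tls-api, rust-native-tls, or anyone in this thread), the following sketch shows the boxed-stream design just described end to end, together with the "no-op" backend idea from earlier in the thread: an HTTP/2 library depends only on a `TlsConnector` trait, backends hide their stream type behind `Box<dyn TlsStreamImpl>`, and a plaintext passthrough backend lets the library build and run with no TLS and no `#[cfg]` in its own code. `TlsStreamImpl`, `TlsStream` and `TlsConnector` are names used in the thread; `negotiated_alpn`, `NoTlsConnector`, `Passthrough`, `Loopback`, `open_h2` and `alpn_selected_h2` are my own assumptions, and the loopback transport is constructed test input, not a network socket.

```rust
// Added example, not code from rust-tls-api or rust-native-tls: a sketch of the
// boxed-stream design from the comment above. `TlsStreamImpl`, `TlsStream` and
// `TlsConnector` are names from the thread; `negotiated_alpn`, `NoTlsConnector`,
// `Passthrough`, `Loopback`, `open_h2` and `alpn_selected_h2` are assumptions.
use std::collections::VecDeque;
use std::io::{self, Read, Write};

/// Backend-facing trait. It is object-safe, so `Box<dyn TlsStreamImpl>` hides each
/// backend's concrete stream type: the boxing workaround for the missing HKT.
pub trait TlsStreamImpl: Read + Write {
    /// Protocol selected by ALPN, if the backend supports ALPN and one was agreed.
    fn negotiated_alpn(&self) -> Option<Vec<u8>>;
}

/// User-facing stream: a newtype over the box, as proposed above.
pub struct TlsStream(Box<dyn TlsStreamImpl>);

impl TlsStream {
    pub fn negotiated_alpn(&self) -> Option<Vec<u8>> { self.0.negotiated_alpn() }
}
impl Read for TlsStream {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { self.0.read(buf) }
}
impl Write for TlsStream {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> { self.0.write(buf) }
    fn flush(&mut self) -> io::Result<()> { self.0.flush() }
}

/// The trait an HTTP/2 library depends on instead of any concrete backend.
pub trait TlsConnector {
    /// Wrap an already-connected transport. A real backend would use `domain` for
    /// SNI and hostname verification; the no-op backend below ignores it.
    fn connect<S: Read + Write + 'static>(&self, domain: &str, stream: S) -> io::Result<TlsStream>;
}

/// The "no-op" backend mentioned above: plaintext passthrough, so the library
/// builds and runs with no TLS backend selected and no #[cfg] in its own code.
pub struct NoTlsConnector;

struct Passthrough<S>(S);
impl<S: Read> Read for Passthrough<S> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { self.0.read(buf) }
}
impl<S: Write> Write for Passthrough<S> {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> { self.0.write(buf) }
    fn flush(&mut self) -> io::Result<()> { self.0.flush() }
}
impl<S: Read + Write> TlsStreamImpl for Passthrough<S> {
    // No handshake happened, so nothing was negotiated.
    fn negotiated_alpn(&self) -> Option<Vec<u8>> { None }
}
impl TlsConnector for NoTlsConnector {
    fn connect<S: Read + Write + 'static>(&self, _domain: &str, stream: S) -> io::Result<TlsStream> {
        Ok(TlsStream(Box::new(Passthrough(stream))))
    }
}

/// Constructed in-memory transport: everything written is read back in order.
pub struct Loopback(VecDeque<u8>);
impl Loopback { pub fn new() -> Self { Loopback(VecDeque::new()) } }
impl Read for Loopback {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = buf.len().min(self.0.len());
        for slot in buf.iter_mut().take(n) { *slot = self.0.pop_front().unwrap(); }
        Ok(n) // 0 once drained, which is what ends `read_to_end`
    }
}
impl Write for Loopback {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> { self.0.extend(buf.iter().copied()); Ok(buf.len()) }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

/// HTTP/2 client connection preface (RFC 7540, section 3.5).
pub const H2_PREFACE: &[u8] = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";

/// Library code generic over the trait: it never names a backend. Sends the preface
/// and returns what came back plus the ALPN result for the caller to check.
pub fn open_h2<C: TlsConnector, S: Read + Write + 'static>(
    connector: &C, host: &str, transport: S,
) -> io::Result<(Vec<u8>, Option<Vec<u8>>)> {
    let mut tls = connector.connect(host, transport)?;
    tls.write_all(H2_PREFACE)?;
    tls.flush()?;
    let mut echoed = Vec::new();
    tls.read_to_end(&mut echoed)?;
    Ok((echoed, tls.negotiated_alpn()))
}

/// Over real TLS, HTTP/2 requires the peer to have selected "h2" via ALPN (RFC 7540,
/// section 3.3). The no-op backend yields `None`: plaintext is h2c territory, not h2.
pub fn alpn_selected_h2(alpn: Option<&[u8]>) -> bool {
    alpn == Some(&b"h2"[..])
}

fn main() {
    let (echoed, alpn) = open_h2(&NoTlsConnector, "example.com", Loopback::new()).unwrap();
    println!("echoed {} bytes, alpn={:?}, h2 over TLS ok={}", echoed.len(), alpn, alpn_selected_h2(alpn.as_deref()));
}
```

The point of the shape: `open_h2` compiles against the trait alone, so swapping the no-op connector for a backend crate that implements `TlsConnector` over OpenSSL, SChannel or Security.framework is a change in the caller, not in the HTTP/2 library. The ALPN check stays with the caller for the same reason: only it knows whether the connector it chose actually did TLS, and a backend without ALPN support (the Security.framework situation described above) will report `None` and must not be treated as a working h2-over-TLS connection.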
Well, it actually works at least for simple cases: