feat(transport): Expose more granular control of TLS configuration #48
Conversation
jen20
changed the title
jen20
force-pushed
the
jen20/expose-tls-configuration
branch
3 times, most recently
from
43f60fa
to
f624e8d
Compare
|
After playing with this some more, and the suggestions in #47 I've reworked this to use a new builder for TLS options. This allows us to expose several different levels of abstraction for configuring TLS while not creating sprawl in the |
jen20
force-pushed
the
jen20/expose-tls-configuration
branch
4 times, most recently
from
cb010c9
to
87d6549
Compare
tonic/src/transport/endpoint.rs
Outdated
| } | ||
|
|
||
| /// Sets the CA Certificate against which to verify the server's TLS certificate. | ||
| pub fn ca_certificate(mut self, ca_certificate: Certificate) -> Self { |
There was a problem hiding this comment.
What do you think about this taking &mut self and returning &mut Self like the other builders?
There was a problem hiding this comment.
I've had a look at this, but we have the issue that we want to take the SslConnector and ClientConfig values from the builder? Happy to look at alternatives though.
There was a problem hiding this comment.
I believe the configs should be cheaply clonable right? So that means we can take a &self and get a full version.
jen20
force-pushed
the
jen20/expose-tls-configuration
branch
3 times, most recently
from
6e520f5
to
7f0dfca
Compare
|
Thanks for the feedback @LucioFranco - most of the issues you raised are now addressed, with a couple of additional questions inline. |
This commit reworks TLS configuration of both servers and endpoints in order to provide a more flexible API. We now add options to configure the selected TLS library using the appropriate 'native' configuration structures, as well as retaining the existing simplier interface which is compatible with both. The new API can also be easily extended to support simple interfaces for configuring mTLS and a range of other options without creating sprawl in the builders for `Server` and `Endpoint`.
jen20
force-pushed
the
jen20/expose-tls-configuration
branch
from
7f0dfca
to
95bc8ee
Compare
LucioFranco
changed the title
|
Thanks! Next up I’m going to look at mutual TLS, I’ll likely have a write up of the options some time tomorrow morning (EU time). |
…yperium#48) This commit reworks TLS configuration of both servers and endpoints in order to provide a more flexible API. We now add options to configure the selected TLS library using the appropriate 'native' configuration structures, as well as retaining the existing simplier interface which is compatible with both. The new API can also be easily extended to support simple interfaces for configuring mTLS and a range of other options without creating sprawl in the builders for `Server` and `Endpoint`.
This is the start of an implementation of the solution for exposing more granular control over TLS as described in #47.
It is currently incomplete, but does not lose any functionality over the previous API and should help inform whether this is the path we want to go down or not.