Module tls 

TLS / mTLS configuration and verifiers for the HTTP daemon.

Wave 4 (v0.6.3) — extracted verbatim from src/main.rs. Three layers:

1. Layer 1 — server-side TLS via axum-server + rustls. load_rustls_config parses a PEM cert + PEM key (PKCS#8 / RSA / SEC1) and surfaces operator-friendly errors instead of letting rustls’ wrapped IO errors bubble up. TLS misconfiguration is the #1 new-deploy footgun.

2. Layer 2 — mTLS with SHA-256 client-cert fingerprint allowlist. load_mtls_rustls_config builds a rustls ServerConfig that:

   • presents the local cert/key (same as Layer 1),
   • demands a client certificate on every connection,
   • accepts the client cert only if its SHA-256 fingerprint appears on the operator-configured allowlist. Any other cert — including ones signed by trusted CAs — is rejected. This is the fastest path to “only authorised peers can even connect” without depending on a PKI/CA ecosystem. Fingerprint pinning is a well-understood primitive (HTTP Public Key Pinning, SSH host keys).

   The allowlist parser tolerates:

   • blank lines and # full-line comments,
   • trailing inline comments (issue #358),
   • optional : separators in the hex,
   • an optional leading sha256: marker (forward-compat). It rejects embedded whitespace inside the hex run (issue #338) so soft-wrap copy-paste artefacts surface a clear “unexpected character” error rather than a misleading length error further down.

3. Layer 2 (client side) — build_rustls_client_config builds a rustls::ClientConfig with client-cert auth and a “dangerously-accept- any-server-cert” verifier. Used by the sync-daemon to present its client cert on every outbound request while connecting to peers with self-signed server certs. Peer authenticity is established on the other direction (they verify us via --mtls-allowlist).

Every public symbol below is move-extracted byte-for-byte from main.rs at the W3 commit, with pub added for cross-module visibility. Behaviour must remain bit-for-bit identical at the call sites.

Structs

DangerousAnyServerVerifier

ServerCertVerifier that accepts any peer certificate. Safe ONLY when paired with a strong reverse authentication channel — in our case the peer’s --mtls-allowlist fingerprint-pins our client cert.

FingerprintAllowlistVerifier

Custom ClientCertVerifier that accepts only client certs whose SHA-256 DER fingerprint is on the allowlist. Ignores CA chain — fingerprint pinning is the trust anchor here, same model as SSH known_hosts.

Constants

SUPPORTED_PROTOCOL_VERSIONS

v0.7.0 H3 — pin the rustls protocol-version floor to TLS 1.2 with TLS 1.3 preferred. Listed in descending preference order; rustls negotiates the highest protocol both peers support. TLS 1.0 / 1.1 are deliberately omitted: they have known weaknesses (BEAST, POODLE, no AEAD) and are disabled in every modern client (Chrome ≥ 84, Firefox ≥ 78, Safari ≥ 13).

Functions

build_rustls_client_config

Build a rustls ClientConfig with client-cert auth and a “dangerously-accept-any-server-cert” verifier. Used by the sync-daemon to present its client cert on every outbound request while connecting to peers with self-signed server certs. Peer authenticity is established on the other direction (they verify us via --mtls-allowlist).

hex_short

load_fingerprint_allowlist

Parse the allowlist file: one SHA-256 fingerprint per line, case-insensitive hex with optional : separators. Empty lines and # comments are skipped.

load_mtls_rustls_config

Load a rustls server config with client-cert-fingerprint verification.

load_rustls_config

Load a PEM cert + PEM key (PKCS#8 or RSA) into an axum-server rustls config. Returns an error with a specific message for the operator rather than letting rustls’ wrapped IO error bubble up — TLS misconfigurations are the #1 new-deploy footgun.

rustls_pki_pem_iter_certs

rustls_pki_pem_parse_private_key

serve_rustls_acceptor

v0.7.0 #1581 — production acceptor for the TLS / mTLS serve path: the rustls acceptor wrapped around axum_server::accept::NoDelayAcceptor so TCP_NODELAY is set on every accepted socket BEFORE the handshake.