rustls_crl_refresh/lib.rs
//! Process-wide CRL cache plus refreshable rustls verifiers.
//!
//! See the [crate-level README](https://docs.rs/rustls-crl-refresh)
//! for the design rationale. The short version: rustls's
//! `WebPkiClientVerifier` / `WebPkiServerVerifier` bake the CRL list
//! into the verifier at construction time, so refreshing CRL bytes
//! requires rebuilding the surrounding `ServerConfig` /
//! `ClientConfig`. Long-running servers that keep `Arc`-identity-keyed
//! connection pools (hyper-util's `legacy::Client`, `quinn::Endpoint`, …)
//! pay a real cost when those configs churn. This crate keeps the
//! configs stable: a [`CrlCache`] holds the latest bytes per source,
//! and [`RefreshableClientCertVerifier`] /
//! [`RefreshableServerCertVerifier`] reconstruct the inner
//! `WebPkiVerifier` per handshake against the fresh snapshot.

mod cache;
mod verifier;

pub use cache::{
    CrlCache, CrlFetchFailure, CrlFetcher, CrlSourceId, dedupe_crl_sources, read_crl_file,
};
pub use verifier::{RefreshableClientCertVerifier, RefreshableServerCertVerifier};
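The crate-level comment above describes the pattern (a process-wide cache of CRL bytes, and a verifier that holds a handle to that cache instead of a frozen CRL list, rebuilding the inner verifier per handshake) without showing the mechanics. The following is an added, self-contained illustration of that pattern written for this page; it is not code from the `rustls-crl-refresh` crate, and the types `SourceId`, `Snapshot`, `CrlCache`, `BuiltVerifier` and `RefreshableVerifier` are stand-ins, not the crate's exported API. `BuiltVerifier` performs no certificate verification; it only records which snapshot it was built from, where a real build would hand the DER to rustls's `WebPkiVerifier`. The memoisation of the last build by snapshot generation goes beyond what the page states and is marked as such in the code; it shows how the per-handshake rebuild can be made cheap when the CRL set has not changed. The CRL bytes in `demo` are constructed placeholders.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex, RwLock};

/// One CRL source (distribution-point URL or file path). Hypothetical type for this example.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct SourceId(pub String);

/// Immutable point-in-time view of every cached CRL. A handshake that took a
/// snapshot keeps seeing exactly this set even if a refresh lands mid-handshake.
#[derive(Debug, Default)]
pub struct Snapshot {
    pub generation: u64,
    pub crls: HashMap<SourceId, Vec<u8>>,
}

/// Process-wide cache. Readers clone an `Arc<Snapshot>` under a short read lock;
/// a refresh builds a new map and swaps the `Arc` (copy-on-write), so nothing
/// is ever mutated underneath an in-flight reader.
#[derive(Default)]
pub struct CrlCache {
    current: RwLock<Arc<Snapshot>>,
    next_generation: AtomicU64,
}

impl CrlCache {
    pub fn snapshot(&self) -> Arc<Snapshot> {
        Arc::clone(&self.current.read().expect("cache lock poisoned"))
    }

    /// Publish fresh DER bytes for one source; returns the new generation number.
    pub fn update(&self, id: SourceId, der: Vec<u8>) -> u64 {
        let mut guard = self.current.write().expect("cache lock poisoned");
        let generation = self.next_generation.fetch_add(1, Ordering::AcqRel) + 1;
        let mut crls = guard.crls.clone();
        crls.insert(id, der);
        *guard = Arc::new(Snapshot { generation, crls });
        generation
    }
}

/// Stand-in for the inner `WebPkiVerifier`: it performs no verification and only
/// records what it was built from. A real build would parse the CRL DER here.
#[derive(Debug)]
pub struct BuiltVerifier {
    pub generation: u64,
    pub crl_count: usize,
}

/// Refreshable verifier: holds a cache handle instead of a frozen CRL list, so
/// the `ServerConfig` / `ClientConfig` wrapping it never has to be rebuilt.
pub struct RefreshableVerifier {
    cache: Arc<CrlCache>,
    /// Last build, reused while the snapshot generation is unchanged. This
    /// memoisation is an addition for the example, not something the crate
    /// is documented to do; it avoids re-parsing CRLs on every handshake.
    built: Mutex<Option<Arc<BuiltVerifier>>>,
    rebuilds: AtomicU64,
}

impl RefreshableVerifier {
    pub fn new(cache: Arc<CrlCache>) -> Self {
        RefreshableVerifier { cache, built: Mutex::new(None), rebuilds: AtomicU64::new(0) }
    }

    /// Called once per handshake: returns a verifier matching the current snapshot.
    pub fn for_handshake(&self) -> Arc<BuiltVerifier> {
        let snap = self.cache.snapshot();
        let mut slot = self.built.lock().expect("verifier lock poisoned");
        if let Some(v) = slot.as_ref().filter(|v| v.generation == snap.generation) {
            return Arc::clone(v);
        }
        self.rebuilds.fetch_add(1, Ordering::AcqRel);
        let fresh = Arc::new(BuiltVerifier { generation: snap.generation, crl_count: snap.crls.len() });
        *slot = Some(Arc::clone(&fresh));
        fresh
    }

    pub fn rebuilds(&self) -> u64 {
        self.rebuilds.load(Ordering::Acquire)
    }
}

/// Three handshakes around one refresh. Returns (generation each handshake saw,
/// number of inner rebuilds, CRL count in a snapshot held across the refresh,
/// CRL count in the live cache afterwards).
pub fn demo() -> (Vec<u64>, u64, usize, usize) {
    let cache = Arc::new(CrlCache::default());
    let verifier = RefreshableVerifier::new(Arc::clone(&cache));
    let mut seen = vec![verifier.for_handshake().generation, verifier.for_handshake().generation];

    let held = cache.snapshot(); // an in-flight handshake's view
    // Constructed placeholder bytes, not a real CRL.
    cache.update(SourceId("https://crl.example.test/ca.crl".into()), vec![0x30, 0x82, 0x01, 0x00]);
    seen.push(verifier.for_handshake().generation);

    (seen, verifier.rebuilds(), held.crls.len(), cache.snapshot().crls.len())
}

fn main() {
    let (seen, rebuilds, held, live) = demo();
    println!("generations seen: {seen:?}, rebuilds: {rebuilds}, held: {held}, live: {live}");
}
```

Two properties matter for the security argument and both are visible in `demo`: the verifier wrapping object is never replaced, so any pool keyed on its `Arc` identity keeps working, and a handshake that already took a snapshot finishes against a consistent CRL set while later handshakes pick up the refreshed one. The cost that the design shifts from config churn to per-handshake rebuild is the CRL parse, which is why keying the last build on the snapshot generation is worth doing in practice.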