microsandbox_network/tls/config.rs
//! TLS interception configuration types.
//!
//! These types configure inline TLS interception (MITM) for the smoltcp networking stack.
//! All TCP connections terminate at smoltcp, so TLS interception is handled
//! directly by proxy tasks; no kernel redirect rules are needed.
6
7use std::path::PathBuf;
8
9use serde::{Deserialize, Serialize};
10
11//--------------------------------------------------------------------------------------------------
12// Types
13//--------------------------------------------------------------------------------------------------
14
/// TLS interception configuration.
///
/// Every field carries a serde default, so any field omitted from the input
/// falls back to the same value that [`TlsConfig::default`] produces:
/// interception disabled, port 443 only, upstream verification on and QUIC
/// blocking on.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsConfig {
    /// Whether TLS interception is enabled. Defaults to `false`, so
    /// interception must be switched on explicitly.
    #[serde(default)]
    pub enabled: bool,

    /// TCP ports subject to TLS interception (default: `[443]`).
    #[serde(default = "default_intercepted_ports")]
    pub intercepted_ports: Vec<u16>,

    // NOTE(review): the matching itself is implemented outside this file. Confirm
    // what name is compared (presumably the SNI), that comparison is
    // case-insensitive, and whether `*.suffix` also matches the bare suffix.
    /// Domains to bypass (no MITM). Supports exact match and `*.suffix` wildcards.
    /// Empty by default, i.e. nothing is exempt from interception.
    #[serde(default)]
    pub bypass: Vec<String>,

    // NOTE(review): with interception active the guest only sees the proxy's
    // certificate, so this flag is presumably the only check on the real server's
    // identity. Setting it to `false` should be limited to test setups; confirm
    // that the proxy logs or otherwise surfaces the downgrade.
    /// Whether to verify the upstream server's TLS certificate. Defaults to `true`.
    #[serde(default = "default_true")]
    pub verify_upstream: bool,

    // NOTE(review): when this is `false`, QUIC traffic to the intercepted ports
    // presumably passes without inspection. Confirm against the UDP path.
    /// Drop UDP to intercepted ports when TLS interception is active,
    /// forcing QUIC traffic to fall back to TCP/TLS. Defaults to `true`.
    #[serde(default = "default_true")]
    pub block_quic_on_intercept: bool,

    // NOTE(review): not visible here whether these certificates extend or replace
    // the default trust store. Confirm, since that decides how far a listed CA
    // widens what the proxy accepts upstream.
    /// CA certificate PEM files to trust for upstream server verification.
    /// Empty by default.
    #[serde(default)]
    pub upstream_ca_cert: Vec<PathBuf>,

    /// Interception CA configuration. The TLS proxy uses this CA to sign
    /// per-domain certs that it presents to the guest during interception.
    ///
    /// The key `ca` is accepted as an alias when deserializing.
    #[serde(default, alias = "ca")]
    pub intercept_ca: InterceptCaConfig,

    /// Per-domain certificate cache configuration.
    #[serde(default)]
    pub cache: CertCacheConfig,
}
52
/// Certificate authority configuration for TLS interception.
///
/// This type stores file paths only; no key material is held in the struct,
/// so the derived `Debug` and `Serialize` output exposes locations, not secrets.
// NOTE(review): the file behind `key_path` is a CA signing key. Whoever can read
// it can issue certificates that anything trusting this CA will accept, so the
// file should be readable by the sandbox runtime only. Where the auto-generated
// CA is persisted, and with which permissions, is decided outside this file.
// NOTE(review): nothing here requires `cert_path` and `key_path` to be set
// together. Confirm how the loader treats a config that sets only one of them.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct InterceptCaConfig {
    /// Path to an existing CA certificate PEM file.
    /// If `None`, a CA is auto-generated and persisted.
    #[serde(default)]
    pub cert_path: Option<PathBuf>,

    /// Path to an existing CA private key PEM file.
    /// If `None`, a key is auto-generated and persisted.
    #[serde(default)]
    pub key_path: Option<PathBuf>,
}
66
/// Per-domain certificate cache configuration.
///
/// Omitted fields take the values returned by `default_cache_capacity` and
/// `default_cert_validity_hours`, which match [`CertCacheConfig::default`].
// NOTE(review): neither field is range-checked in this file, so `0` deserializes
// successfully for both. Confirm that the cache and the certificate issuer
// handle a zero capacity or zero validity period.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertCacheConfig {
    /// Maximum number of cached certificates. Default: 1000.
    #[serde(default = "default_cache_capacity")]
    pub capacity: usize,

    /// Certificate validity duration in hours. Default: 24.
    #[serde(default = "default_cert_validity_hours")]
    pub validity_hours: u64,
}
78
79//--------------------------------------------------------------------------------------------------
80// Trait Implementations
81//--------------------------------------------------------------------------------------------------
82
impl Default for TlsConfig {
    /// Builds the baseline configuration: interception disabled, the default
    /// intercepted port list, no bypass domains, upstream certificate
    /// verification and QUIC blocking both on, no extra upstream CAs, and
    /// default CA and cache settings.
    fn default() -> Self {
        // Values that come from helpers or nested defaults are resolved first so
        // the struct literal below reads as a plain list of settings.
        let intercepted_ports = default_intercepted_ports();
        let intercept_ca = InterceptCaConfig::default();
        let cache = CertCacheConfig::default();

        Self {
            enabled: false,
            intercepted_ports,
            bypass: Vec::new(),
            // Both safety-relevant switches start enabled.
            verify_upstream: true,
            block_quic_on_intercept: true,
            upstream_ca_cert: Vec::new(),
            intercept_ca,
            cache,
        }
    }
}
97
impl Default for CertCacheConfig {
    /// Builds the cache settings from the same helper functions that serde
    /// uses for omitted fields, so both paths yield identical values.
    fn default() -> Self {
        let capacity = default_cache_capacity();
        let validity_hours = default_cert_validity_hours();

        Self {
            capacity,
            validity_hours,
        }
    }
}
106
107//--------------------------------------------------------------------------------------------------
108// Functions
109//--------------------------------------------------------------------------------------------------
110
/// Serde default helper that returns `true`.
///
/// Referenced by the `#[serde(default = "default_true")]` attributes on
/// `TlsConfig::verify_upstream` and `TlsConfig::block_quic_on_intercept`, so
/// both switches stay on when the input omits them.
fn default_true() -> bool {
    const ON_WHEN_OMITTED: bool = true;
    ON_WHEN_OMITTED
}
114
/// Serde default helper for `TlsConfig::intercepted_ports`.
///
/// Returns a freshly allocated list holding only port 443.
fn default_intercepted_ports() -> Vec<u16> {
    const HTTPS_PORT: u16 = 443;
    Vec::from([HTTPS_PORT])
}
118
/// Serde default helper for `CertCacheConfig::capacity`.
///
/// Returns the maximum number of cached certificates used when the input
/// does not set one.
fn default_cache_capacity() -> usize {
    const MAX_CACHED_CERTS: usize = 1_000;
    MAX_CACHED_CERTS
}
122
/// Serde default helper for `CertCacheConfig::validity_hours`.
///
/// Returns the certificate validity period, in hours, used when the input
/// does not set one.
fn default_cert_validity_hours() -> u64 {
    const VALIDITY_HOURS: u64 = 24;
    VALIDITY_HOURS
}