pub struct TlsConfig {
    pub identity: TlsIdentity,
    pub trusted_certs: TrustedCerts,
    pub server_name: String,
}
TLS configuration for Noxu DB replication channels.
A TlsConfig bundles this node’s identity (certificate + key) with the
policy for verifying remote peers. Pass it to:
- TlsTcpChannelListener::bind_with_tls: encrypted TCP server
- TlsTcpChannel::connect_with_tls: encrypted TCP client
- TlsConfig::to_quinn_server_config: QUIC server with real certs
- TlsConfig::to_quinn_client_config: QUIC client with real certs
Fields
identity: TlsIdentity
This node's certificate and private key.
trusted_certs: TrustedCerts
How to verify the remote peer's certificate.
server_name: String
TLS SNI server name used by the client during the handshake.
Must match the certificate's Common Name or a Subject Alternative Name. Use "localhost" when connecting to a SelfSigned cert with subject_alt_names = ["localhost"].
Implementations
impl TlsConfig
pub fn insecure(server_name: impl Into<String>) -> Self
Create an insecure TLS configuration for trusted private networks.
Generates a self-signed certificate at first use and skips peer certificate verification entirely. Equivalent to the current default QUIC channel behaviour.
Requires the tls-rustls feature.
pub fn from_pem_files(
    cert: impl Into<PathBuf>,
    key: impl Into<PathBuf>,
    ca: impl Into<PathBuf>,
    server_name: impl Into<String>,
) -> Self
Create a TLS configuration using PEM cert/key files and a CA file.
Verifies the remote peer’s certificate against ca.
Requires the tls-rustls feature.
pub fn from_pkcs12(
    der: Vec<u8>,
    password: impl Into<String>,
    ca_pem: Vec<u8>,
    server_name: impl Into<String>,
) -> Self
Create a TLS configuration from a PKCS #12 archive.
Verifies the remote peer against ca_pem bytes.
Requires the tls-native feature.
pub fn for_replication(
    identity: TlsIdentity,
    trusted_certs: TrustedCerts,
    server_name: impl Into<String>,
) -> Result<Self>
Create a TLS configuration intended for replication:
requires both a non-self-signed identity and a non-empty
CA list. Returns Err for any input that would
produce a configuration where the peer cannot be
authenticated.
This is the documented path for production replication
per docs/src/internal/auth-mtls-design-2026-05.md. It
is stricter than the from_pem_files and from_pkcs12
constructors:
- Rejects TlsIdentity::SelfSigned (a runtime-generated cert has no consistent subject across restarts, which is incompatible with subject-based authorisation).
- Rejects TrustedCerts::SkipVerification (skip-verify is a development-only path).
- Rejects empty CaFiles/CaBytes lists.
[TlsConfig::insecure] remains available for tests and
trusted-network deployments where the operator
explicitly accepts an unauthenticated transport.
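The three rejection rules above are easy to state but worth seeing as code, because the failure mode they prevent (a replication channel that encrypts but never authenticates its peer) is silent at runtime. The following is an added, self-contained example that is not Noxu DB's own implementation: it models TlsIdentity and TrustedCerts after the variant names on this page (the payload shapes, the ReplicationConfigError type and the authenticates_peer helper are assumptions made here; the real constructor returns the crate's own Result<Self>) and implements the for_replication policy exactly as documented, so the sample paths below are constructed placeholders and no files are read.

```rust
use std::path::PathBuf;

/// Local identity, modelled after the page's `TlsIdentity` variant names.
/// The payload shapes are assumptions made for this example.
#[derive(Debug, Clone)]
pub enum TlsIdentity {
    /// Certificate generated at runtime; its subject changes on every restart.
    SelfSigned { subject_alt_names: Vec<String> },
    /// Certificate and private key loaded from PEM files.
    PemFiles { cert: PathBuf, key: PathBuf },
    /// Certificate and private key from a PKCS #12 archive.
    Pkcs12 { der: Vec<u8>, password: String },
}

/// Peer verification policy, modelled after the page's `TrustedCerts` names.
#[derive(Debug, Clone)]
pub enum TrustedCerts {
    /// Accept any peer certificate (development-only path).
    SkipVerification,
    /// Verify peers against CA certificates read from these PEM files.
    CaFiles(Vec<PathBuf>),
    /// Verify peers against CA certificates held in memory as PEM bytes.
    CaBytes(Vec<Vec<u8>>),
}

#[derive(Debug, Clone)]
pub struct TlsConfig {
    pub identity: TlsIdentity,
    pub trusted_certs: TrustedCerts,
    pub server_name: String,
}

/// Why a configuration was rejected; one variant per documented rule
/// (this error type is an assumption of the example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ReplicationConfigError {
    /// A runtime-generated certificate cannot back subject-based authorisation.
    SelfSignedIdentity,
    /// Skipping verification leaves the peer unauthenticated.
    SkipVerification,
    /// No CA to chain the peer certificate to.
    EmptyCaList,
}

impl TlsConfig {
    /// Builds a config only when the remote peer can actually be authenticated.
    pub fn for_replication(
        identity: TlsIdentity,
        trusted_certs: TrustedCerts,
        server_name: impl Into<String>,
    ) -> Result<Self, ReplicationConfigError> {
        // Rule 1: the identity must have a stable subject across restarts.
        if matches!(identity, TlsIdentity::SelfSigned { .. }) {
            return Err(ReplicationConfigError::SelfSignedIdentity);
        }
        // Rules 2 and 3: there must be a CA list, and it must not be empty.
        match &trusted_certs {
            TrustedCerts::SkipVerification => {
                return Err(ReplicationConfigError::SkipVerification);
            }
            TrustedCerts::CaFiles(files) if files.is_empty() => {
                return Err(ReplicationConfigError::EmptyCaList);
            }
            TrustedCerts::CaBytes(bytes) if bytes.is_empty() => {
                return Err(ReplicationConfigError::EmptyCaList);
            }
            TrustedCerts::CaFiles(_) | TrustedCerts::CaBytes(_) => {}
        }
        Ok(Self { identity, trusted_certs, server_name: server_name.into() })
    }

    /// True when this config will verify the peer against at least one CA.
    pub fn authenticates_peer(&self) -> bool {
        match &self.trusted_certs {
            TrustedCerts::SkipVerification => false,
            TrustedCerts::CaFiles(files) => !files.is_empty(),
            TrustedCerts::CaBytes(bytes) => !bytes.is_empty(),
        }
    }
}

/// Constructed sample identity with placeholder paths (nothing is read from disk).
pub fn production_identity() -> TlsIdentity {
    TlsIdentity::PemFiles {
        cert: PathBuf::from("/etc/noxu/node.crt"),
        key: PathBuf::from("/etc/noxu/node.key"),
    }
}

fn main() {
    let ca = TrustedCerts::CaFiles(vec![PathBuf::from("/etc/noxu/ca.pem")]);
    match TlsConfig::for_replication(production_identity(), ca, "db1.example.internal") {
        Ok(cfg) => println!("accepted; peer authenticated = {}", cfg.authenticates_peer()),
        Err(e) => println!("rejected: {e:?}"),
    }
    // The dev-style pairing from the SNI note on this page is refused for replication.
    let self_signed = TlsIdentity::SelfSigned { subject_alt_names: vec!["localhost".into()] };
    let rejected = TlsConfig::for_replication(self_signed, TrustedCerts::SkipVerification, "localhost");
    println!("self-signed + skip-verify rejected with {:?}", rejected.err());
}
```

The check on identity runs before the check on trusted_certs, so a caller that passes both a self-signed identity and skip-verify sees SelfSignedIdentity first; the real constructor's error type and ordering may differ, but the page's rules are that each of the three inputs alone is enough to be refused.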
Trait Implementations
Auto Trait Implementations
impl Freeze for TlsConfig
impl RefUnwindSafe for TlsConfig
impl Send for TlsConfig
impl Sync for TlsConfig
impl Unpin for TlsConfig
impl UnsafeUnpin for TlsConfig
impl UnwindSafe for TlsConfig
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T
where
    T: Clone,
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left is true.
Converts self into a Right variant of Either<Self, Self> otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self> otherwise.