Module openssl::ssl
[−]
[src]
SSL/TLS support.
SslConnector
and SslAcceptor
should be used in most cases - they handle
configuration of the OpenSSL primitives for you.
Examples
To connect as a client to a remote server:
use openssl::ssl::{SslMethod, SslConnectorBuilder}; use std::io::{Read, Write}; use std::net::TcpStream; let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); let stream = TcpStream::connect("google.com:443").unwrap(); let mut stream = connector.connect("google.com", stream).unwrap(); stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut res = vec![]; stream.read_to_end(&mut res).unwrap(); println!("{}", String::from_utf8_lossy(&res));
To accept connections as a server from remote clients:
use openssl::pkcs12::Pkcs12; use openssl::ssl::{SslMethod, SslAcceptorBuilder, SslStream}; use std::fs::File; use std::io::{Read, Write}; use std::net::{TcpListener, TcpStream}; use std::sync::Arc; use std::thread; // In this example we retrieve our keypair and certificate chain from a PKCS #12 archive, // but but they can also be retrieved from, for example, individual PEM- or DER-formatted // files. See the documentation for the `PKey` and `X509` types for more details. let mut file = File::open("identity.pfx").unwrap(); let mut pkcs12 = vec![]; file.read_to_end(&mut pkcs12).unwrap(); let pkcs12 = Pkcs12::from_der(&pkcs12).unwrap(); let identity = pkcs12.parse("password123").unwrap(); let acceptor = SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(), &identity.pkey, &identity.cert, &identity.chain) .unwrap() .build(); let acceptor = Arc::new(acceptor); let listener = TcpListener::bind("0.0.0.0:8443").unwrap(); fn handle_client(stream: SslStream<TcpStream>) { // ... } for stream in listener.incoming() { match stream { Ok(stream) => { let acceptor = acceptor.clone(); thread::spawn(move || { let stream = acceptor.accept(stream).unwrap(); handle_client(stream); }); } Err(e) => { /* connection failed */ } } }
Structs
CipherBits |
Information about the state of a cipher. |
ConnectConfiguration |
A type which allows for configuration of a client-side TLS session before connection. |
MidHandshakeSslStream |
An SSL stream midway through the handshake process. |
RetryError |
An error indicating that the operation can be immediately retried. |
Ssl |
The state of an SSL/TLS session. |
SslAcceptor |
A type which wraps server-side streams in a TLS session. |
SslAcceptorBuilder |
A builder for |
SslCipher |
Information about a cipher. |
SslCipherRef |
Reference to an |
SslConnector |
A type which wraps client-side streams in a TLS session. |
SslConnectorBuilder |
A builder for |
SslContext |
A context object for TLS streams. |
SslContextBuilder |
A builder for |
SslContextRef |
Reference to |
SslMethod |
A type specifying the kind of protocol an |
SslMode |
Options controlling the behavior of an |
SslOption |
Options controlling the behavior of an |
SslRef |
Reference to an |
SslSession |
An encoded SSL session. |
SslSessionRef |
Reference to [ |
SslStream |
A TLS session over a stream. |
SslVerifyMode |
Options controling the behavior of certificate verification. |
StatusType |
An identifier of a certificate status type. |
Enums
Error |
An SSL error. |
HandshakeError |
An error or intermediate state after a TLS handshake attempt. |
ShutdownResult |
The result of a shutdown request. |
SniError |
An error returned from an SNI callback. |
Constants
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
Disables a check that the data buffer has not moved between calls when operating in a nonblocking context. |
SSL_MODE_AUTO_RETRY |
Enables automatic retries after TLS session events such as renegotiations or heartbeats. |
SSL_MODE_ENABLE_PARTIAL_WRITE |
Enables "short writes". |
SSL_MODE_NO_AUTO_CHAIN |
Disables automatic chain building when verifying a peer's certificate. |
SSL_MODE_RELEASE_BUFFERS |
Release memory buffers when the session does not need them. |
SSL_MODE_SEND_CLIENTHELLO_TIME | |
SSL_MODE_SEND_FALLBACK_SCSV |
Sends the fake |
SSL_MODE_SEND_SERVERHELLO_TIME | |
SSL_OP_ALL |
A "reasonable default" set of options which enables compatibility flags. |
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
Allow legacy insecure renegotiation with servers or clients that do not support secure renegotiation. |
SSL_OP_CIPHER_SERVER_PREFERENCE |
Use the server's preferences rather than the client's when selecting a cipher. |
SSL_OP_CISCO_ANYCONNECT | |
SSL_OP_COOKIE_EXCHANGE |
Enables Cookie Exchange as described in RFC 4347 Section 4.2.1. |
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers. |
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
SSL_OP_MICROSOFT_SESS_ID_BUG | |
SSL_OP_NETSCAPE_CHALLENGE_BUG | |
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
SSL_OP_NO_COMPRESSION |
Disables the use of TLS compression. |
SSL_OP_NO_DTLSV1 |
Disables the use of DTLSv1.0 |
SSL_OP_NO_DTLSV1_2 |
Disables the use of DTLSv1.2.
Requires the |
SSL_OP_NO_QUERY_MTU |
Do not query the MTU. |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
Always start a new session when performing a renegotiation on the server side. |
SSL_OP_NO_SSLV2 |
Disables the use of SSLv2. |
SSL_OP_NO_SSLV3 |
Disables the use of SSLv3. |
SSL_OP_NO_SSL_MASK |
Disables the use of all (D)TLS protocol versions. |
SSL_OP_NO_TICKET |
Disables the use of session tickets for session resumption. |
SSL_OP_NO_TLSV1 |
Disables the use of TLSv1.0. |
SSL_OP_NO_TLSV1_1 |
Disables the use of TLSv1.1. |
SSL_OP_NO_TLSV1_2 |
Disables the use of TLSv1.2. |
SSL_OP_SINGLE_DH_USE |
Creates a new key for each session when using DHE. |
SSL_OP_SINGLE_ECDH_USE |
Creates a new key for each session when using ECDHE. |
SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
SSL_OP_TLS_BLOCK_PADDING_BUG | |
SSL_OP_TLS_D5_BUG | |
SSL_OP_TLS_ROLLBACK_BUG |
Disables version rollback attach detection. |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
On the server side, abort the handshake if the client did not send a certificate. |
SSL_VERIFY_NONE |
Disables verification of the peer's certificate. |
SSL_VERIFY_PEER |
Verifies that the peer's certificate is trusted. |
STATUS_TYPE_OCSP |
An OSCP status. |