Module openssl::ssl [−] [src]

SSL/TLS support.

SslConnector and SslAcceptor should be used in most cases - they handle configuration of the OpenSSL primitives for you.

Examples

To connect as a client to a remote server:

use openssl::ssl::{SslMethod, SslConnectorBuilder};
use std::io::{Read, Write};
use std::net::TcpStream;

let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build();

let stream = TcpStream::connect("google.com:443").unwrap();
let mut stream = connector.connect("google.com", stream).unwrap();

stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
let mut res = vec![];
stream.read_to_end(&mut res).unwrap();
println!("{}", String::from_utf8_lossy(&res));

To accept connections as a server from remote clients:

use openssl::pkcs12::Pkcs12;
use openssl::ssl::{SslMethod, SslAcceptorBuilder, SslStream};
use std::fs::File;
use std::io::{Read, Write};
use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::thread;

// In this example we retrieve our keypair and certificate chain from a PKCS #12 archive,
// but but they can also be retrieved from, for example, individual PEM- or DER-formatted
// files. See the documentation for the `PKey` and `X509` types for more details.
let mut file = File::open("identity.pfx").unwrap();
let mut pkcs12 = vec![];
file.read_to_end(&mut pkcs12).unwrap();
let pkcs12 = Pkcs12::from_der(&pkcs12).unwrap();
let identity = pkcs12.parse("password123").unwrap();

let acceptor = SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(),
                                                        &identity.pkey,
                                                        &identity.cert,
                                                        &identity.chain)
    .unwrap()
    .build();
let acceptor = Arc::new(acceptor);

let listener = TcpListener::bind("0.0.0.0:8443").unwrap();

fn handle_client(stream: SslStream<TcpStream>) {
    // ...
}

for stream in listener.incoming() {
    match stream {
        Ok(stream) => {
            let acceptor = acceptor.clone();
            thread::spawn(move || {
                let stream = acceptor.accept(stream).unwrap();
                handle_client(stream);
            });
        }
        Err(e) => { /* connection failed */ }
    }
}

Structs

CipherBits	Information about the state of a cipher.
ConnectConfiguration	A type which allows for configuration of a client-side TLS session before connection.
MidHandshakeSslStream	An SSL stream midway through the handshake process.
RetryError	An error indicating that the operation can be immediately retried.
Ssl	The state of an SSL/TLS session.
SslAcceptor	A type which wraps server-side streams in a TLS session.
SslAcceptorBuilder	A builder for `SslAcceptor`s.
SslCipher	Information about a cipher.
SslCipherRef	Reference to an `SslCipher`.
SslConnector	A type which wraps client-side streams in a TLS session.
SslConnectorBuilder	A builder for `SslConnector`s.
SslContext	A context object for TLS streams.
SslContextBuilder	A builder for `SslContext`s.
SslContextRef	Reference to `SslContext`
SslMethod	A type specifying the kind of protocol an `SslContext` will speak.
SslMode	Options controlling the behavior of an `SslContext`.
SslOption	Options controlling the behavior of an `SslContext`.
SslRef	Reference to an `Ssl`.
SslSession	An encoded SSL session.
SslSessionRef	Reference to [`SslSession]`.
SslStream	A TLS session over a stream.
SslVerifyMode	Options controling the behavior of certificate verification.
StatusType	An identifier of a certificate status type.

Enums

Error	An SSL error.
HandshakeError	An error or intermediate state after a TLS handshake attempt.
ShutdownResult	The result of a shutdown request.
SniError	An error returned from an SNI callback.

Constants

SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER	Disables a check that the data buffer has not moved between calls when operating in a nonblocking context.
SSL_MODE_AUTO_RETRY	Enables automatic retries after TLS session events such as renegotiations or heartbeats.
SSL_MODE_ENABLE_PARTIAL_WRITE	Enables "short writes".
SSL_MODE_NO_AUTO_CHAIN	Disables automatic chain building when verifying a peer's certificate.
SSL_MODE_RELEASE_BUFFERS	Release memory buffers when the session does not need them.
SSL_MODE_SEND_CLIENTHELLO_TIME
SSL_MODE_SEND_FALLBACK_SCSV	Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a handshake.
SSL_MODE_SEND_SERVERHELLO_TIME
SSL_OP_ALL	A "reasonable default" set of options which enables compatibility flags.
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	Allow legacy insecure renegotiation with servers or clients that do not support secure renegotiation.
SSL_OP_CIPHER_SERVER_PREFERENCE	Use the server's preferences rather than the client's when selecting a cipher.
SSL_OP_CISCO_ANYCONNECT
SSL_OP_COOKIE_EXCHANGE	Enables Cookie Exchange as described in RFC 4347 Section 4.2.1.
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS	Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers.
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
SSL_OP_NO_COMPRESSION	Disables the use of TLS compression.
SSL_OP_NO_DTLSV1	Disables the use of DTLSv1.0
SSL_OP_NO_DTLSV1_2	Disables the use of DTLSv1.2. Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
SSL_OP_NO_QUERY_MTU	Do not query the MTU.
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	Always start a new session when performing a renegotiation on the server side.
SSL_OP_NO_SSLV2	Disables the use of SSLv2.
SSL_OP_NO_SSLV3	Disables the use of SSLv3.
SSL_OP_NO_SSL_MASK	Disables the use of all (D)TLS protocol versions.
SSL_OP_NO_TICKET	Disables the use of session tickets for session resumption.
SSL_OP_NO_TLSV1	Disables the use of TLSv1.0.
SSL_OP_NO_TLSV1_1	Disables the use of TLSv1.1.
SSL_OP_NO_TLSV1_2	Disables the use of TLSv1.2.
SSL_OP_SINGLE_DH_USE	Creates a new key for each session when using DHE.
SSL_OP_SINGLE_ECDH_USE	Creates a new key for each session when using ECDHE.
SSL_OP_SSLEAY_080_CLIENT_DH_BUG
SSL_OP_TLS_BLOCK_PADDING_BUG
SSL_OP_TLS_D5_BUG
SSL_OP_TLS_ROLLBACK_BUG	Disables version rollback attach detection.
SSL_VERIFY_FAIL_IF_NO_PEER_CERT	On the server side, abort the handshake if the client did not send a certificate.
SSL_VERIFY_NONE	Disables verification of the peer's certificate.
SSL_VERIFY_PEER	Verifies that the peer's certificate is trusted.
STATUS_TYPE_OCSP	An OSCP status.