pub struct ConfigBuilder { /* private fields */ }
Implementations
impl Builder
pub fn new() -> Builder
Warning
The newly created Builder will create Configs that use the default security policy.
Consider changing this depending on your security and compatibility requirements
by calling Builder::set_security_policy.
See the s2n-tls usage guide:
https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html
Corresponds to s2n_config_new_minimal, but also calls s2n_config_set_client_hello_cb_mode to set the client hello callback to non-blocking mode.
pub fn set_alert_behavior(
&mut self,
value: AlertBehavior,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_alert_behavior.
pub fn set_security_policy(
&mut self,
policy: &Policy,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_cipher_preferences.
pub fn set_application_protocol_preference<P, I>(
&mut self,
protocols: P,
) -> Result<&mut Builder, Error>
Sets the application protocol preferences on an s2n_config object.
protocols is a list in order of preference, with the most preferred protocol first, and of length protocol_count. When acting as a client, the protocol list is included in the Client Hello message as the ALPN extension. As a server, the list is used to negotiate a mutual application protocol with the client. After the negotiation for the connection has completed, the agreed-upon protocol can be retrieved with s2n_get_application_protocol.
Corresponds to s2n_config_set_protocol_preferences.
pub fn append_application_protocol_preference(
&mut self,
protocol: &[u8],
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_append_protocol_preference.
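The two preference setters above only store an ordered list; what that list becomes on the wire and how a server uses it is not shown on this page. The following is an added example written for this page, not s2n-tls code: it models the preference list, encodes it in the ALPN extension format of RFC 7301 (a 2-byte list length followed by 1-byte-length-prefixed names), parses it back with bounds checks, and performs the server-side selection. The assumption that the server's own preference order decides the outcome is mine; the page only says the server list "is used to negotiate a mutual application protocol". The `ProtocolPreferences` type and its methods are hypothetical stand-ins, not the crate's API.

```rust
// Added example, not s2n-tls code. Models set_application_protocol_preference /
// append_application_protocol_preference and the ALPN negotiation they feed.
// Assumption: server preference order wins (not stated on the page).

/// Ordered preference list, most preferred first (hypothetical stand-in type).
#[derive(Debug, Clone, PartialEq)]
pub struct ProtocolPreferences {
    protocols: Vec<Vec<u8>>,
}

impl ProtocolPreferences {
    /// Set the whole list at once (mirrors set_application_protocol_preference).
    pub fn new<I, P>(protocols: I) -> Result<Self, String>
    where
        I: IntoIterator<Item = P>,
        P: AsRef<[u8]>,
    {
        let mut prefs = ProtocolPreferences { protocols: Vec::new() };
        for p in protocols {
            prefs.append(p.as_ref())?;
        }
        Ok(prefs)
    }

    /// Append one protocol (mirrors append_application_protocol_preference).
    /// RFC 7301 names are 1..=255 bytes; anything else cannot be encoded.
    pub fn append(&mut self, protocol: &[u8]) -> Result<&mut Self, String> {
        if protocol.is_empty() || protocol.len() > 255 {
            return Err(format!("invalid ALPN protocol length {}", protocol.len()));
        }
        self.protocols.push(protocol.to_vec());
        Ok(self)
    }

    /// Encode as the ProtocolNameList carried in the ClientHello ALPN extension.
    pub fn to_wire(&self) -> Vec<u8> {
        let body: Vec<u8> = self
            .protocols
            .iter()
            .flat_map(|p| std::iter::once(p.len() as u8).chain(p.iter().copied()))
            .collect();
        let mut out = Vec::with_capacity(body.len() + 2);
        out.extend_from_slice(&(body.len() as u16).to_be_bytes());
        out.extend_from_slice(&body);
        out
    }

    /// Parse a ProtocolNameList, rejecting truncated, oversized or empty input.
    pub fn from_wire(wire: &[u8]) -> Result<Self, String> {
        if wire.len() < 2 {
            return Err("ALPN list shorter than its length prefix".into());
        }
        let list_len = u16::from_be_bytes([wire[0], wire[1]]) as usize;
        let body = &wire[2..];
        if list_len != body.len() {
            return Err("ALPN list length does not match payload".into());
        }
        let mut prefs = ProtocolPreferences { protocols: Vec::new() };
        let mut i = 0;
        while i < body.len() {
            let n = body[i] as usize;
            i += 1;
            let end = i
                .checked_add(n)
                .filter(|e| *e <= body.len())
                .ok_or("truncated ALPN protocol name")?;
            prefs.append(&body[i..end])?;
            i = end;
        }
        if prefs.protocols.is_empty() {
            return Err("ALPN list is empty".into());
        }
        Ok(prefs)
    }

    /// Server-side selection: walk our list in preference order and return the
    /// first protocol the client also offered; None means no mutual protocol.
    pub fn negotiate(&self, client_offer: &ProtocolPreferences) -> Option<Vec<u8>> {
        self.protocols
            .iter()
            .find(|p| client_offer.protocols.contains(p))
            .cloned()
    }
}

fn main() {
    // Constructed sample: client prefers h2, server prefers http/1.1.
    let client = ProtocolPreferences::new(["h2", "http/1.1"]).unwrap();
    let server = ProtocolPreferences::new(["http/1.1", "h2"]).unwrap();
    let parsed = ProtocolPreferences::from_wire(&client.to_wire()).unwrap();
    println!("negotiated: {:?}", server.negotiate(&parsed).map(String::from_utf8));
}
```

The parser is the part worth keeping in mind on the server side: every length byte is checked against the remaining payload before it is used as a slice bound, so a malformed extension yields an error rather than a panic.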
pub unsafe fn disable_x509_verification(
&mut self,
) -> Result<&mut Builder, Error>
Turns off X.509 verification.
Safety
This functionality will weaken the security of the connections. As such, it should only be used in development environments where obtaining a valid certificate would not be possible.
Corresponds to s2n_config_disable_x509_verification.
pub fn add_dhparams(&mut self, pem: &[u8]) -> Result<&mut Builder, Error>
Corresponds to s2n_config_add_dhparams.
pub fn load_pem(
&mut self,
certificate: &[u8],
private_key: &[u8],
) -> Result<&mut Builder, Error>
Associate a certificate and corresponding private_key with a config.
Using this method, at most one certificate per auth type (ECDSA, RSA, RSA-PSS)
can be loaded.
For more advanced cert use cases such as sharing certs across configs or serving different certs based on the client SNI, see Builder::load_chain.
Corresponds to s2n_config_add_cert_chain_and_key.
pub fn load_chain(
&mut self,
chain: CertificateChain<'static>,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_add_cert_chain_and_key_to_store.
pub fn set_default_chains<T>(
&mut self,
chains: T,
) -> Result<&mut Builder, Error>where
T: IntoIterator<Item = CertificateChain<'static>>,
Corresponds to s2n_config_set_cert_chain_and_key_defaults.
pub fn load_public_pem(
&mut self,
certificate: &[u8],
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_add_cert_chain.
pub fn trust_pem(&mut self, certificate: &[u8]) -> Result<&mut Builder, Error>
Corresponds to s2n_config_add_pem_to_trust_store.
pub fn trust_location(
&mut self,
file: Option<&Path>,
dir: Option<&Path>,
) -> Result<&mut Builder, Error>
Adds to the trust store from a CA file or directory containing trusted certificates.
Corresponds to s2n_config_set_verification_ca_location, except it calls s2n_config_set_status_request_type with NONE to avoid automatically enabling OCSP stapling.
pub fn with_system_certs(
&mut self,
load_system_certs: bool,
) -> Result<&mut Builder, Error>
Sets whether or not default system certificates will be loaded into the trust store.
Set to false for increased performance if system certificates are not needed during certificate validation.
Corresponds to s2n_config_load_system_certs.
pub fn wipe_trust_store(&mut self) -> Result<&mut Builder, Error>
Corresponds to s2n_config_wipe_trust_store.
pub fn set_client_auth_type(
&mut self,
auth_type: ClientAuthType,
) -> Result<&mut Builder, Error>
Sets whether or not a client certificate should be required to complete the TLS connection.
See the Usage Guide for more details.
Corresponds to s2n_config_set_client_auth_type.
pub fn enable_ocsp(&mut self) -> Result<&mut Builder, Error>
Clients will request OCSP stapling from the server.
Corresponds to s2n_config_set_status_request_type.
pub fn set_ocsp_data(&mut self, data: &[u8]) -> Result<&mut Builder, Error>
Sets the OCSP data for the default certificate chain associated with the Config.
Servers will send the data in response to OCSP stapling requests from clients.
Corresponds to s2n_config_set_extension_data with OCSP_STAPLING.
pub fn set_verify_host_callback<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + VerifyHostNameCallback,
Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.
The callback may be called more than once during certificate validation as each SAN on the certificate will be checked.
Corresponds to s2n_config_set_verify_host_callback.
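Because the callback is invoked once per SAN, the handler has to decide each name on its own and the certificate passes as soon as one name is accepted. The following added example (written for this page, not s2n-tls code) shows a strict handler of that shape: it accepts only the names the client expects to connect to, honours a single left-most wildcard label in a certificate name, and is driven by a small loop that models the per-SAN calls. The local `VerifyHostNameCallback` trait, `ExpectedHosts` and `verify_certificate_sans` are stand-ins defined here so the example runs without the crate; they assume the callback shape `verify_host_name(&self, &str) -> bool`.

```rust
// Added example, not s2n-tls code. Stand-in for the callback installed with
// set_verify_host_callback; the trait, the handler and the driver below are
// local definitions written for this example.
use std::collections::HashSet;

/// Local stand-in with the assumed callback shape.
pub trait VerifyHostNameCallback {
    fn verify_host_name(&self, host_name: &str) -> bool;
}

/// Accepts only the peer names this client expects to talk to.
pub struct ExpectedHosts {
    allowed: HashSet<String>,
}

impl ExpectedHosts {
    pub fn new<I: IntoIterator<Item = S>, S: Into<String>>(names: I) -> Self {
        // Host names are case-insensitive; normalise once at construction.
        let allowed = names.into_iter().map(|n| n.into().to_ascii_lowercase()).collect();
        ExpectedHosts { allowed }
    }
}

/// A wildcard is only honoured as the entire left-most label ("*.example.com")
/// and only covers exactly one label of the host, never a sub-domain of it.
fn wildcard_matches(pattern: &str, host: &str) -> bool {
    let suffix = match pattern.strip_prefix("*.") {
        Some(s) => s,
        None => return false,
    };
    match host.split_once('.') {
        Some((first, rest)) => !first.is_empty() && !first.contains('*') && rest == suffix,
        None => false,
    }
}

impl VerifyHostNameCallback for ExpectedHosts {
    fn verify_host_name(&self, host_name: &str) -> bool {
        let name = host_name.to_ascii_lowercase();
        if name.contains('*') {
            // The certificate carries a wildcard SAN: accept it only if it
            // covers one of the names we expect.
            self.allowed.iter().any(|a| wildcard_matches(&name, a))
        } else {
            self.allowed.contains(&name)
        }
    }
}

/// Models how the library drives the callback: once per SAN, stopping at the
/// first accepted name. Returns that name so the caller can log which SAN matched.
pub fn verify_certificate_sans<'a, C: VerifyHostNameCallback>(
    cb: &C,
    sans: &[&'a str],
) -> Option<&'a str> {
    sans.iter().copied().find(|san| cb.verify_host_name(san))
}

fn main() {
    // Constructed sample: a certificate with two SANs, one of them a wildcard.
    let cb = ExpectedHosts::new(["api.example.com"]);
    let sans = ["www.example.com", "*.example.com"];
    println!("accepted SAN: {:?}", verify_certificate_sans(&cb, &sans));
}
```

A handler that returns true unconditionally would make `set_verify_host_callback` equivalent to skipping hostname checks, so a strict allowlist like this is the usual defensive choice when the expected peer name is known in advance.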
pub unsafe fn set_key_log_callback(
&mut self,
callback: Option<unsafe extern "C" fn(*mut c_void, *mut s2n_connection, *mut u8, usize) -> i32>,
context: *mut c_void,
) -> Result<&mut Builder, Error>
Safety
THIS SHOULD BE USED FOR DEBUGGING PURPOSES ONLY!
The context pointer must live at least as long as the config.
Corresponds to s2n_config_set_key_log_cb.
pub fn set_max_cert_chain_depth(
&mut self,
depth: u16,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_max_cert_chain_depth.
pub fn set_send_buffer_size(&mut self, size: u32) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_send_buffer_size.
pub fn set_client_hello_callback<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + ClientHelloCallback,
Set a custom callback function which is run after parsing the client hello.
Corresponds to s2n_config_set_client_hello_cb.
pub fn set_connection_initializer<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + ConnectionInitializer,
pub fn set_session_ticket_callback<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + SessionTicketCallback,
Sets a custom callback which provides access to session tickets when they arrive.
Corresponds to s2n_config_set_session_ticket_cb.
pub fn set_private_key_callback<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + PrivateKeyCallback,
Set a callback function triggered by operations requiring the private key.
See https://github.com/aws/s2n-tls/blob/main/docs/USAGE-GUIDE.md#private-key-operation-related-calls
Corresponds to s2n_config_set_async_pkey_callback.
pub fn set_wall_clock<T>(&mut self, handler: T) -> Result<&mut Builder, Error>where
T: 'static + WallClock,
Set a callback function that will be used to get the system time.
The wall clock time is the best-guess at the real time, measured since the epoch. Unlike monotonic time, it CAN move backwards. It is used by s2n-tls for timestamps.
Corresponds to s2n_config_set_wall_clock.
pub fn set_monotonic_clock<T>(
&mut self,
handler: T,
) -> Result<&mut Builder, Error>where
T: 'static + MonotonicClock,
Set a callback function that will be used to get the monotonic time.
The monotonic time is the time since an arbitrary, unspecified point. Unlike wall clock time, it MUST never move backwards. It is used by s2n-tls for timers.
Corresponds to s2n_config_set_monotonic_clock.
pub fn enable_session_tickets(
&mut self,
enable: bool,
) -> Result<&mut Builder, Error>
Enable negotiating session tickets in a TLS connection.
Corresponds to s2n_config_set_session_tickets_onoff.
pub fn add_session_ticket_key(
&mut self,
key_name: &[u8],
key: &[u8],
intro_time: SystemTime,
) -> Result<&mut Builder, Error>
Adds a key which will be used to encrypt and decrypt session tickets. The intro_time parameter is time since the Unix epoch (Midnight, January 1st, 1970). The key must be at least 16 bytes.
Corresponds to s2n_config_add_ticket_crypto_key, but also automatically calls Builder::enable_session_tickets.
pub fn set_ticket_key_encrypt_decrypt_lifetime(
&mut self,
lifetime: Duration,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_ticket_encrypt_decrypt_key_lifetime.
pub fn set_ticket_key_decrypt_lifetime(
&mut self,
lifetime: Duration,
) -> Result<&mut Builder, Error>
Corresponds to s2n_config_set_ticket_decrypt_key_lifetime.
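The three methods above (add_session_ticket_key and the two lifetime setters) together define a key rotation schedule, but the page does not spell out how the lifetimes interact. The following is an added example written for this page, not s2n-tls code: a model of a ticket key store in which a key encrypts and decrypts for `encrypt_decrypt_lifetime` after its intro time, then decrypts only for a further `decrypt_lifetime`, and is then discarded. That lifecycle is my assumption, as are the `TicketKeyStore` type, its methods and the lifetime values used in the sample; the 16-byte minimum key length is the page's.

```rust
// Added example, not s2n-tls code. Models the key schedule configured by
// add_session_ticket_key, set_ticket_key_encrypt_decrypt_lifetime and
// set_ticket_key_decrypt_lifetime. The lifecycle (encrypt+decrypt, then
// decrypt-only, then expired) is an assumption made for this example.
use std::time::{Duration, SystemTime, UNIX_EPOCH};

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyState {
    Pending,        // intro_time is still in the future
    EncryptDecrypt, // issues new tickets and decrypts old ones
    DecryptOnly,    // only resumes tickets issued earlier
    Expired,        // must not be used at all
}

#[derive(Debug, Clone)]
pub struct TicketKey {
    pub name: Vec<u8>,
    pub key: Vec<u8>,
    pub intro_time: SystemTime,
}

pub struct TicketKeyStore {
    keys: Vec<TicketKey>,
    encrypt_decrypt_lifetime: Duration,
    decrypt_lifetime: Duration,
}

fn key_state(key: &TicketKey, now: SystemTime, ed: Duration, d: Duration) -> KeyState {
    let age = match now.duration_since(key.intro_time) {
        Ok(age) => age,
        Err(_) => return KeyState::Pending,
    };
    if age < ed {
        KeyState::EncryptDecrypt
    } else if age < ed + d {
        KeyState::DecryptOnly
    } else {
        KeyState::Expired
    }
}

impl TicketKeyStore {
    pub fn new(encrypt_decrypt_lifetime: Duration, decrypt_lifetime: Duration) -> Self {
        TicketKeyStore { keys: Vec::new(), encrypt_decrypt_lifetime, decrypt_lifetime }
    }

    /// Mirrors add_session_ticket_key: enforce the 16-byte minimum and unique names.
    pub fn add_key(&mut self, name: &[u8], key: &[u8], intro_time: SystemTime) -> Result<&mut Self, String> {
        if key.len() < 16 {
            return Err(format!("ticket key must be at least 16 bytes, got {}", key.len()));
        }
        if name.is_empty() {
            return Err("ticket key name must not be empty".into());
        }
        if self.keys.iter().any(|k| k.name == name) {
            return Err("duplicate ticket key name".into());
        }
        self.keys.push(TicketKey { name: name.to_vec(), key: key.to_vec(), intro_time });
        Ok(self)
    }

    pub fn state_of(&self, name: &[u8], now: SystemTime) -> Option<KeyState> {
        self.keys
            .iter()
            .find(|k| k.name == name)
            .map(|k| key_state(k, now, self.encrypt_decrypt_lifetime, self.decrypt_lifetime))
    }

    /// Key for issuing new tickets: the most recently introduced key that may encrypt.
    pub fn encryption_key(&self, now: SystemTime) -> Option<&TicketKey> {
        self.keys
            .iter()
            .filter(|k| self.state_of(&k.name, now) == Some(KeyState::EncryptDecrypt))
            .max_by_key(|k| k.intro_time)
    }

    /// Key for resuming a received ticket, looked up by the name the ticket carries.
    pub fn decryption_key(&self, name: &[u8], now: SystemTime) -> Option<&TicketKey> {
        self.keys.iter().find(|k| {
            k.name == name
                && matches!(self.state_of(&k.name, now), Some(KeyState::EncryptDecrypt | KeyState::DecryptOnly))
        })
    }

    /// Drop expired keys; returns how many were removed.
    pub fn prune(&mut self, now: SystemTime) -> usize {
        let (ed, d) = (self.encrypt_decrypt_lifetime, self.decrypt_lifetime);
        let before = self.keys.len();
        self.keys.retain(|k| key_state(k, now, ed, d) != KeyState::Expired);
        before - self.keys.len()
    }
}

fn main() {
    // Constructed sample values; a real deployment generates each key randomly.
    let mut store = TicketKeyStore::new(Duration::from_secs(2 * 3600), Duration::from_secs(13 * 3600));
    let now = UNIX_EPOCH + Duration::from_secs(1_700_000_000);
    store.add_key(b"rotation-1", &[0x42; 32], now).unwrap();
    println!("{:?}", store.state_of(b"rotation-1", now));
}
```

The point of the two lifetimes is that rotation never strands live sessions: a newly introduced key takes over issuing tickets immediately, while the previous key keeps resuming tickets it issued until its decrypt window closes, after which `prune` removes it so a leaked old key has a bounded useful life.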
pub fn set_serialization_version(
&mut self,
version: SerializationVersion,
) -> Result<&mut Builder, Error>
Sets the expected connection serialization version. Must be set before serializing the connection.
Corresponds to s2n_config_set_serialization_version.
pub fn set_max_blinding_delay(
&mut self,
seconds: u32,
) -> Result<&mut Builder, Error>
Sets a configurable blinding delay instead of the default.
Corresponds to s2n_config_set_max_blinding_delay.
pub fn require_ticket_forward_secrecy(
&mut self,
enable: bool,
) -> Result<&mut Builder, Error>
Requires that session tickets are only used when forward secrecy is possible.
Corresponds to s2n_config_require_ticket_forward_secrecy.
pub fn build(self) -> Result<Config, Error>
Trait Implementations
impl Default for Builder
Warning
The newly created Builder uses the default security policy.
Consider changing this depending on your security and compatibility requirements
by using Builder::new instead and calling Builder::set_security_policy.
See the s2n-tls usage guide:
https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html