
Module tls

HTTP TLS termination for the embedded HTTP server.

The HTTP server uses a synchronous std::net::TcpStream with one thread per connection, so the stream is wrapped in rustls::StreamOwned rather than the async tokio-rustls adapter used by the wire transport.

Capabilities:

  • PEM cert / key load from disk.
  • Optional mTLS: when a client-CA bundle is configured, every handshake must present a client certificate that chains to that bundle; a connection without one is rejected at handshake time, before any HTTP bytes are read.
  • Auto-generated self-signed certificate for development, gated by RED_HTTP_TLS_DEV=1; without that env knob the server refuses rather than silently minting a cert. A self-signed cert proves nothing about the server's identity, so clients of a dev listener must pin its fingerprint.
  • SHA-256 fingerprint of the served certificate logged at boot so operators can pin it out of band and compare it with what a client observes.
  • TLS 1.2 and 1.3 only (the rustls default; older protocol versions are not compiled in). Cipher suites are the rustls defaults: forward-secret suites (ephemeral key exchange) only, no anonymous and no export-grade suites.

Structs§

HttpTlsConfig
Configuration for HTTP TLS termination.

Functions§

accept_tls
Wrap a sync TcpStream in a TLS server connection. Performs the handshake as part of stream construction. Returns a stream that transparently encrypts on write / decrypts on read.
auto_generate_dev_cert
Derive a self-signed dev certificate when --http-tls-bind is set without an explicit cert/key. Gated by RED_HTTP_TLS_DEV=1; in any other context it refuses to auto-generate, so a production deployment never silently serves an auto-generated cert.
build_server_config
Build a sync rustls ServerConfig. Installs the ring crypto provider as the process default (idempotent, set_default-style: the wire path has normally already done this, and repeating it is safe).