Skip to main content

MtlsConfig

rmcp_server_kit::auth

Struct MtlsConfig 

Source 
#[non_exhaustive]
pub struct MtlsConfig {
Show 17 fields
    pub ca_cert_path: PathBuf,
    pub required: bool,
    pub default_role: String,
    pub crl_enabled: bool,
    pub crl_refresh_interval: Option<Duration>,
    pub crl_fetch_timeout: Duration,
    pub crl_stale_grace: Duration,
    pub crl_deny_on_unavailable: bool,
    pub crl_end_entity_only: bool,
    pub crl_allow_http: bool,
    pub crl_enforce_expiration: bool,
    pub crl_max_concurrent_fetches: usize,
    pub crl_max_response_bytes: u64,
    pub crl_discovery_rate_per_min: u32,
    pub crl_max_host_semaphores: usize,
    pub crl_max_seen_urls: usize,
    pub crl_max_cache_entries: usize,

}
Expand description

mTLS client certificate authentication configuration.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§ca_cert_path: PathBuf

Path to CA certificate(s) for verifying client certs (PEM format).

§required: bool

If true, clients MUST present a valid certificate. If false, client certs are optional (verified if presented).

§default_role: String

Default RBAC role for mTLS-authenticated clients. The client cert CN becomes the identity name.

§crl_enabled: bool

Enable CRL-based certificate revocation checks using CDP URLs from the configured CA chain and connecting client certificates.

§crl_refresh_interval: Option<Duration>

Optional fixed refresh interval for known CRLs. When omitted, refresh cadence is derived from nextUpdate and clamped internally.

§crl_fetch_timeout: Duration

Timeout for individual CRL fetches.

§crl_stale_grace: Duration

Grace window during which stale CRLs may still be used when refresh attempts fail.

§crl_deny_on_unavailable: bool

When true, missing or unavailable CRLs cause revocation checks to fail closed.

§crl_end_entity_only: bool

When true, apply revocation checks only to the end-entity certificate.

§crl_allow_http: bool

Allow HTTP CRL distribution-point URLs in addition to HTTPS.

Defaults to true because RFC 5280 §4.2.1.13 designates HTTP (and LDAP) as the canonical transport for CRL distribution points. SSRF defense for HTTP CDPs is provided by the IP-allowlist guard (private/loopback/link-local/multicast/cloud-metadata addresses are always rejected), redirect=none, body-size cap, and per-host concurrency limit – not by forcing HTTPS.

§crl_enforce_expiration: bool

Enforce CRL expiration during certificate validation.

§crl_max_concurrent_fetches: usize

Maximum concurrent CRL fetches across all hosts. Defense in depth against SSRF amplification: even if many CDPs are discovered, no more than this many fetches run in parallel. Per-host concurrency is independently capped at 1 regardless of this value. Default: 4.

§crl_max_response_bytes: u64

Hard cap on each CRL response body in bytes. Fetches exceeding this are aborted mid-stream to bound memory and prevent gzip-bomb-style amplification. Default: 5 MiB (5 * 1024 * 1024).

§crl_discovery_rate_per_min: u32

Global CDP discovery rate limit, in URLs per minute. Throttles how many new CDP URLs the verifier may admit into the fetch pipeline across the whole process, bounding asymmetric DoS amplification when attacker-controlled certificates carry large CDP lists. The limit is global (not per-source-IP) in this release; per-IP scoping is deferred to a future version because it requires plumbing the peer SocketAddr through the verifier hook. URLs that lose the rate-limiter race are not marked as seen, so subsequent handshakes observing the same URL can retry admission. Default: 60.

§crl_max_host_semaphores: usize

Maximum number of distinct hosts that may hold a CRL fetch semaphore at any time. Requests that would grow the map beyond this cap return McpxError::Config containing the literal substring "crl_host_semaphore_cap_exceeded". Bounds memory growth from attacker-controlled CDP URLs pointing at unique hostnames. Default: 1024.

§crl_max_seen_urls: usize

Maximum number of distinct URLs tracked in the “seen” set. Beyond this, additional discovered URLs are silently dropped with a rate-limited warn! log; no error surfaces. Default: 4096.

§crl_max_cache_entries: usize

Maximum number of cached CRL entries. Beyond this, new successful fetches are silently dropped with a rate-limited warn! log (newest-rejected, not LRU-evicted). Default: 1024.

Trait Implementations§

Source§

impl Clone for MtlsConfig

Source§

fn clone(&self) -> MtlsConfig

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for MtlsConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for MtlsConfig

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> DynClone for T
where T: Clone,

Source§

fn __clone_box(&self, _: Private) -> *mut ()

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromRef<T> for T
where T: Clone,

Source§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,

Source§

impl<A, B, T> HttpServerConnExec<A, B> for T
where B: Body,