TlsConfig

Struct TlsConfig

pub struct TlsConfig {
    pub cert_store: Option<Cow<'static, CertStore>>,
    pub cert_verification: bool,
    pub tls_sni: bool,
    pub verify_hostname: bool,
    pub alpn_protos: AlpnProtos,
    pub alps_protos: Option<AlpsProtos>,
    pub alps_use_new_codepoint: bool,
    pub session_ticket: bool,
    pub min_tls_version: Option<TlsVersion>,
    pub max_tls_version: Option<TlsVersion>,
    pub pre_shared_key: bool,
    pub enable_ech_grease: bool,
    pub permute_extensions: Option<bool>,
    pub grease_enabled: Option<bool>,
    pub enable_ocsp_stapling: bool,
    pub enable_signed_cert_timestamps: bool,
    pub record_size_limit: Option<u16>,
    pub psk_skip_session_ticket: bool,
    pub key_shares_limit: Option<u8>,
    pub psk_dhe_ke: bool,
    pub renegotiation: bool,
    pub delegated_credentials: Option<Cow<'static, str>>,
    pub cipher_list: Option<Cow<'static, str>>,
    pub curves: Option<Cow<'static, [SslCurve]>>,
    pub sigalgs_list: Option<Cow<'static, str>>,
    pub cert_compression_algorithm: Option<Cow<'static, [CertCompressionAlgorithm]>>,
    pub extension_permutation_indices: Option<Cow<'static, [u8]>>,
    pub aes_hw_override: Option<bool>,
    pub random_aes_hw_override: bool,
}

Configuration settings for TLS connections.

This struct defines various parameters to fine-tune the behavior of a TLS connection, including the root certificate store, certificate verification, ALPN protocols, and more.

Fields

cert_store: Option<Cow<'static, CertStore>>

The root certificate store used to validate the server's certificate chain. Defaults to the system's native certificate store.

cert_verification: bool

Whether the peer's X.509 certificate is verified against cert_store. TLS can authenticate either endpoint with a certificate; for a client configuration this is the server's certificate. Keep it enabled: with verification off, any certificate is accepted, including a self-signed one presented by an on-path attacker, and verify_hostname then has no authenticated identity left to check.

tls_sni: bool

Whether to send the server_name extension (SNI, originally RFC 3546, now RFC 6066). The client advertises the name of the server it is connecting to, which lets a server hosting several names on one IP select the matching certificate. Only the host_name name type is supported. The name travels in cleartext in the ClientHello unless ECH is in use.

verify_hostname: bool

Whether the names in the server's certificate must match the host being connected to. Disabling this while keeping cert_verification on still accepts any certificate issued by a trusted CA for any name, which is enough for an attacker holding a valid certificate for an unrelated domain to impersonate the server. Keep it enabled.

alpn_protos: AlpnProtos

The ALPN extension (RFC 7301) allows negotiating different application-layer protocols over a single port: the client lists the protocols it supports in the ClientHello and the server selects one, or may abort the handshake with a no_application_protocol alert if there is no overlap.

Usage:

  • Commonly used to negotiate HTTP/2.
  • Defaults to offering all protocols (HTTP/1.1, HTTP/2, HTTP/3).
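The exchange described above, as an added example that is not code from the TlsConfig crate: the ProtocolNameList wire format of RFC 7301 encoded and parsed with explicit bounds checks, plus the server-side selection rule. The protocol lists in main() are constructed sample input.

```rust
// Added example, not part of the TlsConfig crate: the ALPN ProtocolNameList
// wire format (RFC 7301 section 3.1) and the server-side selection rule.
// The protocol lists in main() are constructed sample input.

/// Encodes a ProtocolNameList: a u16 total length, then each name as a
/// u8 length prefix followed by the name bytes. Returns None for an empty
/// list, an empty name, a name over 255 bytes, or a list over 65535 bytes.
pub fn encode_alpn(protocols: &[&str]) -> Option<Vec<u8>> {
    if protocols.is_empty() {
        return None;
    }
    let mut body = Vec::new();
    for p in protocols {
        let b = p.as_bytes();
        if b.is_empty() || b.len() > 255 {
            return None;
        }
        body.push(b.len() as u8);
        body.extend_from_slice(b);
    }
    let len = u16::try_from(body.len()).ok()?;
    let mut out = len.to_be_bytes().to_vec();
    out.extend_from_slice(&body);
    Some(out)
}

/// Parses a ProtocolNameList, rejecting truncated data, trailing bytes,
/// an empty list and zero-length names (RFC 7301: empty strings MUST NOT
/// be included). Every bounds check happens before the slice is taken.
pub fn parse_alpn(ext: &[u8]) -> Option<Vec<String>> {
    if ext.len() < 2 {
        return None;
    }
    let list_len = u16::from_be_bytes([ext[0], ext[1]]) as usize;
    let body = &ext[2..];
    if list_len == 0 || body.len() != list_len {
        return None;
    }
    let mut names = Vec::new();
    let mut i = 0;
    while i < body.len() {
        let n = body[i] as usize;
        i += 1;
        if n == 0 || i + n > body.len() {
            return None;
        }
        names.push(String::from_utf8(body[i..i + n].to_vec()).ok()?);
        i += n;
    }
    Some(names)
}

/// Server-side selection: walk the server's own preference list and pick
/// the first protocol the client also offered. None means no overlap, where
/// the server should send a fatal no_application_protocol alert
/// (RFC 7301 section 3.2).
pub fn select_alpn(server_prefs: &[&str], client_offer: &[String]) -> Option<String> {
    server_prefs
        .iter()
        .find(|p| client_offer.iter().any(|c| c.as_str() == **p))
        .map(|p| p.to_string())
}

fn main() {
    // Constructed sample: a client that prefers h2, a server that prefers HTTP/1.1.
    let wire = encode_alpn(&["h2", "http/1.1"]).expect("valid protocol list");
    println!("ClientHello ALPN bytes: {:02x?}", wire);
    let offered = parse_alpn(&wire).expect("well-formed extension");
    println!("client offered {:?}", offered);
    println!("server preferring http/1.1 selects {:?}", select_alpn(&["http/1.1", "h2"], &offered));
    println!("server speaking only h3 selects {:?}", select_alpn(&["h3"], &offered));
    println!("truncated extension parses as {:?}", parse_alpn(&wire[..wire.len() - 1]));
}
```

The selection follows server preference, which is why a client offering h2 first can still end up on HTTP/1.1; the parser treats a length that does not exactly cover the payload as malformed rather than silently reading what is there.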
alps_protos: Option<AlpsProtos>

The ALPS extension (draft-vvv-tls-alps) enables exchanging application-layer settings during the TLS handshake.

It applies only to the application protocol negotiated via ALPN.

alps_use_new_codepoint: bool

Switches to the new codepoint for the TLS ALPS extension so that more data can be carried in the ACCEPT_CH HTTP/2 and HTTP/3 frame. With the existing codepoint, Chrome's ALPS decoder had an arithmetic overflow bug in ACCEPT_CH handling that capped the frame at 128 bytes of data (in theory the problematic range is 128 to 255 bytes).

session_ticket: bool

Session tickets (RFC 5077) allow session resumption without server-side state.

The mechanism works as follows:

  1. The server maintains a secret ticket key.
  2. The server sends the client its session parameters encrypted under that key as an opaque blob, the ticket.
  3. When resuming, the client sends the ticket back to the server.
  4. The server decrypts the ticket to recover the session state.

In TLS 1.3 the same idea survives as the NewSessionTicket message and PSK resumption (RFC 8446). An attacker who later obtains the ticket key can decrypt recorded sessions resumed from tickets it protected, unless resumption mixed in a fresh (EC)DHE exchange (see psk_dhe_ke).

Reference: See RFC 5077 for further details on session tickets.

min_tls_version: Option<TlsVersion>

Sets the minimum protocol version the client will negotiate; unset keeps the library default. TLS 1.0 and 1.1 are deprecated (RFC 8996), so TLS 1.2 is the sensible floor for new deployments.

max_tls_version: Option<TlsVersion>

Sets the maximum protocol version the client will negotiate; unset keeps the library default.

pre_shared_key: bool

Enables PSK (pre-shared key) cipher suites.

PSK cipher suites authenticate with a key shared out of band instead of relying on certificates.

Reference: See RFC 4279 for details.

enable_ech_grease: bool

Configures whether the client sends a GREASE ECH extension when no supported ECHConfig is available.

GREASE (Generate Random Extensions And Sustain Extensibility) helps prevent ossification of the TLS protocol by sending random values that peers must ignore, so that middleboxes never learn to reject unfamiliar extensions.

ECH (Encrypted Client Hello) improves privacy by encrypting sensitive handshake information, such as the Server Name Indication (SNI), to a public key the server has published.

When no valid ECHConfig is present, enabling this setting makes the client still send an ECH extension carrying a random payload. That keeps a passive observer from telling whether this client ever uses real ECH and exercises servers' ECH code paths; it does not encrypt anything.

Reference: See RFC 8701 for GREASE details.

permute_extensions: Option<bool>

Configures whether the order of ClientHello extensions is permuted, i.e. randomized per connection, as Chrome does to discourage ossification around a fixed extension order.

Note: This is gated to non-fips because the fips feature builds with a separate version of BoringSSL which doesn't yet include these APIs. Once the submoduled fips commit is upgraded, these gates can be removed.

grease_enabled: Option<bool>

Sets whether the context sends GREASE values (RFC 8701) in the ClientHello: random cipher suites, groups, versions and extensions that a conforming peer must ignore.

enable_ocsp_stapling: bool

Enables OCSP stapling on all client handshakes: the client sends the status_request extension (RFC 6066) asking the server to staple an OCSP response for its certificate to the handshake.

enable_signed_cert_timestamps: bool

Enables the signed_certificate_timestamp extension (RFC 6962) so that the client requests Certificate Transparency SCTs from the server during the handshake.

record_size_limit: Option<u16>

Sets the value sent in the record_size_limit extension (RFC 8449): the largest plaintext record, in bytes, that the client is willing to receive.

psk_skip_session_ticket: bool

Whether to skip the session ticket when a PSK is in use.

key_shares_limit: Option<u8>

Limits how many key shares the client includes in the key_share extension of its ClientHello.

psk_dhe_ke: bool

Advertises the psk_dhe_ke mode in the psk_key_exchange_modes extension (RFC 8446, section 4.2.9): PSK resumption combined with a fresh (EC)DHE key exchange, which preserves forward secrecy for resumed sessions. The alternative psk_ke mode resumes from the PSK alone.

renegotiation: bool

TLS renegotiation is enabled by default on many servers. This setting allows the client to send the renegotiation_info extension (RFC 5746), which signals support for secure renegotiation. It applies to TLS 1.2 and earlier; TLS 1.3 removed renegotiation entirely.

delegated_credentials: Option<Cow<'static, str>>

Delegated Credentials (RFC 9345) provide a mechanism for TLS 1.3 endpoints to issue temporary credentials for authentication using their existing certificate.

Once issued, delegated credentials cannot be revoked. To limit the damage if a credential's secret key is compromised, they are valid only for a short duration (days, hours, or minutes).

Reference: See RFC 9345 for details.

cipher_list: Option<Cow<'static, str>>

BoringSSL uses a mini-language to configure cipher suites.

This configuration language manages two ordered lists:

  • Enabled ciphers: the ordered list of cipher suites currently offered, most preferred first.
  • Disabled but available ciphers: the ordered list of cipher suites that are currently inactive but can be enabled by a later rule.

Initially, all ciphers are disabled and sit in the default ordering. Rules are separated by colons: a bare rule enables the matching ciphers, a "-" prefix moves them back to the disabled list, "!" removes them permanently, and "+" moves matching enabled ciphers to the end of the enabled list.

Developers use this mini-language to fine-tune which ciphers are enabled, their priority, and which ones are explicitly disabled. It only affects TLS 1.2 and earlier; TLS 1.3 cipher suites are not configurable through it.

Reference: See BoringSSL Cipher Suite Documentation for details.
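The two-list semantics described above, as an added example that is not code from the TlsConfig crate or from BoringSSL: a small interpreter over a constructed table of six cipher suites. The keyword matching (ALL, a key-exchange name, a cipher family, an exact suite name, or a "+"-joined conjunction of those) is a simplification of the real grammar; what the example demonstrates is how bare, "+", "-" and "!" rules and @STRENGTH move suites between the two lists.

```rust
// Added example, not code from the TlsConfig crate or from BoringSSL: a
// small interpreter for the two-list cipher rule language that cipher_list
// accepts. The suite table is a constructed subset and the keyword matching
// is a simplification of the real BoringSSL grammar.

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Suite {
    pub name: &'static str,
    pub kx: &'static str,  // key exchange: "ECDHE" or "RSA"
    pub enc: &'static str, // bulk cipher family: "AES128", "AES256", "CHACHA20", "3DES"
    pub bits: u16,         // effective key strength, used by @STRENGTH
}

/// Default ordering of the disabled-but-available list before any rule runs.
pub const DEFAULT_ORDER: &[Suite] = &[
    Suite { name: "ECDHE-ECDSA-AES128-GCM-SHA256", kx: "ECDHE", enc: "AES128", bits: 128 },
    Suite { name: "ECDHE-RSA-AES128-GCM-SHA256", kx: "ECDHE", enc: "AES128", bits: 128 },
    Suite { name: "ECDHE-ECDSA-AES256-GCM-SHA384", kx: "ECDHE", enc: "AES256", bits: 256 },
    Suite { name: "ECDHE-RSA-CHACHA20-POLY1305", kx: "ECDHE", enc: "CHACHA20", bits: 256 },
    Suite { name: "AES128-GCM-SHA256", kx: "RSA", enc: "AES128", bits: 128 },
    Suite { name: "DES-CBC3-SHA", kx: "RSA", enc: "3DES", bits: 112 },
];

/// A word such as "ECDHE+AES128" matches only suites satisfying every part.
fn matches(s: &Suite, word: &str) -> bool {
    word.split('+').all(|w| w == "ALL" || w == s.name || w == s.kx || w == s.enc)
}

/// Applies a colon-separated rule string and returns the enabled list in
/// preference order. Unknown words are an error, as they are in BoringSSL.
pub fn apply_cipher_list(rules: &str) -> Result<Vec<&'static str>, String> {
    let mut enabled: Vec<Suite> = Vec::new();
    let mut available: Vec<Suite> = DEFAULT_ORDER.to_vec();
    for rule in rules.split(':').filter(|r| !r.is_empty()) {
        if rule == "@STRENGTH" {
            // Stable sort: suites of equal strength keep their relative order.
            enabled.sort_by(|a, b| b.bits.cmp(&a.bits));
            continue;
        }
        let (op, word) = match rule.as_bytes()[0] {
            b'-' | b'!' | b'+' => (rule.as_bytes()[0], &rule[1..]),
            _ => (b' ', rule),
        };
        let hit = |s: &Suite| matches(s, word);
        if !DEFAULT_ORDER.iter().any(hit) {
            return Err(format!("unknown cipher rule: {}", rule));
        }
        match op {
            b' ' => {
                // Enable: append matching available suites, in their default order.
                let (m, rest): (Vec<Suite>, Vec<Suite>) = available.into_iter().partition(hit);
                available = rest;
                enabled.extend(m);
            }
            b'+' => {
                // Move matching enabled suites to the end (lowest preference).
                let (m, rest): (Vec<Suite>, Vec<Suite>) = enabled.into_iter().partition(hit);
                enabled = rest;
                enabled.extend(m);
            }
            b'-' => {
                // Disable: move matching enabled suites back to the available list.
                let (m, rest): (Vec<Suite>, Vec<Suite>) = enabled.into_iter().partition(hit);
                enabled = rest;
                available.extend(m);
            }
            _ => {
                // '!': delete from both lists so no later rule can re-enable them.
                enabled.retain(|s| !hit(s));
                available.retain(|s| !hit(s));
            }
        }
    }
    Ok(enabled.iter().map(|s| s.name).collect())
}

fn main() {
    for rules in ["ECDHE:!3DES:-ECDHE-RSA-CHACHA20-POLY1305:AES128", "ALL:@STRENGTH", "ALL:+ECDHE", "BOGUS"] {
        println!("{:?} -> {:?}", rules, apply_cipher_list(rules));
    }
}
```

The difference between "-" and "!" is the one that matters when hardening a list: a suite disabled with "-" comes back as soon as a later rule such as ALL matches it, whereas "!" keeps it out for the rest of the string.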

curves: Option<Cow<'static, [SslCurve]>>

Sets the context's supported groups for key exchange, sent in the supported_groups extension in preference order.

sigalgs_list: Option<Cow<'static, str>>

Sets the context's supported signature algorithms (the signature_algorithms extension, RFC 8446 section 4.2.3).

cert_compression_algorithm: Option<Cow<'static, [CertCompressionAlgorithm]>>

Enables TLS 1.3 certificate compression (RFC 8879) with the listed algorithms, advertised in the compress_certificate extension in preference order.

extension_permutation_indices: Option<Cow<'static, [u8]>>

Sets the context's extension permutation indices, a fixed ordering of the ClientHello extensions (compare permute_extensions, which randomizes the order).

aes_hw_override: Option<bool>

Sets whether detection of AES hardware acceleration should be overridden (forced on or off). Only used for the ECH extension.

random_aes_hw_override: bool

Sets whether the AES hardware override should be chosen at random. Only used for the ECH extension.

Implementations

impl TlsConfig

pub fn builder() -> TlsConfigBuilder<((), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), (), ())>

Creates a builder for TlsConfig. Every setter on the builder is optional and is named after the field it sets: .cert_store(...), .cert_verification(...), .tls_sni(...), .verify_hostname(...), .alpn_protos(...), .alps_protos(...), .alps_use_new_codepoint(...), .session_ticket(...), .min_tls_version(...), .max_tls_version(...), .pre_shared_key(...), .enable_ech_grease(...), .permute_extensions(...), .grease_enabled(...), .enable_ocsp_stapling(...), .enable_signed_cert_timestamps(...), .record_size_limit(...), .psk_skip_session_ticket(...), .key_shares_limit(...), .psk_dhe_ke(...), .renegotiation(...), .delegated_credentials(...), .cipher_list(...), .curves(...), .sigalgs_list(...), .cert_compression_algorithm(...), .extension_permutation_indices(...), .aes_hw_override(...), .random_aes_hw_override(...). Finally, call .build() to create the TlsConfig instance.

Trait Implementations

impl Debug for TlsConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for TlsConfig

fn default() -> Self

Returns the "default value" for a type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized
    fn type_id(&self) -> TypeId
    Gets the TypeId of self.

impl<T> Borrow<T> for T where T: ?Sized
    fn borrow(&self) -> &T
    Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized
    fn borrow_mut(&mut self) -> &mut T
    Mutably borrows from an owned value.

impl<T> From<T> for T
    fn from(t: T) -> T
    Returns the argument unchanged.

impl<T> Instrument for T
    fn instrument(self, span: Span) -> Instrumented<Self>
    Instruments this type with the provided Span, returning an Instrumented wrapper.
    fn in_current_span(self) -> Instrumented<Self>
    Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T where U: From<T>
    fn into(self) -> U
    Calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T
    fn into_either(self, into_left: bool) -> Either<Self, Self>
    Converts self into a Left variant of Either<Self, Self> if into_left is true, and into a Right variant otherwise.
    fn into_either_with<F>(self, into_left: F) -> Either<Self, Self> where F: FnOnce(&Self) -> bool
    Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true, and into a Right variant otherwise.

impl<T> Pointable for T
    const ALIGN: usize
    The alignment of the pointer.
    type Init = T
    The type for initializers.
    unsafe fn init(init: <T as Pointable>::Init) -> usize
    Initializes a value with the given initializer.
    unsafe fn deref<'a>(ptr: usize) -> &'a T
    Dereferences the given pointer.
    unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T
    Mutably dereferences the given pointer.
    unsafe fn drop(ptr: usize)
    Drops the object pointed to by the given pointer.

impl<T> Same for T
    type Output = T
    Should always be Self.

impl<T, U> TryFrom<U> for T where U: Into<T>
    type Error = Infallible
    The type returned in the event of a conversion error.
    fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
    Performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>
    type Error = <U as TryFrom<T>>::Error
    The type returned in the event of a conversion error.
    fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>
    Performs the conversion.

impl<V, T> VZip<V> for T where V: MultiLane<T>
    fn vzip(self) -> V

impl<T> WithSubscriber for T
    fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where S: Into<Dispatch>
    Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.
    fn with_current_subscriber(self) -> WithDispatch<Self>
    Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.