Struct rustls::ConfigBuilder[−][src]

pub struct ConfigBuilder<Side: ConfigSide, State> { /* fields omitted */ }

Expand description

Building a ServerConfig or ClientConfig in a linker-friendly and complete way.

Linker-friendly: meaning unused cipher suites, protocol versions, key exchange mechanisms, etc. can be discarded by the linker as they’ll be unreferenced.

Complete: the type system ensures all decisions required to run a server or client have been made by the time the process finishes.

Example, to make a ServerConfig:

ServerConfig::builder()
    .with_safe_default_cipher_suites()
    .with_safe_default_kx_groups()
    .with_safe_default_protocol_versions()
    .unwrap()
    .with_no_client_auth()
    .with_single_cert(certs, private_key)
    .expect("bad certificate/key");

This may be shortened to:

ServerConfig::builder()
    .with_safe_defaults()
    .with_no_client_auth()
    .with_single_cert(certs, private_key)
    .expect("bad certificate/key");

To make a ClientConfig:

ClientConfig::builder()
    .with_safe_default_cipher_suites()
    .with_safe_default_kx_groups()
    .with_safe_default_protocol_versions()
    .unwrap()
    .with_root_certificates(root_certs, trusted_ct_logs)
    .with_single_cert(certs, private_key)
    .expect("bad certificate/key");

This may be shortened to:

ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_certs, trusted_ct_logs)
    .with_no_client_auth();

The types used here fit together like this:

Call ClientConfig::builder() or ServerConfig::builder() to initialize a builder.
You must make a decision on which cipher suites to use, typically by calling ConfigBuilder<S, WantsCipherSuites>::with_safe_default_cipher_suites().
Now you must make a decision on key exchange groups: typically by calling ConfigBuilder<S, WantsKxGroups>::with_safe_default_kx_groups().
Now you must make a decision on which protocol versions to support, typically by calling ConfigBuilder<S, WantsVersions>::with_safe_default_protocol_versions().
Now see ConfigBuilder<ClientConfig, WantsVerifier> or ConfigBuilder<ServerConfig, WantsVerifier> for further steps.

Implementations

[src]

impl<S: ConfigSide> ConfigBuilder<S, WantsCipherSuites>

[src]

pub fn with_safe_defaults(self) -> ConfigBuilder<S, WantsVerifier>

Start side-specific config with defaults for underlying cryptography.

These are safe defaults, useful for 99% of applications.

[src]

pub fn with_cipher_suites(
    self, 
    cipher_suites: &[SupportedCipherSuite]
) -> ConfigBuilder<S, WantsKxGroups>

Choose a specific set of cipher suites.

[src]

pub fn with_safe_default_cipher_suites(self) -> ConfigBuilder<S, WantsKxGroups>

Choose the default set of cipher suites.

Note that this default provides only high-quality suites: there is no need to filter out low-, export- or NULL-strength cipher suites: rustls does not implement these.

[src]

impl<S: ConfigSide> ConfigBuilder<S, WantsKxGroups>

[src]

pub fn with_kx_groups(
    self, 
    kx_groups: &[&'static SupportedKxGroup]
) -> ConfigBuilder<S, WantsVersions>

Choose a specific set of key exchange groups.

[src]

pub fn with_safe_default_kx_groups(self) -> ConfigBuilder<S, WantsVersions>

Choose the default set of key exchange groups.

This is a safe default: rustls doesn’t implement any poor-quality groups.

[src]

impl<S: ConfigSide> ConfigBuilder<S, WantsVersions>

[src]

pub fn with_safe_default_protocol_versions(
    self
) -> Result<ConfigBuilder<S, WantsVerifier>, Error>

Accept the default protocol versions: both TLS1.2 and TLS1.3 are enabled.

[src]

pub fn with_protocol_versions(
    self, 
    versions: &[&'static SupportedProtocolVersion]
) -> Result<ConfigBuilder<S, WantsVerifier>, Error>

Use a specific set of protocol versions.

[src]

impl ConfigBuilder<ClientConfig, WantsVerifier>

[src]

pub fn with_root_certificates(
    self, 
    root_store: RootCertStore, 
    ct_logs: &'static [&'static Log<'_>]
) -> ConfigBuilder<ClientConfig, WantsClientCert>

Choose how to verify client certificates.

[src]

pub fn with_custom_certificate_verifier(
    self, 
    verifier: Arc<dyn ServerCertVerifier>
) -> ConfigBuilder<ClientConfig, WantsClientCert>

Set a custom certificate verifier.

[src]

impl ConfigBuilder<ClientConfig, WantsClientCert>

[src]

pub fn with_single_cert(
    self, 
    cert_chain: Vec<Certificate>, 
    key_der: PrivateKey
) -> Result<ClientConfig, Error>

Sets a single certificate chain and matching private key for use in client authentication.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

[src]

pub fn with_no_client_auth(self) -> ClientConfig

Do not support client auth.

[src]

pub fn with_client_cert_resolver(
    self, 
    client_auth_cert_resolver: Arc<dyn ResolvesClientCert>
) -> ClientConfig

Sets a custom ResolvesClientCert.

[src]

impl ConfigBuilder<ServerConfig, WantsVerifier>

[src]

pub fn with_client_cert_verifier(
    self, 
    client_cert_verifier: Arc<dyn ClientCertVerifier>
) -> ConfigBuilder<ServerConfig, WantsServerCert>

Choose how to verify client certificates.

[src]

pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert>

Disable client authentication.

[src]

impl ConfigBuilder<ServerConfig, WantsServerCert>

[src]

pub fn with_single_cert(
    self, 
    cert_chain: Vec<Certificate>, 
    key_der: PrivateKey
) -> Result<ServerConfig, Error>

Sets a single certificate chain and matching private key. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

Note that the end-entity certificate must have the Subject Alternative Name extension to describe, e.g., the valid DNS name. The commonName field is disregarded.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key.

This function fails if key_der is invalid.

[src]

pub fn with_single_cert_with_ocsp_and_sct(
    self, 
    cert_chain: Vec<Certificate>, 
    key_der: PrivateKey, 
    ocsp: Vec<u8>, 
    scts: Vec<u8>
) -> Result<ServerConfig, Error>

Sets a single certificate chain, matching private key, OCSP response and SCTs. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA, ECDSA, or Ed25519 private key. ocsp is a DER-encoded OCSP response. Ignored if zero length. scts is an SignedCertificateTimestampList encoding (see RFC6962) and is ignored if empty.

This function fails if key_der is invalid.

[src]

pub fn with_cert_resolver(
    self, 
    cert_resolver: Arc<dyn ResolvesServerCert>
) -> ServerConfig

Sets a custom ResolvesServerCert.

Trait Implementations

[src]

impl<Side: Clone + ConfigSide, State: Clone> Clone for ConfigBuilder<Side, State>

[src]

fn clone(&self) -> ConfigBuilder<Side, State>

Returns a copy of the value. Read more

1.0.0[src]

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

Auto Trait Implementations

impl<Side, State> RefUnwindSafe for ConfigBuilder<Side, State> where
    Side: RefUnwindSafe,
    State: RefUnwindSafe,

impl<Side, State> Send for ConfigBuilder<Side, State> where
    Side: Send,
    State: Send,

impl<Side, State> Sync for ConfigBuilder<Side, State> where
    Side: Sync,
    State: Sync,

impl<Side, State> Unpin for ConfigBuilder<Side, State> where
    Side: Unpin,
    State: Unpin,

impl<Side, State> UnwindSafe for ConfigBuilder<Side, State> where
    Side: UnwindSafe,
    State: UnwindSafe,

Blanket Implementations

[src]

impl<T> Any for T where
    T: 'static + ?Sized,

[src]

pub fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

[src]

impl<T> Borrow<T> for T where
    T: ?Sized,

[src]

pub fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

[src]

impl<T> BorrowMut<T> for T where
    T: ?Sized,

[src]

pub fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

[src]

impl<T> From<T> for T

[src]

pub fn from(t: T) -> T

Performs the conversion.

[src]

impl<T, U> Into<U> for T where
    U: From<T>,

[src]

pub fn into(self) -> U

Performs the conversion.

[src]

impl<T> ToOwned for T where
    T: Clone,

type Owned = T

The resulting type after obtaining ownership.

[src]

pub fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more

[src]

pub fn clone_into(&self, target: &mut T)

🔬 This is a nightly-only experimental API. (toowned_clone_into)

recently added

Uses borrowed data to replace owned data, usually by cloning. Read more

[src]

impl<T, U> TryFrom<U> for T where
    U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

[src]

pub fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

[src]

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

[src]

pub fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.