pub struct TlsConfig {
    pub sni: Option<String>,
    pub cert_file: Option<PathBuf>,
    pub key_file: Option<PathBuf>,
    pub managed: Option<ManagedSpec>,
    pub enable_zero_rtt: bool,
    pub client_auth: Option<ClientAuthConfig>,
    pub ocsp_path: Option<PathBuf>,
    pub ocsp_fetch: bool,
}

Description
Listener-side TLS termination config — paths to the cert chain + private key in PEM, plus an optional SNI hostname this cert serves.
sni: None marks the cert as the listener’s default — used when
the ClientHello has no SNI extension, or when the SNI doesn’t
match any of the listener’s Some(_) entries. A listener has at
most one default cert.
SNI hostnames are normalised to ASCII-lowercase at every ingest
boundary per spec/crates/engine-tls.md § SNI peek (L4, no decrypt); comparison against
rustls’s already-lowercased ClientHello::server_name() is then
byte-for-byte.
Fields

sni: Option<String>
Optional SNI hostname this cert serves; None marks the listener's default cert (see the description above).

cert_file: Option<PathBuf>
Path to the leaf+chain PEM. Required when the cert is operator-supplied (static); absent when the cert comes from managed. Per-rule validation enforces "exactly one of static paths or managed"; lower-pass branches on the result.

key_file: Option<PathBuf>
Path to the private key PEM. Same lifecycle as cert_file.

managed: Option<ManagedSpec>
ACME-managed cert source. When set, cert_file / key_file must be absent. The compiler routes this rule into the listener's managed_snis table; the engine's ManagedCertPopulator supplies the actual cert.

enable_zero_rtt: bool
Listener-side TLS 1.3 0-RTT opt-in. Required on every rule that carries a tls block; rules sharing one listener must agree on this value (lower aggregates them). See spec/crates/engine-tls.md § TLS 1.3 0-RTT (early data).

client_auth: Option<ClientAuthConfig>
Listener-side mTLS — per spec/crates/engine-tls.md § Client certificate verification (mTLS on listener). Per-rule input; the lower pass aggregates each rule's client_auth into one ClientAuthSpec per listener address (rules on the same listener must agree, else compile error). None keeps the listener at ClientAuth::None.

ocsp_path: Option<PathBuf>
Path to a pre-fetched OCSP response (DER) on disk. The populator reads this file at every refresh and stages the bytes into the resolver. Useful for HTTPS-only OCSP responders (which vane does not fetch from — see spec/crates/engine-tls.md § OCSP stapling) and for air-gapped deployments where the operator cron-runs openssl ocsp themselves. Mutually exclusive with Self::ocsp_fetch.

ocsp_fetch: bool
When true, the populator extracts the OCSP responder URL from the cert's AIA extension and fetches the response over HTTP at refresh time. HTTP-only by policy (per spec/crates/engine-tls.md § OCSP stapling). Mutually exclusive with Self::ocsp_path.
Implementations

impl TlsConfig

pub const fn is_managed(&self) -> bool
true when this tls block routes through ACME, not static disk paths. Inverse of Self::is_static.

pub const fn is_static(&self) -> bool
true when both cert_file and key_file are present and managed is absent. The lower pass guarantees this for every TlsConfig it stores in ListenerTlsSpec::default / ListenerTlsSpec::sni_certs, so static-cert consumers can rely on the static-paths invariant downstream.

pub fn static_paths(&self) -> Option<(&Path, &Path)>
Static cert paths if this is a static config. The lower pass guarantees (cert_file, key_file) are both Some whenever managed is None, so this returns Some for every post-lower static TlsConfig.

pub fn validate(&self) -> Result<(), Error>
Per-rule pre-lower validation per spec/crates/engine-acme.md § Configuration schema and spec/crates/engine-tls.md § Upstream-side TLS:

- Exactly one of (cert_file ∧ key_file) or managed is present.
- When managed is set, every required ManagedSpec invariant holds: agree_tos == true, non-empty contact, non-empty san, tls.sni ∈ san, no wildcard SAN unless dns-01, dns-01 ⇒ dns_provider, renew_before parses to a positive Duration.

Errors
Returns Error::compile with a single sentence pointing at
the offending field. The error string is operator-readable —
the vane compile UI surfaces it verbatim.
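The validation rules listed above, worked through as an added stand-alone example; this is not vane's own code. The types are simplified stand-ins (a `Challenge` enum and an integer `renew_before_secs` replace the real ManagedSpec fields), and the error type is a plain String rather than Error::compile.

```rust
use std::path::PathBuf;
#[derive(Clone, Copy, PartialEq)]
pub enum Challenge { Http01, Dns01 }
#[derive(Clone)]
pub struct ManagedSpec {
    pub agree_tos: bool,
    pub contact: String,
    pub san: Vec<String>,
    pub challenge: Challenge,
    pub dns_provider: Option<String>,
    pub renew_before_secs: i64, // stand-in for the parsed `renew_before` Duration
}

pub struct TlsConfig {
    pub sni: Option<String>,
    pub cert_file: Option<PathBuf>,
    pub key_file: Option<PathBuf>,
    pub managed: Option<ManagedSpec>,
}

impl TlsConfig {
    /// Err carries one operator-readable sentence naming the offending field.
    pub fn validate(&self) -> Result<(), String> {
        if self.cert_file.is_some() != self.key_file.is_some() {
            return Err("tls: cert_file and key_file must be set together".into());
        }
        // Exactly one of (cert_file ∧ key_file) or managed.
        let m = match (self.cert_file.is_some(), &self.managed) {
            (true, Some(_)) => return Err("tls: cert_file/key_file and managed are mutually exclusive".into()),
            (false, None) => return Err("tls: one of cert_file+key_file or managed is required".into()),
            (true, None) => return Ok(()), // static config: nothing more to check pre-lower
            (false, Some(m)) => m,
        };
        if !m.agree_tos { return Err("managed.agree_tos must be true".into()); }
        if m.contact.is_empty() { return Err("managed.contact must be non-empty".into()); }
        if m.san.is_empty() { return Err("managed.san must be non-empty".into()); }
        // SNI is ASCII-lowercased at ingest; lowercase the SAN list so the membership test matches.
        if let Some(s) = self.sni.as_deref().map(str::to_ascii_lowercase) {
            if !m.san.iter().any(|n| n.to_ascii_lowercase() == s) {
                return Err(format!("tls.sni {s} is not listed in managed.san"));
            }
        }
        let wildcard = m.san.iter().any(|n| n.starts_with("*."));
        if wildcard && m.challenge != Challenge::Dns01 { return Err("managed.san: a wildcard SAN requires dns-01".into()); }
        if m.challenge == Challenge::Dns01 && m.dns_provider.is_none() { return Err("managed.dns_provider is required for dns-01".into()); }
        if m.renew_before_secs <= 0 { return Err("managed.renew_before must be a positive duration".into()); }
        Ok(())
    }
}
```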