Skip to main content

Module tls

Module tls 

Source
Expand description

Inbound TLS termination (Phase 12).

Basic, cert-from-file termination is OPEN core (BOUNDARY.md §3.2): it makes a single node self-sufficient for https://. Cert management at scale — ACME/Let’s Encrypt, rotation, centralized multi-node certs, mTLS with managed PKI — is ENTERPRISE (governance/scale) and plugs in behind the TlsCertSource seam, the §4 boundary pattern: the OPEN tier ships FileCertSource; an enterprise crate provides an at-scale impl of the SAME trait.

ALPN advertises h2 + http/1.1 (config-driven) so an h2-capable client (e.g. gRPC-over-TLS, a later phase) negotiates HTTP/2 while an h1-only client falls back cleanly — both then flow through the SAME protocol-neutral handle().

No silent downgrade: when TLS is enabled the listener serves ONLY TLS. A required cert that cannot be loaded is a fatal boot error (acceptor_from_config returns Err, the proxy refuses to bind) — never a fallback to cleartext on the same port.

Structs§

FileCertSource
OPEN cert source: read a PEM certificate chain + private key from two files.
TlsMaterial
Server certificate material: a leaf-first chain + its private key, as rustls DER types.

Enums§

TlsError
Why building the TLS terminator failed. All variants are fatal at boot (a required TLS that cannot be built must stop the proxy, never degrade to cleartext).

Traits§

TlsCertSource
Source of the server’s TLS certificate material — the §4 boundary seam. FileCertSource is the OPEN implementation; ACME/rotation/managed-PKI are enterprise implementations of this same trait (the core depends only on the trait, never on the at-scale impl).

Functions§

acceptor_from_config
Build the TlsAcceptor from config with the default OPEN FileCertSource. Thin wrapper over acceptor_from_source with no injected source.
acceptor_from_source
Build the TlsAcceptor with an injected cert source, or Ok(None) when TLS is off. tls.enabled (operator switch) and tls.alpn still come from config; the source only governs cert provenance — when Some, the file paths in config are ignored, so an enterprise ACME/managed-PKI source needs no cert_path/key_path. None falls back to the OPEN FileCertSource. An enabled-but-unbuildable terminator is Err → the proxy fails to bind (fatal boot, no silent cleartext fallback).
build_server_config
Build a rustls ServerConfig from a cert source + ALPN list. Uses the ring crypto provider explicitly (no process-global install_default, so multiple configs — e.g. in tests — never race over the default).