Diffstat (limited to 'ext/tls/lib.rs')
-rw-r--r--ext/tls/lib.rs47
1 files changed, 38 insertions, 9 deletions
diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs
index 323946601..3f276fcd0 100644
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -157,11 +157,23 @@ pub fn create_default_root_cert_store() -> RootCertStore {
root_cert_store
}
+pub enum SocketUse {
+ /// General SSL: No ALPN
+ GeneralSsl,
+ /// HTTP: h1 and h2
+ Http,
+ /// http/1.1 only
+ Http1Only,
+ /// http/2 only
+ Http2Only,
+}
+
pub fn create_client_config(
root_cert_store: Option<RootCertStore>,
ca_certs: Vec<Vec<u8>>,
unsafely_ignore_certificate_errors: Option<Vec<String>>,
client_cert_chain_and_key: Option<(String, String)>,
+ socket_use: SocketUse,
) -> Result<ClientConfig, AnyError> {
let maybe_cert_chain_and_key =
if let Some((cert_chain, private_key)) = client_cert_chain_and_key {
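Review bot: `SocketUse` is a new public enum with no derives, so callers cannot log it, compare it or copy it into a config struct, and the variant docs mix "SSL"/"http" wording; add `#[derive(Debug, Clone, Copy, PartialEq, Eq)]` above `pub enum SocketUse {` and reword the first variant doc to `/// Plain TLS: no ALPN is offered, so the server cannot select an application protocol.` The `create_client_config` signature gains a required `socket_use` argument, which is a breaking change for every existing caller; a one-line `///` on the function saying that `socket_use` only sets the ALPN list and that `GeneralSsl` leaves it empty would make the new parameter self-explanatory. The body of `create_client_config` continues past the end of this hunk.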
@@ -184,7 +196,7 @@ pub fn create_client_config(
// However it's not really feasible to deduplicate it as the `client_config` instances
// are not type-compatible - one wants "client cert", the other wants "transparency policy
// or client cert".
- let client =
+ let mut client =
if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key {
client_config
.with_client_auth_cert(cert_chain, private_key)
@@ -193,6 +205,7 @@ pub fn create_client_config(
client_config.with_no_client_auth()
};
+ add_alpn(&mut client, socket_use);
return Ok(client);
}
@@ -220,18 +233,34 @@ pub fn create_client_config(
root_cert_store
});
- let client = if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key
- {
- client_config
- .with_client_auth_cert(cert_chain, private_key)
- .expect("invalid client key or certificate")
- } else {
- client_config.with_no_client_auth()
- };
+ let mut client =
+ if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key {
+ client_config
+ .with_client_auth_cert(cert_chain, private_key)
+ .expect("invalid client key or certificate")
+ } else {
+ client_config.with_no_client_auth()
+ };
+ add_alpn(&mut client, socket_use);
Ok(client)
}
+fn add_alpn(client: &mut ClientConfig, socket_use: SocketUse) {
+ match socket_use {
+ SocketUse::Http1Only => {
+ client.alpn_protocols = vec!["http/1.1".into()];
+ }
+ SocketUse::Http2Only => {
+ client.alpn_protocols = vec!["h2".into()];
+ }
+ SocketUse::Http => {
+ client.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
+ }
+ SocketUse::GeneralSsl => {}
+ };
+}
+
pub fn load_certs(
reader: &mut dyn BufRead,
) -> Result<Vec<Certificate>, AnyError> {