Struct rustls::ServerConfig

source · [−]

pub struct ServerConfig {
    pub ciphersuites: Vec<&'static SupportedCipherSuite>,
    pub ignore_client_order: bool,
    pub mtu: Option<usize>,
    pub session_storage: Arc<dyn StoresServerSessions + Send + Sync>,
    pub ticketer: Arc<dyn ProducesTickets>,
    pub cert_resolver: Arc<dyn ResolvesServerCert>,
    pub alpn_protocols: Vec<Vec<u8>>,
    pub versions: Vec<ProtocolVersion>,
    pub key_log: Arc<dyn KeyLog>,
    /* private fields */
}

Expand description

Common configuration for a set of server sessions.

Making one of these can be expensive, and should be once per process rather than once per connection.

Fields

ciphersuites: Vec<&'static SupportedCipherSuite>

List of ciphersuites, in preference order.

ignore_client_order: bool

Ignore the client’s ciphersuite order. Instead, choose the top ciphersuite in the server list which is supported by the client.

mtu: Option<usize>

Our MTU. If None, we don’t limit TLS message sizes.

session_storage: Arc<dyn StoresServerSessions + Send + Sync>

How to store client sessions.

ticketer: Arc<dyn ProducesTickets>

How to produce tickets.

cert_resolver: Arc<dyn ResolvesServerCert>

How to choose a server cert and key.

alpn_protocols: Vec<Vec<u8>>

Protocol names we support, most preferred first. If empty we don’t do ALPN at all.

versions: Vec<ProtocolVersion>

Supported protocol versions, in no particular order. The default is all supported versions.

key_log: Arc<dyn KeyLog>

How to output key material for debugging. The default does nothing.

Implementations

source

impl ServerConfig

source

pub fn new(client_cert_verifier: Arc<dyn ClientCertVerifier>) -> ServerConfig

Make a ServerConfig with a default set of ciphersuites, no keys/certificates, and no ALPN protocols. Session resumption is enabled by storing up to 256 recent sessions in memory. Tickets are disabled.

Publicly-available web servers on the internet generally don’t do client authentication; for this use case, client_cert_verifier should be a NoClientAuth. Otherwise, use AllowAnyAuthenticatedClient or another implementation to enforce client authentication.

We don’t provide a default for client_cert_verifier because the safest default, requiring client authentication, requires additional configuration that we cannot provide reasonable defaults for.

source

pub fn set_persistence(
&mut self,
persist: Arc<dyn StoresServerSessions + Send + Sync>
)

Sets the session persistence layer to persist.

source

pub fn set_single_cert(
 &mut self,
 cert_chain: Vec<Certificate>,
 key_der: PrivateKey
) -> Result<(), TLSError>

Sets a single certificate chain and matching private key. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

Note that the end-entity certificate must have the Subject Alternative Name extension to describe, e.g., the valid DNS name. The commonName field is disregarded.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA or ECDSA private key.

This function fails if key_der is invalid.

source

pub fn set_single_cert_with_ocsp_and_sct(
 &mut self,
 cert_chain: Vec<Certificate>,
 key_der: PrivateKey,
 ocsp: Vec<u8>,
 scts: Vec<u8>
) -> Result<(), TLSError>

Sets a single certificate chain, matching private key and OCSP response. This certificate and key is used for all subsequent connections, irrespective of things like SNI hostname.

cert_chain is a vector of DER-encoded certificates. key_der is a DER-encoded RSA or ECDSA private key. ocsp is a DER-encoded OCSP response. Ignored if zero length. scts is an SignedCertificateTimestampList encoding (see RFC6962) and is ignored if empty.

This function fails if key_der is invalid.

source