01 extern crate openssl;
02 extern crate tokio_openssl;
03 use std::collections::HashMap;
04
05 use openssl::error::ErrorStack;
06 use openssl::ssl::NameType;
07 use openssl::ssl::SniError;
08 use openssl::ssl::SslContextBuilder;
09 use openssl::ssl::SslVersion;
10 use openssl::ssl::SslVerifyMode;
11 use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
12
13 use crate::config;
14
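/// Builds the TLS acceptor for every configured virtual host.
///
/// One `SslContext` is built per entry of `cfg.server`, loading the private
/// key from `server.key` and the certificate chain from `server.cert`. The
/// first entry is additionally registered under the `"default"` key and is
/// used for connections whose SNI name matches no configured hostname, or
/// that send no SNI at all.
///
/// Client certificates are *requested* (`SslVerifyMode::PEER`) but never
/// validated: the verify callback accepts every certificate, so a peer
/// certificate seen downstream has not been checked against any CA and must
/// not be treated as authenticated on that basis.
///
/// # Errors
///
/// Returns the OpenSSL [`ErrorStack`] when the acceptor or a per-host context
/// cannot be created, or when a key / certificate file cannot be loaded (the
/// load failure is also logged).
pub fn acceptor_conf(cfg: config::Config) -> Result<SslAcceptor, ErrorStack> {
    let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls_server())?;
    acceptor.set_min_proto_version(Some(SslVersion::TLS1_2))?;

    let mut map = HashMap::new();
    for server in cfg.server.iter() {
        let mut ctx = SslContextBuilder::new(SslMethod::tls_server())?;
        // Apply the same protocol floor as the acceptor, so a context swapped
        // in by the SNI callback cannot silently relax it.
        ctx.set_min_proto_version(Some(SslVersion::TLS1_2))?;
        ctx.set_verify(SslVerifyMode::NONE);
        ctx.set_private_key_file(&server.key, SslFiletype::PEM)
            .map_err(|e| {
                log::error!("Error: Can't load key file");
                e
            })?;
        ctx.set_certificate_chain_file(&server.cert)
            .map_err(|e| {
                log::error!("Error: Can't load cert file");
                e
            })?;
        let ctx = ctx.build();

        // The first configured host doubles as the fallback for unknown or
        // absent SNI names.
        if map.is_empty() {
            map.insert("default".to_string(), ctx.clone());
        }
        map.insert(server.hostname.clone(), ctx);
    }

    acceptor.set_servername_callback(move |ssl, _alert| -> Result<(), SniError> {
        // This runs inside OpenSSL's handshake callback on peer-supplied
        // input, so it must never panic: a missing context (e.g. an empty
        // server list, hence no "default") or a failed context swap is
        // reported to the client as a fatal alert instead.
        let ctx = ssl
            .servername(NameType::HOST_NAME)
            .and_then(|host| map.get(host))
            .or_else(|| map.get("default"))
            .ok_or(SniError::ALERT_FATAL)?;
        ssl.set_ssl_context(ctx).map_err(|_| SniError::ALERT_FATAL)?;

        // Request a client certificate but accept whatever is presented;
        // nothing is verified against a CA here (see the function docs).
        ssl.set_verify_callback(SslVerifyMode::PEER, |_preverify_ok, _store| true);

        Ok(())
    });

    Ok(acceptor.build())
}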