This removes a requirement that an implementation of ClientCertVerifier
produce a fresh Vec of acceptable root Subjects on each call. Instead,
the ClientCertVerifier can store a list of acceptable root subjects and
return references to it, which seems like the most common use case by far.
For client_auth_mandatory and client_auth_root_subjects, it was possible
to return None to abort the connection. With the removal of the `sni`
input parameter, this no longer makes sense, so remove the
Option-wrapping of these return values.
Previously the example directories weren't being tested with
`--no-default-features`, letting bitrot affect those configurations.
This commit includes those directories in the `--no-default-features`
task that run `cargo test`.
This commit simplifies the examples sub project to make logging
mandatory instead of an optional feature flag.
In general this is easier to reason about for small example code, and it
resolves a build error that was present when building w/
`--no-default-features` due to the unconditional use of the `log` crate.
Previously this was removed when adding `Arc<dyn StdError>` as an enum
field for CertificateError, which made it impossible to automatically
derive PartialEq for the whole enum. Trait objects (dyn Trait) don't
implement PartialEq.
However, we can get back PartialEq on the whole Error struct by manually
implementing it for CertificateError, considering `Other` values to
never be equal.
Users that are iterating over a pile of root certificates (e.g. from
their system truststore) may call `RootCertStore::add` without realizing
that it will reject invalid certificates. These users should prefer the
more permissive `add_parseable_certificates`.
This commit introduces a rustdoc pointer from `add` to
`add_parseable_certificates` to hopefully make this more discoverable.
These subvariants were incidentally making enums from `internals` part
of the public API:
- CertificateStatusType
- KeyUpdateRequest
- ECCurveType
But these enums don't add much information. For instance,
CertificateStatusType only has one valid value (OCSP), and all other
values would be Unknown(u8). Reporting that level of detail for the
unexpected response probably belongs more in a byte-by-byte protocol
debugger than the workaday Error type.
Also, rename UnsupportedCurve to UnsupportedCurveType to be slightly
more accurate.
When the `quic::Connection` type was split out from the broader TLS
types consumers lost the ability to call `export_keying_material` to
achieve RFC 5705 keying material export. This commit adds the
`export_keying_material` fn to the `quic::Connection` type to restore
that functionality.
After splitting up the quic server connection types consumers lost the
ability to dig out the server name from the SNI extension the server
received. This commit adds the `server_name` function to
`quic::ServerConnection` to restore that ability.
The documentation retains mention of "server name indication" (SNI) for
folks that search the documentation with that more specific technical
term. For users not steeped in the deeper lore of TLS the new name
will be easier to find/understand.