The `rcgen` crate has cut a 0.11.2 release that includes the CRL
functionality we were using a Cargo patch to depend on previously. This
commit removes the patch, fixes one breakage in the server acceptor
example, and updates the `Cargo.toml` and `Cargo.lock` files.
This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.
This is intended to be minimalistic, and not a complete replacement
for *ring*.
It implements:
- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.
This means it can fetch www.rust-lang.org.
TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
This example has two main purposes:
1. It shows how to use the `Acceptor` API to customize a `ServerConfig`
per-connection, possibly using information from the received
`ClientHello`.
2. It shows how to load CRL information per-connection to ensure the
freshest CRL content is used when validating client certificate
revocation status.
Additionally this example uses `rcgen` to generate its own test PKI,
potentially being a helpful reference for folks that want to do similar
without needing to manually construct certs with `openssl`.
To simulate CRL updates this example program spawns a background thread
that periodically replaces the CRL content, flipping back and forth
between a CRL that lists the client certificate as revoked, and a CRL
that has no revoked certificates.
Using `tlsclient-mio` (or another TLS client program) with the generated
client certificate/key you can observe the CRL updates happening by
connecting to the server, waiting a little bit, and then connecting
again. The result will differ based on the CRL update:
```
$ cargo run --bin tlsclient-mio -- --auth-certs ./client-cert.pem --auth-key ./client-key.pem --cafile ca-cert.pem --port 4443 --http localhost
TLS error: AlertReceived(CertificateRevoked)
Connection closed
<waiting>
$ cargo run --bin tlsclient-mio -- --auth-certs ./client-cert.pem --auth-key ./client-key.pem --cafile ca-cert.pem --port 4443 --http localhost
EOF
Connection closed
```
webpki 0.22.0 has breaking API changes. The most notable change is the
renaming of some types to conform to Rust naming conventions, in support
of Rustls's recent similar effort.
- rustls (the library) now lives in rustls/
- the mio examples/tests continue to live in rustls-mio, but
are built by (eg) `cargo test` in the root of the repo.
Fuchsia doesn't support yet mio, and there is unfortunately no
way to run the rustls on Fuchsia as the crate is currently setup.
Unfortunately there is no way to make dev-dependencies optional (see
https://github.com/rust-lang/cargo/issues/1596), so this patch
migrates the examples into a subcrate so we can compile the
rustls tests without mio.
When cross compiling to operating systems like Fuchsia,
it's a little complicated to build the test binaries,
copy them and the test-ca files to the target, and make
sure that everything is executed with the correct working
directory. This PR makes it much easier to test rustls
by embedding the test-ca files directly into the test
binaries, which now can recreate a temporary test-ca directory
as needed. This allows us to just copy the executable over,
which really simplifies testing.
*ring* 0.13.0 will be released soon. There have been *many* changes
between *ring* 0.13.0-alpha and 0.13.0-alpha2 so there will be a
pre-release testing period.
- bogo_shim needs quic feature
- provide/check quic transport params in bogo_shim
- reject servers that handshake at TLS1.2, but include a quic transport
params extension.
- don't expose quic transport params extension for TLS1.2 clients.
These last two match BoringSSL.