These enums (AlertDescription, ContentType, and HandshakeType) were
previously only available as part of the private API. Eight months ago
we added a public reexport of their names, but did not remove the
private version to avoid semver breakage.
Now that we have a semver-incompatible version coming up we can move
these fully to the public API.
This can still be matched against, so move simple tests
from `assert_eq!(..,)` to `assert!(matches!(...))`.
In complex tests, prefer to have test failures that quote the
stringified errors; there's a helper function `assert_debug_eq` that
does that.
This also:
- corrects use of hs::incompatible for client certificate verification
failure.
- moves sni varying across hello retries to be a PeerMisbehaved, since
that is explicitly disallowed by the standard.
Instead, let the user configure the max TLS fragment size directly.
Report errors from ServerConnection::new like ClientConnection::new, so we
can report out of range fragment sizes.
If the system time is set to before the Unix epoch (probably not possible on
most operating systems) then computing the duration since the Unix epoch will
fail. Avoid that very unlikely case.
Add the time of retrieval (storage) to `ClientSessionValueWithResolvedCipherSuite`
since the lifetime of the needed time is exactly the lifetime of the value of that
type. (Perhaps `ClientSessionValueWithResolvedCipherSuite` could be given a better
name.)
In the future, if we were to refactor the `Ticekter` API to accept the current time
then we could probably reduce the number of times the current time is retrieved by
adding a `TimeBase` parameter to each of `encrypt()` and `decrypt()`.
Also stengthen the type used to represent the current time from `u64` to a new
`TimeBase` type.
I don't know if it's me or everyone, but debugging TLS setup issues
is usually non-trivial.
For example, right now I'm fighting with this issue:
an `openssl s_client` works fine, but a client implemented with
rustls fails with an error:
```
Custom { kind: InvalidData, error: WebPKIError(UnknownIssuer) }
```
`WebPKIError` can be emitted for several reasons. This PR adds the
operation name to the error. I have identified five operations:
* validate server certificate
* validate client certificate
* validate certificate for DNS name
* parse the certificate
* verify message signature
The error can be expanded further later, but even this basic list
will provide some clue where to look.
- rustls (the library) now lives in rustls/
- the mio examples/tests continue to live in rustls-mio, but
are built by (eg) `cargo test` in the root of the repo.