Logic to support client-side session reuse

author: Steven Fackler <[email protected]> 2017-03-25 15:45:40 +0000
committer: Steven Fackler <[email protected]> 2017-03-25 19:30:01 -0700
commit: c8d1698f275d2901a7fd65f318155acbd2dd02d3 (patch)
tree: b0366bd4db7059a7066cef2014152d1eb54b3666 /openssl/src/ssl/connector.rs
parent: Merge pull request #601 from pgerber/double_unlock (diff)
download: rust-openssl-c8d1698f275d2901a7fd65f318155acbd2dd02d3.tar.xz
rust-openssl-c8d1698f275d2901a7fd65f318155acbd2dd02d3.zip
1 files changed, 51 insertions, 6 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 73d7b675..548e3e97 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -93,11 +93,7 @@ impl SslConnector {
     pub fn connect<S>(&self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
         where S: Read + Write
     {
-        let mut ssl = try!(Ssl::new(&self.0));
-        try!(ssl.set_hostname(domain));
-        try!(setup_verify(&mut ssl, domain));
-
-        ssl.connect(stream)
+        try!(self.configure()).connect(domain, stream)
     }
 
     /// Initiates a client-side TLS session on a stream without performing hostname verification.
@@ -113,7 +109,56 @@ impl SslConnector {
             &self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
         where S: Read + Write
     {
-        try!(Ssl::new(&self.0)).connect(stream)
+        try!(self.configure())
+            .danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream)
+    }
+
+    /// Returns a structure allowing for configuration of a single TLS session before connection.
+    pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
+        Ssl::new(&self.0).map(ConnectConfiguration)
+    }
+}
+
+/// A type which allows for configuration of a client-side TLS session before connection.
+pub struct ConnectConfiguration(Ssl);
+
+impl ConnectConfiguration {
+    /// Returns a shared reference to the inner `Ssl`.
+    pub fn ssl(&self) -> &Ssl {
+        &self.0
+    }
+
+    /// Returns a mutable reference to the inner `Ssl`.
+    pub fn ssl_mut(&mut self) -> &mut Ssl {
+        &mut self.0
+    }
+
+    /// Initiates a client-side TLS session on a stream.
+    ///
+    /// The domain is used for SNI and hostname verification.
+    pub fn connect<S>(mut self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
+        where S: Read + Write
+    {
+        try!(self.0.set_hostname(domain));
+        try!(setup_verify(&mut self.0, domain));
+
+        self.0.connect(stream)
+    }
+
+    /// Initiates a client-side TLS session on a stream without performing hostname verification.
+    ///
+    /// The verification configuration of the connector's `SslContext` is not overridden.
+    ///
+    /// # Warning
+    ///
+    /// You should think very carefully before you use this method. If hostname verification is not
+    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This
+    /// introduces a significant vulnerability to man-in-the-middle attacks.
+    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<S>(
+            self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
+        where S: Read + Write
+    {
+        self.0.connect(stream)
     }
 }
author	Steven Fackler <[email protected]>	2017-03-25 15:45:40 +0000
committer	Steven Fackler <[email protected]>	2017-03-25 19:30:01 -0700
commit	c8d1698f275d2901a7fd65f318155acbd2dd02d3 (patch)
tree	b0366bd4db7059a7066cef2014152d1eb54b3666 /openssl/src/ssl/connector.rs
parent	Merge pull request #601 from pgerber/double_unlock (diff)
download	rust-openssl-c8d1698f275d2901a7fd65f318155acbd2dd02d3.tar.xz rust-openssl-c8d1698f275d2901a7fd65f318155acbd2dd02d3.zip