From c8d1698f275d2901a7fd65f318155acbd2dd02d3 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 25 Mar 2017 15:45:40 +0000 Subject: Logic to support client-side session reuse --- openssl/src/ssl/connector.rs | 57 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 6 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 73d7b675..548e3e97 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -93,11 +93,7 @@ impl SslConnector { pub fn connect(&self, domain: &str, stream: S) -> Result, HandshakeError> where S: Read + Write { - let mut ssl = try!(Ssl::new(&self.0)); - try!(ssl.set_hostname(domain)); - try!(setup_verify(&mut ssl, domain)); - - ssl.connect(stream) + try!(self.configure()).connect(domain, stream) } /// Initiates a client-side TLS session on a stream without performing hostname verification. @@ -113,7 +109,56 @@ impl SslConnector { &self, stream: S) -> Result, HandshakeError> where S: Read + Write { - try!(Ssl::new(&self.0)).connect(stream) + try!(self.configure()) + .danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream) + } + + /// Returns a structure allowing for configuration of a single TLS session before connection. + pub fn configure(&self) -> Result { + Ssl::new(&self.0).map(ConnectConfiguration) + } +} + +/// A type which allows for configuration of a client-side TLS session before connection. +pub struct ConnectConfiguration(Ssl); + +impl ConnectConfiguration { + /// Returns a shared reference to the inner `Ssl`. + pub fn ssl(&self) -> &Ssl { + &self.0 + } + + /// Returns a mutable reference to the inner `Ssl`. + pub fn ssl_mut(&mut self) -> &mut Ssl { + &mut self.0 + } + + /// Initiates a client-side TLS session on a stream. + /// + /// The domain is used for SNI and hostname verification. + pub fn connect(mut self, domain: &str, stream: S) -> Result, HandshakeError> + where S: Read + Write + { + try!(self.0.set_hostname(domain)); + try!(setup_verify(&mut self.0, domain)); + + self.0.connect(stream) + } + + /// Initiates a client-side TLS session on a stream without performing hostname verification. + /// + /// The verification configuration of the connector's `SslContext` is not overridden. + /// + /// # Warning + /// + /// You should think very carefully before you use this method. If hostname verification is not + /// used, *any* valid certificate for *any* site will be trusted for use from any other. This + /// introduces a significant vulnerability to man-in-the-middle attacks. + pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication( + self, stream: S) -> Result, HandshakeError> + where S: Read + Write + { + self.0.connect(stream) } } -- cgit v1.2.3