Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor TLS API #388

Draft
wants to merge 15 commits into
base: master
Choose a base branch
from
Draft

Refactor TLS API #388

wants to merge 15 commits into from
+1,465 −647

Conversation

sagebind
Copy link
Owner

Refactor the API for SSL/TLS configuration. This accounts for the fact that the TLS engine can vary (as rustls is now an option) and corrects some confusing parts of the API that don't always make sense.

@sagebind
Refactor TLS API
9ea8ffb 
Refactor the API for SSL/TLS configuration. This accounts for the fact that the TLS engine can vary (as rustls is now an option) and corrects some confusing parts of the API that don't always make sense.
@sagebind sagebind added this to the 2.0.0 milestone Apr 28, 2022
@codecov
Copy link

codecov bot commented Jul 16, 2022
edited
Loading

Codecov Report

Base: 52.99% // Head: 52.42% // Decreases project coverage by -0.56% ⚠️

Coverage data is based on head (c39f6f8) compared to base (096aff7).
Patch coverage: 28.15% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #388      +/-   ##
==========================================
- Coverage   52.99%   52.42%   -0.57%     
==========================================
  Files          56       59       +3     
  Lines        5831     5951     +120     
==========================================
+ Hits         3090     3120      +30     
- Misses       2741     2831      +90
Impacted Files Coverage Δ
src/auth.rs 76.66% <0.00%> (ø)
src/config/proxy.rs 100.00% <ø> (ø)
src/error.rs 44.68% <0.00%> (+0.18%) ⬆️
tests/tls.rs 0.00% <0.00%> (ø)
src/tls/identity.rs 11.53% <11.53%> (ø)
src/tls/roots.rs 22.53% <22.53%> (ø)
src/tls/mod.rs 35.92% <35.92%> (ø)
src/config/mod.rs 69.33% <45.45%> (-4.50%) ⬇️
src/config/request.rs 71.05% <50.00%> (-2.56%) ⬇️
src/lib.rs 17.83% <50.00%> (+0.45%) ⬆️
... and 8 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

Xuanwo
Xuanwo reviewed Aug 19, 2022
View reviewed changes
src/config/mod.rs
/// ))
/// let response = Request::get("https://badssl.com")
/// .tls_config(TlsConfig::builder()
/// .danger_accept_invalid_certs(true)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm thinking about adding enable alike API:

.danger_accept_invalid_certs()

Or add API like accept_invalid_certs() but under inside feature insecure_tls?

src/tls/mod.rs

// If an empty list is provided, reset to default. Otherwise build up a
// string in curl format containing the cipher names.
if let Some(first) = iter.next() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the different with ciphers.into_iter().join(":")?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When an empty list is provided, we're simply not setting any ciphers, and allowing the TLS engine to choose whichever ciphers they think is best. If we actually set it to an empty list though, some TLS engines will interpret this as, "No ciphers are allowed" and basically reject all connections.

Copy link

@Xuanwo Xuanwo Aug 20, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about:

self.ciphers = Some(ciphers.into_iter().join(":")).filter(|v|!v.is_empty());

Looks nicer to me.

src/tls/mod.rs Outdated
Comment on lines 260 to 262
/// Disables all server certificate validation.
///
/// By default this is enabled.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confusing docs.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To my understanding: This functions is used to enable invalid certs. And it's disabled by default.

src/tls/mod.rs Show resolved Hide resolved
src/tls/roots.rs

#[derive(Clone, Debug)]
enum StoreImpl {
NoOp,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need docs for the difference between NoOp and Unset.

tests/tls.rs
#[test]
#[cfg_attr(not(feature = "online-tests"), ignore)]
fn accept_expired_cert() {
Request::get("https://expired.badssl.com")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, nice. It's the first time for me to know this website. Lessons learnt.

bytedream
bytedream suggested changes Nov 4, 2022
View reviewed changes
src/config/request.rs Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xuanwo Xuanwo Xuanwo left review comments

@bytedream bytedream bytedream requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@sagebind @Xuanwo @bytedream