Struct SslConnectorBuilder 

pub struct SslConnectorBuilder(/* private fields */);

A builder for SslConnectors.

Implementations

impl SslConnectorBuilder

pub fn build(self) -> SslConnector

Consumes the builder, returning an SslConnector.

Methods from Deref<Target = SslContextBuilder>

pub fn set_async_select_certificate_callback<F>(&mut self, callback: F)

where F: Fn(&mut ClientHello<'_>) -> Result<Pin<Box<dyn Future<Output = Result<Box<dyn FnOnce(ClientHello<'_>) -> Result<(), AsyncSelectCertError>>, AsyncSelectCertError>> + Send>>, AsyncSelectCertError> + Send + Sync + 'static,

Sets a callback that is called before most ClientHello processing and before the decision whether to resume a session is made. The callback may inspect the ClientHello and configure the connection.

This method uses a function that returns a future whose output is itself a closure that will be passed ClientHello to configure the connection based on the computations done in the future.

A task waker must be set on Ssl values associated with the resulting SslContext with SslRef::set_task_waker.

See SslContextBuilder::set_select_certificate_callback for the sync setter of this callback.

pub fn set_async_private_key_method( &mut self, method: impl AsyncPrivateKeyMethod, )

Configures a custom private key method on the context.

A task waker must be set on Ssl values associated with the resulting SslContext with SslRef::set_task_waker.

See AsyncPrivateKeyMethod for more details.

pub unsafe fn set_async_get_session_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, &[u8]) -> Option<Pin<Box<dyn Future<Output = Option<Box<dyn FnOnce(&mut SslRef, &[u8]) -> Option<SslSession>>>> + Send>>> + Send + Sync + 'static,

Sets a callback that is called when a client proposed to resume a session but it was not found in the internal cache.

The callback is passed a reference to the session ID provided by the client. It should return the session corresponding to that ID if available. This is only used for servers, not clients.

A task waker must be set on Ssl values associated with the resulting SslContext with SslRef::set_task_waker.

See SslContextBuilder::set_get_session_callback for the sync setter of this callback.

Safety

The returned SslSession must not be associated with a different SslContextBuilder.

pub fn set_async_custom_verify_callback<F>( &mut self, mode: SslVerifyMode, callback: F, )

where F: Fn(&mut SslRef) -> Result<Pin<Box<dyn Future<Output = Result<Box<dyn FnOnce(&mut SslRef) -> Result<(), SslAlert>>, SslAlert>> + Send>>, SslAlert> + Send + Sync + 'static,

Configures certificate verification.

The callback should return Ok(()) if the certificate is valid. If the certificate is invalid, the callback should return SslVerifyError::Invalid(alert). Some useful alerts include SslAlert::CERTIFICATE_EXPIRED, SslAlert::CERTIFICATE_REVOKED, SslAlert::UNKNOWN_CA, SslAlert::BAD_CERTIFICATE, SslAlert::CERTIFICATE_UNKNOWN, and SslAlert::INTERNAL_ERROR. See RFC 5246 section 7.2.2 for their precise meanings.

A task waker must be set on Ssl values associated with the resulting SslContext with SslRef::set_task_waker.

See SslContextBuilder::set_custom_verify_callback for the sync version of this method.

Panics

This method panics if this Ssl is associated with a RPK context.

pub fn as_ptr(&self) -> *mut ssl_ctx_st

Returns a pointer to the raw OpenSSL value.

pub fn set_cert_verify_callback<F>(&mut self, callback: F)

where F: Fn(&mut X509StoreContextRef) -> bool + 'static + Sync + Send,

Registers a certificate verification callback that replaces the default verification process.

The callback returns true if the certificate chain is valid, and false if not. A viable verification result value (either Ok(()) or an Err(X509VerifyError)) must be reflected in the error member of X509StoreContextRef, which can be done by calling X509StoreContextRef::set_error. However, the callback’s return value determines whether the chain is accepted or not.

Warning: Providing a complete verification procedure is a complex task. See https://docs.openssl.org/master/man3/SSL_CTX_set_cert_verify_callback/#notes for more information.

TODO: Add the ability to unset the callback by either adding a new function or wrapping the callback in an Option.

This corresponds to SSL_CTX_set_cert_verify_callback.

pub fn set_verify(&mut self, mode: SslVerifyMode)

Configures the certificate verification method for new connections.

This corresponds to SSL_CTX_set_verify.

pub fn set_verify_callback<F>(&mut self, mode: SslVerifyMode, callback: F)

where F: Fn(bool, &mut X509StoreContextRef) -> bool + 'static + Sync + Send,

Configures the certificate verification method for new connections and registers a verification callback.

Warning: This callback does not replace the default certificate verification process and is, instead, called multiple times in the course of that process. It is very difficult to implement this callback correctly, without inadvertently relying on implementation details or making incorrect assumptions about when the callback is called.

Instead, use SslContextBuilder::set_custom_verify_callback to customize certificate verification. Those callbacks can inspect the peer-sent chain, call X509StoreContextRef::verify_cert and inspect the result, or perform other operations more straightforwardly.

Panics

This method panics if this Ssl is associated with a RPK context.

This corresponds to SSL_CTX_set_verify.

pub fn set_custom_verify_callback<F>( &mut self, mode: SslVerifyMode, callback: F, )

where F: Fn(&mut SslRef) -> Result<(), SslVerifyError> + 'static + Sync + Send,

Configures certificate verification.

The callback should return Ok(()) if the certificate is valid. If the certificate is invalid, the callback should return SslVerifyError::Invalid(alert). Some useful alerts include SslAlert::CERTIFICATE_EXPIRED, SslAlert::CERTIFICATE_REVOKED, SslAlert::UNKNOWN_CA, SslAlert::BAD_CERTIFICATE, SslAlert::CERTIFICATE_UNKNOWN, and SslAlert::INTERNAL_ERROR. See RFC 5246 section 7.2.2 for their precise meanings.

To verify a certificate asynchronously, the callback may return Err(SslVerifyError::Retry). The handshake will then pause with an error with code ErrorCode::WANT_CERTIFICATE_VERIFY.

Panics

This method panics if this Ssl is associated with a RPK context.

This corresponds to SSL_CTX_set_custom_verify.

pub fn set_servername_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, &mut SslAlert) -> Result<(), SniError> + 'static + Sync + Send,

Configures the server name indication (SNI) callback for new connections.

SNI is used to allow a single server to handle requests for multiple domains, each of which has its own certificate chain and configuration.

Obtain the server name with the servername method and then set the corresponding context with set_ssl_context

This corresponds to SSL_CTX_set_tlsext_servername_callback.

pub unsafe fn set_ticket_key_callback<F>(&mut self, callback: F)

where F: Fn(&SslRef, &mut [u8; 16], &mut [u8; 16], &mut CipherCtxRef, &mut HmacCtxRef, bool) -> TicketKeyCallbackResult + 'static + Sync + Send,

Configures a custom session ticket key callback for session resumption.

Session Resumption uses the security context (aka. session tickets) of a previous connection to establish a new connection via an abbreviated handshake. Skipping portions of a handshake can potentially yield performance gains.

An attacker that compromises a server’s session ticket key can impersonate the server and, prior to TLS 1.3, retroactively decrypt all application traffic from sessions using that ticket key. Thus ticket keys must be regularly rotated for forward secrecy.

CipherCtx and HmacCtx are guaranteed to be initialized.

Panics

This method panics if this Ssl is associated with a RPK context.

Safety

The application is responsible for correctly setting the key_name, iv, encryption context and hmac context. See the SSL_CTX_set_tlsext_ticket_key_cb docs for additional info.

This corresponds to SSL_CTX_set_tlsext_ticket_key_cb.

pub fn set_verify_depth(&mut self, depth: u32)

Sets the certificate verification depth.

If the peer’s certificate chain is longer than this value, verification will fail.

This corresponds to SSL_CTX_set_verify_depth.

pub fn set_verify_cert_store( &mut self, cert_store: X509Store, ) -> Result<(), ErrorStack>

Sets a custom certificate store for verifying peer certificates.

This corresponds to SSL_CTX_set0_verify_cert_store.

pub fn set_cert_store(&mut self, cert_store: X509Store)

👎Deprecated: Use set_cert_store_builder or set_cert_store_ref instead

Use [set_cert_store_builder] or [set_cert_store_ref] instead.

Replaces the context’s certificate store.

This corresponds to SSL_CTX_set_cert_store.

pub fn set_cert_store_builder(&mut self, cert_store: X509StoreBuilder)

This corresponds to SSL_CTX_set_cert_store.

pub fn set_cert_store_ref(&mut self, cert_store: &X509Store)

Replaces the context’s certificate store, and keeps it immutable.

This method allows sharing the X509Store, but calls to cert_store_mut will panic.

This corresponds to SSL_CTX_set_cert_store.

pub fn set_read_ahead(&mut self, read_ahead: bool)

Controls read ahead behavior.

If enabled, OpenSSL will read as much data as is available from the underlying stream, instead of a single record at a time.

It has no effect when used with DTLS.

This corresponds to SSL_CTX_set_read_ahead.

pub fn set_mode(&mut self, mode: SslMode) -> SslMode

Sets the mode used by the context, returning the new bit-mask after adding mode.

This corresponds to SSL_CTX_set_mode.

pub fn set_tmp_dh(&mut self, dh: &DhRef<Params>) -> Result<(), ErrorStack>

Sets the parameters to be used during ephemeral Diffie-Hellman key exchange.

This corresponds to SSL_CTX_set_tmp_dh.

pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef<Params>) -> Result<(), ErrorStack>

Sets the parameters to be used during ephemeral elliptic curve Diffie-Hellman key exchange.

This corresponds to SSL_CTX_set_tmp_ecdh.

pub fn set_default_verify_paths(&mut self) -> Result<(), ErrorStack>

Use the default locations of trusted certificates for verification.

These locations are read from the SSL_CERT_FILE and SSL_CERT_DIR environment variables if present, or defaults specified at OpenSSL build time otherwise.

This corresponds to SSL_CTX_set_default_verify_paths.

pub fn set_ca_file<P>(&mut self, file: P) -> Result<(), ErrorStack>

where P: AsRef<Path>,

Loads trusted root certificates from a file.

The file should contain a sequence of PEM-formatted CA certificates.

This corresponds to SSL_CTX_load_verify_locations.

pub fn set_client_ca_list(&mut self, list: Stack<X509Name>)

Sets the list of CA names sent to the client.

The CA certificates must still be added to the trust root - they are not automatically set as trusted by this method.

This corresponds to SSL_CTX_set_client_CA_list.

pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack>

Add the provided CA certificate to the list sent by the server to the client when requesting client-side TLS authentication.

This corresponds to SSL_CTX_add_client_CA.

pub fn set_session_id_context( &mut self, sid_ctx: &[u8], ) -> Result<(), ErrorStack>

Set the context identifier for sessions.

This value identifies the server’s session cache to clients, telling them when they’re able to reuse sessions. It should be set to a unique value per server, unless multiple servers share a session cache.

This value should be set when using client certificates, or each request will fail its handshake and need to be restarted.

This corresponds to SSL_CTX_set_session_id_context.

pub fn set_certificate_file<P>( &mut self, file: P, file_type: SslFiletype, ) -> Result<(), ErrorStack>

where P: AsRef<Path>,

Loads a leaf certificate from a file.

Only a single certificate will be loaded - use add_extra_chain_cert to add the remainder of the certificate chain, or set_certificate_chain_file to load the entire chain from a single file.

This corresponds to SSL_CTX_use_certificate_file.

pub fn set_certificate_chain_file<P>( &mut self, file: P, ) -> Result<(), ErrorStack>

where P: AsRef<Path>,

Loads a certificate chain from a file.

The file should contain a sequence of PEM-formatted certificates, the first being the leaf certificate, and the remainder forming the chain of certificates up to and including the trusted root certificate.

This corresponds to SSL_CTX_use_certificate_chain_file.

pub fn set_certificate(&mut self, cert: &X509Ref) -> Result<(), ErrorStack>

Sets the leaf certificate.

Use add_extra_chain_cert to add the remainder of the certificate chain.

This corresponds to SSL_CTX_use_certificate.

pub fn add_extra_chain_cert(&mut self, cert: X509) -> Result<(), ErrorStack>

Appends a certificate to the certificate chain.

This chain should contain all certificates necessary to go from the certificate specified by set_certificate to a trusted root.

This corresponds to SSL_CTX_add_extra_chain_cert.

pub fn set_private_key_file<P>( &mut self, file: P, file_type: SslFiletype, ) -> Result<(), ErrorStack>

where P: AsRef<Path>,

Loads the private key from a file.

This corresponds to SSL_CTX_use_PrivateKey_file.

pub fn set_private_key<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>

where T: HasPrivate,

Sets the private key.

This corresponds to SSL_CTX_use_PrivateKey.

pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack>

Sets the list of supported ciphers for protocols before TLSv1.3.

The set_ciphersuites method controls the cipher suites for TLSv1.3 in OpenSSL. BoringSSL doesn’t implement set_ciphersuites. See https://github.com/google/boringssl/blob/master/include/openssl/ssl.h#L1542-L1544

See ciphers for details on the format.

This corresponds to SSL_CTX_set_cipher_list.

pub fn set_raw_cipher_list( &mut self, cipher_list: &[u16], ) -> Result<(), ErrorStack>

Sets the raw list of ciphers, regardless if they are supported or not.

Use [set_cipher_list] if you want to play safe instead and do not control the exact cipher list.

This corresponds to RAMA_SSL_CTX_set_raw_cipher_list.

pub fn ciphers(&self) -> Option<&StackRef<SslCipher>>

Gets the list of supported ciphers for protocols before TLSv1.3.

See ciphers for details on the format

This corresponds to SSL_CTX_get_ciphers.

pub fn set_options(&mut self, option: SslOptions) -> SslOptions

Sets the options used by the context, returning the old set.

Note

This enables the specified options, but does not disable unspecified options. Use clear_options for that.

This corresponds to SSL_CTX_set_options.

pub fn options(&self) -> SslOptions

Returns the options used by the context.

This corresponds to SSL_CTX_get_options.

pub fn clear_options(&mut self, option: SslOptions) -> SslOptions

Clears the options used by the context, returning the old set.

This corresponds to SSL_CTX_clear_options.

pub fn set_min_proto_version( &mut self, version: Option<SslVersion>, ) -> Result<(), ErrorStack>

Sets the minimum supported protocol version.

If version is None, the default minimum version is used. For BoringSSL this defaults to TLS 1.0.

This corresponds to SSL_CTX_set_min_proto_version.

pub fn set_max_proto_version( &mut self, version: Option<SslVersion>, ) -> Result<(), ErrorStack>

Sets the maximum supported protocol version.

If version is None, the default maximum version is used. For BoringSSL this is TLS 1.3.

This corresponds to SSL_CTX_set_max_proto_version.

pub fn min_proto_version(&mut self) -> Option<SslVersion>

Gets the minimum supported protocol version.

This corresponds to SSL_CTX_get_min_proto_version.

pub fn max_proto_version(&mut self) -> Option<SslVersion>

Gets the maximum supported protocol version.

This corresponds to SSL_CTX_get_max_proto_version.

pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack>

Sets the protocols to sent to the server for Application Layer Protocol Negotiation (ALPN).

The input must be in ALPN “wire format”. It consists of a sequence of supported protocol names prefixed by their byte length. For example, the protocol list consisting of spdy/1 and http/1.1 is encoded as b"\x06spdy/1\x08http/1.1". The protocols are ordered by preference.

This corresponds to SSL_CTX_set_alpn_protos.

pub fn set_tlsext_use_srtp(&mut self, protocols: &str) -> Result<(), ErrorStack>

Enables the DTLS extension “use_srtp” as defined in RFC5764.

This corresponds to SSL_CTX_set_tlsext_use_srtp.

pub fn set_alpn_select_callback<F>(&mut self, callback: F)

where F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError> + 'static + Sync + Send,

Sets the callback used by a server to select a protocol for Application Layer Protocol Negotiation (ALPN).

The callback is provided with the client’s protocol list in ALPN wire format. See the documentation for SslContextBuilder::set_alpn_protos for details. It should return one of those protocols on success. The select_next_proto function implements the standard protocol selection algorithm.

This corresponds to SSL_CTX_set_alpn_select_cb.

pub fn set_select_certificate_callback<F>(&mut self, callback: F)

where F: Fn(ClientHello<'_>) -> Result<(), SelectCertError> + Sync + Send + 'static,

Sets a callback that is called before most ClientHello processing and before the decision whether to resume a session is made. The callback may inspect the ClientHello and configure the connection.

This corresponds to SSL_CTX_set_select_certificate_cb.

pub fn add_certificate_compression_algorithm<C>( &mut self, compressor: C, ) -> Result<(), ErrorStack>

where C: CertificateCompressor,

Registers a certificate compression algorithm.

This corresponds to SSL_CTX_add_cert_compression_alg.

pub fn set_private_key_method<M>(&mut self, method: M)

where M: PrivateKeyMethod,

Configures a custom private key method on the context.

See PrivateKeyMethod for more details.

This corresponds to SSL_CTX_set_private_key_method.

pub fn check_private_key(&self) -> Result<(), ErrorStack>

Checks for consistency between the private key and certificate.

This corresponds to SSL_CTX_check_private_key.

pub fn cert_store(&self) -> &X509StoreBuilderRef

Returns a shared reference to the context’s certificate store.

This corresponds to SSL_CTX_get_cert_store.

pub fn cert_store_mut(&mut self) -> &mut X509StoreBuilderRef

Returns a mutable reference to the context’s certificate store.

Newly-created SslContextBuilder will have its own default mutable store.

Panics

If a shared store has been set via Self::set_cert_store_ref.

This corresponds to SSL_CTX_get_cert_store.

pub fn set_status_callback<F>(&mut self, callback: F) -> Result<(), ErrorStack>

where F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + 'static + Sync + Send,

Sets the callback dealing with OCSP stapling.

On the client side, this callback is responsible for validating the OCSP status response returned by the server. The status may be retrieved with the SslRef::ocsp_status method. A response of Ok(true) indicates that the OCSP status is valid, and a response of Ok(false) indicates that the OCSP status is invalid and the handshake should be terminated.

On the server side, this callback is resopnsible for setting the OCSP status response to be returned to clients. The status may be set with the SslRef::set_ocsp_status method. A response of Ok(true) indicates that the OCSP status should be returned to the client, and Ok(false) indicates that the status should not be returned to the client.

This corresponds to SSL_CTX_set_tlsext_status_cb.

pub fn set_psk_client_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack> + 'static + Sync + Send,

Sets the callback for providing an identity and pre-shared key for a TLS-PSK client.

The callback will be called with the SSL context, an identity hint if one was provided by the server, a mutable slice for each of the identity and pre-shared key bytes. The identity must be written as a null-terminated C string.

This corresponds to SSL_CTX_set_psk_client_callback.

pub fn set_psk_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack> + 'static + Sync + Send,

👎Deprecated since 0.10.10: renamed to set_psk_client_callback

pub fn set_psk_server_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8]) -> Result<usize, ErrorStack> + 'static + Sync + Send,

Sets the callback for providing an identity and pre-shared key for a TLS-PSK server.

The callback will be called with the SSL context, an identity provided by the client, and, a mutable slice for the pre-shared key bytes. The callback returns the number of bytes in the pre-shared key.

This corresponds to SSL_CTX_set_psk_server_callback.

pub fn set_new_session_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, SslSession) + 'static + Sync + Send,

Sets the callback which is called when new sessions are negotiated.

This can be used by clients to implement session caching. While in TLSv1.2 the session is available to access via SslRef::session immediately after the handshake completes, this is not the case for TLSv1.3. There, a session is not generally available immediately, and the server may provide multiple session tokens to the client over a single session. The new session callback is a portable way to deal with both cases.

Note that session caching must be enabled for the callback to be invoked, and it defaults off for clients. set_session_cache_mode controls that behavior.

This corresponds to SSL_CTX_sess_set_new_cb.

pub fn set_remove_session_callback<F>(&mut self, callback: F)

where F: Fn(&SslContextRef, &SslSessionRef) + 'static + Sync + Send,

Sets the callback which is called when sessions are removed from the context.

Sessions can be removed because they have timed out or because they are considered faulty.

This corresponds to SSL_CTX_sess_set_remove_cb.

pub unsafe fn set_get_session_callback<F>(&mut self, callback: F)

where F: Fn(&mut SslRef, &[u8]) -> Result<Option<SslSession>, GetSessionPendingError> + 'static + Sync + Send,

Sets the callback which is called when a client proposed to resume a session but it was not found in the internal cache.

The callback is passed a reference to the session ID provided by the client. It should return the session corresponding to that ID if available. This is only used for servers, not clients.

Safety

The returned SslSession must not be associated with a different SslContext.

This corresponds to SSL_CTX_sess_set_get_cb.

pub fn set_keylog_callback<F>(&mut self, callback: F)

where F: Fn(&SslRef, &str) + 'static + Sync + Send,

Sets the TLS key logging callback.

The callback is invoked whenever TLS key material is generated, and is passed a line of NSS SSLKEYLOGFILE-formatted text. This can be used by tools like Wireshark to decrypt message traffic. The line does not contain a trailing newline.

This corresponds to SSL_CTX_set_keylog_callback.

pub fn set_session_cache_mode( &mut self, mode: SslSessionCacheMode, ) -> SslSessionCacheMode

Sets the session caching mode use for connections made with the context.

Returns the previous session caching mode.

This corresponds to SSL_CTX_set_session_cache_mode.

pub fn set_ex_data<T>(&mut self, index: Index<SslContext, T>, data: T)

Sets the extra data at the specified index.

This can be used to provide data to callbacks registered with the context. Use the SslContext::new_ex_index method to create an Index.

Note that if this method is called multiple times with the same index, any previous value stored in the SslContextBuilder will be leaked.

This corresponds to SSL_CTX_set_ex_data.

pub fn replace_ex_data<T>( &mut self, index: Index<SslContext, T>, data: T, ) -> Option<T>

Sets or overwrites the extra data at the specified index.

This can be used to provide data to callbacks registered with the context. Use the Ssl::new_ex_index method to create an Index.

Any previous value will be returned and replaced by the new one.

This corresponds to SSL_CTX_set_ex_data.

pub fn set_session_cache_size(&mut self, size: u32) -> u64

Sets the context’s session cache size limit, returning the previous limit.

A value of 0 means that the cache size is unbounded.

This corresponds to SSL_CTX_sess_set_cache_size.

pub fn set_sigalgs_list(&mut self, sigalgs: &str) -> Result<(), ErrorStack>

Sets the context’s supported signature algorithms.

This corresponds to SSL_CTX_set1_sigalgs_list.

pub fn set_grease_enabled(&mut self, enabled: bool)

Set’s whether the context should enable GREASE.

This corresponds to SSL_CTX_set_grease_enabled.

pub fn set_permute_extensions(&mut self, enabled: bool)

Configures whether ClientHello extensions should be permuted.

This corresponds to SSL_CTX_set_permute_extensions.

pub fn set_extension_order(&mut self, ids: &[u16]) -> Result<(), ErrorStack>

Configures whether ClientHello extensions should be in the provided order.

This corresponds to RAMA_SSL_CTX_set_extension_order.

pub fn set_verify_algorithm_prefs( &mut self, prefs: &[SslSignatureAlgorithm], ) -> Result<(), ErrorStack>

Sets the context’s supported signature verification algorithms.

This corresponds to SSL_CTX_set_verify_algorithm_prefs.

pub fn enable_signed_cert_timestamps(&mut self)

Enables SCT requests on all client SSL handshakes.

This corresponds to SSL_CTX_enable_signed_cert_timestamps.

pub fn enable_ocsp_stapling(&mut self)

Enables OCSP stapling on all client SSL handshakes.

This corresponds to SSL_CTX_enable_ocsp_stapling.

pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack>

Sets the context’s supported curves.

This corresponds to SSL_CTX_set1_curves_list.

pub fn set_curves(&mut self, curves: &[SslCurve]) -> Result<(), ErrorStack>

Sets the context’s supported curves.

This corresponds to SSL_CTX_set1_curves.

pub fn set_compliance_policy( &mut self, policy: CompliancePolicy, ) -> Result<(), ErrorStack>

Sets the context’s compliance policy.

This feature isn’t available in the certified version of BoringSSL.

This corresponds to SSL_CTX_set_compliance_policy.

pub fn set_info_callback<F>(&mut self, callback: F)

where F: Fn(&SslRef, SslInfoCallbackMode, SslInfoCallbackValue) + Send + Sync + 'static,

Sets the context’s info callback.

This corresponds to SSL_CTX_set_info_callback.

pub fn set_ech_keys(&self, keys: &SslEchKeys) -> Result<(), ErrorStack>

Registers a list of ECH keys on the context. This list should contain new and old ECHConfigs to allow stale DNS caches to update. Unlike most SSL_CTX APIs, this function is safe to call even after the SSL_CTX has been associated with connections on various threads.

This corresponds to SSL_CTX_set1_ech_keys.

Trait Implementations

impl Deref for SslConnectorBuilder

type Target = SslContextBuilder

The resulting type after dereferencing.

fn deref(&self) -> &SslContextBuilder

Dereferences the value.

impl DerefMut for SslConnectorBuilder

fn deref_mut(&mut self) -> &mut SslContextBuilder

Mutably dereferences the value.