Struct ClientConfig
pub struct ClientConfig {Show 13 fields
pub alpn_protocols: Vec<Vec<u8>>,
pub resumption: Resumption,
pub max_fragment_size: Option<usize>,
pub client_auth_cert_resolver: Arc<dyn ResolvesClientCert>,
pub enable_sni: bool,
pub key_log: Arc<dyn KeyLog>,
pub enable_secret_extraction: bool,
pub enable_early_data: bool,
pub require_ems: bool,
pub time_provider: Arc<dyn TimeProvider>,
pub cert_decompressors: Vec<&'static dyn CertDecompressor>,
pub cert_compressors: Vec<&'static dyn CertCompressor>,
pub cert_compression_cache: Arc<CompressionCache>,
/* private fields */
}
Expand description
Common configuration for (typically) all connections made by a program.
Making one of these is cheap, though one of the inputs may be expensive: gathering trust roots
from the operating system to add to the RootCertStore
passed to with_root_certificates()
(the rustls-native-certs crate is often used for this) may take on the order of a few hundred
milliseconds.
These must be created via the ClientConfig::builder()
or ClientConfig::builder_with_provider()
function.
Note that using ConfigBuilder<ClientConfig, WantsVersions>::with_ech()
will produce a common
configuration specific to the provided crate::client::EchConfig
that may not be appropriate
for all connections made by the program. In this case the configuration should only be shared
by connections intended for domains that offer the provided crate::client::EchConfig
in
their DNS zone.
§Defaults
ClientConfig::max_fragment_size
: the default isNone
(meaning 16kB).ClientConfig::resumption
: supports resumption with up to 256 server names, using session ids or tickets, with a max of eight tickets per server.ClientConfig::alpn_protocols
: the default is empty – no ALPN protocol is negotiated.ClientConfig::key_log
: key material is not logged.ClientConfig::cert_decompressors
: depends on the crate features, seecompress::default_cert_decompressors()
.ClientConfig::cert_compressors
: depends on the crate features, seecompress::default_cert_compressors()
.ClientConfig::cert_compression_cache
: caches the most recently used 4 compressions
Fields§
§alpn_protocols: Vec<Vec<u8>>
Which ALPN protocols we include in our client hello. If empty, no ALPN extension is sent.
resumption: Resumption
How and when the client can resume a previous session.
max_fragment_size: Option<usize>
The maximum size of plaintext input to be emitted in a single TLS record. A value of None is equivalent to the TLS maximum of 16 kB.
rustls enforces an arbitrary minimum of 32 bytes for this field. Out of range values are reported as errors from ClientConnection::new.
Setting this value to a little less than the TCP MSS may improve latency for stream-y workloads.
client_auth_cert_resolver: Arc<dyn ResolvesClientCert>
How to decide what client auth certificate/keys to use.
enable_sni: bool
Whether to send the Server Name Indication (SNI) extension during the client handshake.
The default is true.
key_log: Arc<dyn KeyLog>
How to output key material for debugging. The default does nothing.
enable_secret_extraction: bool
Allows traffic secrets to be extracted after the handshake, e.g. for kTLS setup.
enable_early_data: bool
Whether to send data on the first flight (“early data”) in TLS 1.3 handshakes.
The default is false.
require_ems: bool
If set to true
, requires the server to support the extended
master secret extraction method defined in RFC 7627.
The default is true
if the fips
crate feature is enabled,
false
otherwise.
It must be set to true
to meet FIPS requirement mentioned in section
D.Q Transition of the TLS 1.2 KDF to Support the Extended Master
Secret from FIPS 140-3 IG.pdf.
time_provider: Arc<dyn TimeProvider>
Provides the current system time
cert_decompressors: Vec<&'static dyn CertDecompressor>
How to decompress the server’s certificate chain.
If this is non-empty, the RFC8779 certificate compression extension is offered, and any compressed certificates are transparently decompressed during the handshake.
This only applies to TLS1.3 connections. It is ignored for TLS1.2 connections.
cert_compressors: Vec<&'static dyn CertCompressor>
How to compress the client’s certificate chain.
If a server supports this extension, and advertises support for one of the compression algorithms included here, the client certificate will be compressed according to RFC8779.
This only applies to TLS1.3 connections. It is ignored for TLS1.2 connections.
cert_compression_cache: Arc<CompressionCache>
Caching for compressed certificates.
This is optional: compress::CompressionCache::Disabled
gives
a cache that does no caching.
Implementations§
§impl ClientConfig
impl ClientConfig
pub fn builder() -> ConfigBuilder<ClientConfig, WantsVerifier>
pub fn builder() -> ConfigBuilder<ClientConfig, WantsVerifier>
Create a builder for a client configuration with
the process-default CryptoProvider
and safe protocol version defaults.
For more information, see the ConfigBuilder
documentation.
pub fn builder_with_protocol_versions(
versions: &[&'static SupportedProtocolVersion],
) -> ConfigBuilder<ClientConfig, WantsVerifier>
pub fn builder_with_protocol_versions( versions: &[&'static SupportedProtocolVersion], ) -> ConfigBuilder<ClientConfig, WantsVerifier>
Create a builder for a client configuration with
the process-default CryptoProvider
and the provided protocol versions.
Panics if
- the supported versions are not compatible with the provider (eg. the combination of ciphersuites supported by the provider and supported versions lead to zero cipher suites being usable),
- if a
CryptoProvider
cannot be resolved using a combination of the crate features and process default.
For more information, see the ConfigBuilder
documentation.
pub fn builder_with_provider(
provider: Arc<CryptoProvider>,
) -> ConfigBuilder<ClientConfig, WantsVersions>
pub fn builder_with_provider( provider: Arc<CryptoProvider>, ) -> ConfigBuilder<ClientConfig, WantsVersions>
Create a builder for a client configuration with a specific CryptoProvider
.
This will use the provider’s configured ciphersuites. You must additionally choose
which protocol versions to enable, using with_protocol_versions
or
with_safe_default_protocol_versions
and handling the Result
in case a protocol
version is not supported by the provider’s ciphersuites.
For more information, see the ConfigBuilder
documentation.
pub fn builder_with_details(
provider: Arc<CryptoProvider>,
time_provider: Arc<dyn TimeProvider>,
) -> ConfigBuilder<ClientConfig, WantsVersions>
pub fn builder_with_details( provider: Arc<CryptoProvider>, time_provider: Arc<dyn TimeProvider>, ) -> ConfigBuilder<ClientConfig, WantsVersions>
Create a builder for a client configuration with no default implementation details.
This API must be used by no_std
users.
You must provide a specific TimeProvider
.
You must provide a specific CryptoProvider
.
This will use the provider’s configured ciphersuites. You must additionally choose
which protocol versions to enable, using with_protocol_versions
or
with_safe_default_protocol_versions
and handling the Result
in case a protocol
version is not supported by the provider’s ciphersuites.
For more information, see the ConfigBuilder
documentation.
pub fn fips(&self) -> bool
pub fn fips(&self) -> bool
Return true if connections made with this ClientConfig
will
operate in FIPS mode.
This is different from CryptoProvider::fips()
: CryptoProvider::fips()
is concerned only with cryptography, whereas this also covers TLS-level
configuration that NIST recommends, as well as ECH HPKE suites if applicable.
pub fn crypto_provider(&self) -> &Arc<CryptoProvider>
pub fn crypto_provider(&self) -> &Arc<CryptoProvider>
Return the crypto provider used to construct this client configuration.
pub fn dangerous(&mut self) -> DangerousClientConfig<'_>
pub fn dangerous(&mut self) -> DangerousClientConfig<'_>
Access configuration options whose use is dangerous and requires extra care.
Trait Implementations§
§impl Clone for ClientConfig
impl Clone for ClientConfig
§fn clone(&self) -> ClientConfig
fn clone(&self) -> ClientConfig
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read more§impl Debug for ClientConfig
impl Debug for ClientConfig
impl ConfigSide for ClientConfig
Auto Trait Implementations§
impl Freeze for ClientConfig
impl !RefUnwindSafe for ClientConfig
impl Send for ClientConfig
impl Sync for ClientConfig
impl Unpin for ClientConfig
impl !UnwindSafe for ClientConfig
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§unsafe fn clone_to_uninit(&self, dst: *mut T)
unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)§impl<T> Conv for T
impl<T> Conv for T
§impl<T> FmtForward for T
impl<T> FmtForward for T
§fn fmt_binary(self) -> FmtBinary<Self>where
Self: Binary,
fn fmt_binary(self) -> FmtBinary<Self>where
Self: Binary,
self
to use its Binary
implementation when Debug
-formatted.§fn fmt_display(self) -> FmtDisplay<Self>where
Self: Display,
fn fmt_display(self) -> FmtDisplay<Self>where
Self: Display,
self
to use its Display
implementation when
Debug
-formatted.§fn fmt_lower_exp(self) -> FmtLowerExp<Self>where
Self: LowerExp,
fn fmt_lower_exp(self) -> FmtLowerExp<Self>where
Self: LowerExp,
self
to use its LowerExp
implementation when
Debug
-formatted.§fn fmt_lower_hex(self) -> FmtLowerHex<Self>where
Self: LowerHex,
fn fmt_lower_hex(self) -> FmtLowerHex<Self>where
Self: LowerHex,
self
to use its LowerHex
implementation when
Debug
-formatted.§fn fmt_octal(self) -> FmtOctal<Self>where
Self: Octal,
fn fmt_octal(self) -> FmtOctal<Self>where
Self: Octal,
self
to use its Octal
implementation when Debug
-formatted.§fn fmt_pointer(self) -> FmtPointer<Self>where
Self: Pointer,
fn fmt_pointer(self) -> FmtPointer<Self>where
Self: Pointer,
self
to use its Pointer
implementation when
Debug
-formatted.§fn fmt_upper_exp(self) -> FmtUpperExp<Self>where
Self: UpperExp,
fn fmt_upper_exp(self) -> FmtUpperExp<Self>where
Self: UpperExp,
self
to use its UpperExp
implementation when
Debug
-formatted.§fn fmt_upper_hex(self) -> FmtUpperHex<Self>where
Self: UpperHex,
fn fmt_upper_hex(self) -> FmtUpperHex<Self>where
Self: UpperHex,
self
to use its UpperHex
implementation when
Debug
-formatted.§fn fmt_list(self) -> FmtList<Self>where
&'a Self: for<'a> IntoIterator,
fn fmt_list(self) -> FmtList<Self>where
&'a Self: for<'a> IntoIterator,
§impl<T> FutureExt for T
impl<T> FutureExt for T
§fn with_context(self, otel_cx: Context) -> WithContext<Self> ⓘ
fn with_context(self, otel_cx: Context) -> WithContext<Self> ⓘ
§fn with_current_context(self) -> WithContext<Self> ⓘ
fn with_current_context(self) -> WithContext<Self> ⓘ
§impl<T> Instrument for T
impl<T> Instrument for T
§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
source§impl<T> IntoEither for T
impl<T> IntoEither for T
source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left
is true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read moresource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left(&self)
returns true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read more§impl<T> Pipe for Twhere
T: ?Sized,
impl<T> Pipe for Twhere
T: ?Sized,
§fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> Rwhere
Self: Sized,
fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> Rwhere
Self: Sized,
§fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> Rwhere
R: 'a,
fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> Rwhere
R: 'a,
self
and passes that borrow into the pipe function. Read more§fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> Rwhere
R: 'a,
fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> Rwhere
R: 'a,
self
and passes that borrow into the pipe function. Read more§fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> R
fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> R
§fn pipe_borrow_mut<'a, B, R>(
&'a mut self,
func: impl FnOnce(&'a mut B) -> R,
) -> R
fn pipe_borrow_mut<'a, B, R>( &'a mut self, func: impl FnOnce(&'a mut B) -> R, ) -> R
§fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> R
fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> R
self
, then passes self.as_ref()
into the pipe function.§fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> R
fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> R
self
, then passes self.as_mut()
into the pipe
function.§fn pipe_deref<'a, T, R>(&'a self, func: impl FnOnce(&'a T) -> R) -> R
fn pipe_deref<'a, T, R>(&'a self, func: impl FnOnce(&'a T) -> R) -> R
self
, then passes self.deref()
into the pipe function.§impl<T> Pointable for T
impl<T> Pointable for T
§impl<T> PolicyExt for Twhere
T: ?Sized,
impl<T> PolicyExt for Twhere
T: ?Sized,
§fn and<S, P, B, E>(self, other: P) -> And<T, P>
fn and<S, P, B, E>(self, other: P) -> And<T, P>
Policy
that returns Action::Follow
only if self
and other
return
Action::Follow
. Read more§impl<T> Tap for T
impl<T> Tap for T
§fn tap_borrow<B>(self, func: impl FnOnce(&B)) -> Self
fn tap_borrow<B>(self, func: impl FnOnce(&B)) -> Self
Borrow<B>
of a value. Read more§fn tap_borrow_mut<B>(self, func: impl FnOnce(&mut B)) -> Self
fn tap_borrow_mut<B>(self, func: impl FnOnce(&mut B)) -> Self
BorrowMut<B>
of a value. Read more§fn tap_ref<R>(self, func: impl FnOnce(&R)) -> Self
fn tap_ref<R>(self, func: impl FnOnce(&R)) -> Self
AsRef<R>
view of a value. Read more§fn tap_ref_mut<R>(self, func: impl FnOnce(&mut R)) -> Self
fn tap_ref_mut<R>(self, func: impl FnOnce(&mut R)) -> Self
AsMut<R>
view of a value. Read more§fn tap_deref<T>(self, func: impl FnOnce(&T)) -> Self
fn tap_deref<T>(self, func: impl FnOnce(&T)) -> Self
Deref::Target
of a value. Read more§fn tap_deref_mut<T>(self, func: impl FnOnce(&mut T)) -> Self
fn tap_deref_mut<T>(self, func: impl FnOnce(&mut T)) -> Self
Deref::Target
of a value. Read more§fn tap_dbg(self, func: impl FnOnce(&Self)) -> Self
fn tap_dbg(self, func: impl FnOnce(&Self)) -> Self
.tap()
only in debug builds, and is erased in release builds.§fn tap_mut_dbg(self, func: impl FnOnce(&mut Self)) -> Self
fn tap_mut_dbg(self, func: impl FnOnce(&mut Self)) -> Self
.tap_mut()
only in debug builds, and is erased in release
builds.§fn tap_borrow_dbg<B>(self, func: impl FnOnce(&B)) -> Self
fn tap_borrow_dbg<B>(self, func: impl FnOnce(&B)) -> Self
.tap_borrow()
only in debug builds, and is erased in release
builds.§fn tap_borrow_mut_dbg<B>(self, func: impl FnOnce(&mut B)) -> Self
fn tap_borrow_mut_dbg<B>(self, func: impl FnOnce(&mut B)) -> Self
.tap_borrow_mut()
only in debug builds, and is erased in release
builds.§fn tap_ref_dbg<R>(self, func: impl FnOnce(&R)) -> Self
fn tap_ref_dbg<R>(self, func: impl FnOnce(&R)) -> Self
.tap_ref()
only in debug builds, and is erased in release
builds.§fn tap_ref_mut_dbg<R>(self, func: impl FnOnce(&mut R)) -> Self
fn tap_ref_mut_dbg<R>(self, func: impl FnOnce(&mut R)) -> Self
.tap_ref_mut()
only in debug builds, and is erased in release
builds.§fn tap_deref_dbg<T>(self, func: impl FnOnce(&T)) -> Self
fn tap_deref_dbg<T>(self, func: impl FnOnce(&T)) -> Self
.tap_deref()
only in debug builds, and is erased in release
builds.