feat(rustls): implement TlsAcceptCallbacks support for rustls backend#833
Open
jsulmont wants to merge 5 commits into cloudflare:main from
Conversation
TlsSettings::with_callbacks() was previously unimplemented and returned an error. This change adds full callback support to the rustls TLS path:
- TlsRef now carries peer certificates and cipher suite name
- TlsStream::build_tls_ref() extracts session state after handshake
- handshake_with_callback() passes populated TlsRef to callbacks
- Added set_certificate_chain_file/set_private_key_file setters
- Added test_handshake_complete_callback integration test
added 4 commits on March 6, 2026 16:10
…nSSL backend with_single_cert() runs webpki validation on the server's own certificate chain, rejecting certs with unrecognized critical extensions. Replace with CertifiedKey::new() + with_cert_resolver() which loads the cert+key without upfront validation, matching how the OpenSSL backend behaves. Also re-exports sign::CertifiedKey, ResolvesServerCert, and ClientHello from pingora-rustls for downstream use.
Add ConnectorOptions::server_cert_verifier to allow users to provide a custom rustls ServerCertVerifier for upstream connections. When set, the connector bypasses webpki for CA loading, server cert validation, and client cert validation — all three of which reject certificates with unrecognized critical extensions.
Changes:
- ConnectorOptions: add server_cert_verifier field (rustls feature-gated)
- TlsConnector: use dangerous().with_custom_certificate_verifier() and with_client_cert_resolver() when custom verifier is provided
- CustomServerCertVerifier: generalize delegate from WebPkiServerVerifier to dyn ServerCertVerifier for use with custom verifiers
- ProxyServiceBuilder: add connector_options() builder method to override the default ConnectorOptions derived from ServerConf
- pingora-rustls: re-export ResolvesClientCert and sign module
…rt paths in build()
Contributor
I think this is a great PR, and I would like to accept it. As contributors to this project have (unfortunately) realized, we are slow on reviews and ingestion, and extra slow when things are included that relate to parts of pingora that we don't use internally (like rustls or s2n integration). To help with that, I am hoping that we can find someone or organization that is willing to be a trusted reviewer for rustls-related PRs. (Hence the help-wanted label). If you or someone you know would like to volunteer to take that on, let us know here. We (and the other rustls pingorians) would appreciate it. cc @hargut
Summary
- `TlsSettings::with_callbacks()` — previously returned an error ("Certificate callbacks are not supported with feature rustls"). Now accepts a `TlsAcceptCallbacks` and threads it through to `Acceptor` and the handshake path.
- `TlsRef` — extended from an empty struct to carry peer certificate chain (`Vec<CertificateDer>`) and negotiated cipher suite name, with public accessors: `peer_certificate_der()`, `peer_cert_chain_der()`, `current_cipher_name()`
- `TlsStream::build_tls_ref()` — extracts connection state from the underlying rustls session after handshake completes
- `handshake_with_callback()` — now builds a populated `TlsRef` and passes it to the callback, matching the OpenSSL/BoringSSL path's behavior
- `set_certificate_chain_file()` / `set_private_key_file()` builder methods on `TlsSettings` for use with the callbacks constructor
- `test_handshake_complete_callback` integration test

Motivation
This enables downstream projects to use mTLS peer certificate inspection in post-handshake callbacks when using the `rustls` feature, which previously only worked with the OpenSSL/BoringSSL backend.

Test plan
- cargo check -p pingora-core --features rustls
- cargo clippy -p pingora-core --features rustls --tests
- cargo fmt -p pingora-core -- --check
- cargo test -p pingora-core --features rustls -- server::tests::test_handshake_complete_callback
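As an added example (not code from this PR or from pingora), the kind of policy a post-handshake callback could apply to the peer data the extended `TlsRef` exposes. The `TlsRef` below is a stand-in that only borrows the accessor names from the PR; its fields, the DER bytes and the cipher-name spellings are assumptions.

```rust
/// Stand-in for the `TlsRef` this PR extends. Assumption: only the accessor
/// names come from the PR text; fields and values here are constructed.
pub struct TlsRef {
    pub peer_chain: Vec<Vec<u8>>, // DER certificates, leaf first
    pub cipher: Option<String>,   // negotiated suite name
}

impl TlsRef {
    pub fn peer_certificate_der(&self) -> Option<&[u8]> {
        self.peer_chain.first().map(Vec::as_slice)
    }
    pub fn current_cipher_name(&self) -> Option<&str> {
        self.cipher.as_deref()
    }
}

#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, NoClientCert, MalformedLeaf, WeakCipher(String) }

/// Minimal DER framing check: an X.509 certificate is one outer SEQUENCE (0x30)
/// whose encoded length must cover exactly the rest of the buffer.
pub fn der_sequence_spans_buffer(der: &[u8]) -> bool {
    if der.len() < 2 || der[0] != 0x30 { return false; }
    let (len, hdr) = match der[1] {
        n if n < 0x80 => (n as usize, 2),
        0x81 if der.len() >= 3 => (der[2] as usize, 3),
        0x82 if der.len() >= 4 => (((der[2] as usize) << 8) | der[3] as usize, 4),
        _ => return false, // indefinite or longer length forms are not valid DER here
    };
    hdr + len == der.len()
}

/// TLS 1.3 suites, spelled the way rustls names them (assumed spelling).
const ALLOWED_CIPHERS: &[&str] = &["TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256"];

/// Policy for the callback: require a client cert, reject malformed DER, allow only TLS 1.3 suites.
pub fn inspect_peer(tls: &TlsRef) -> Verdict {
    let leaf = match tls.peer_certificate_der() {
        Some(l) => l,
        None => return Verdict::NoClientCert,
    };
    if !der_sequence_spans_buffer(leaf) {
        return Verdict::MalformedLeaf;
    }
    match tls.current_cipher_name() {
        Some(c) if ALLOWED_CIPHERS.contains(&c) => Verdict::Accept,
        other => Verdict::WeakCipher(other.unwrap_or("none").to_string()),
    }
}
```

The framing check only guards what is handed to a real X.509 parser; identity and chain validation still belong to the verifier rustls runs during the handshake.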