Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exposing SslContext for flexibility (e.g. client-side certs, etc) #471

Closed
mikedilger opened this issue Apr 21, 2015 · 5 comments
Closed

Exposing SslContext for flexibility (e.g. client-side certs, etc) #471

mikedilger opened this issue Apr 21, 2015 · 5 comments
Labels
A-server Area: server.

Comments

@mikedilger
Copy link
Contributor

Currently, net::HttpListener::https() takes a certificate and a key, and sets up an SslContext with a lot of assumptions. For example, it sets the DEFAULT cipher list. It also sets SSL_VERIFY_NONE.
This is called by Server::listen_threads(). I'm trying to make changes that allow the caller to pass in an SslContext.

Currently the SSL configuration is declared when the Server is created, by passing a certificate and a key to Server::https(). Unfortunately this scheme will not direclty work with a passed in SslContext, because if an SslContext is setup in the Server struct, it moves when passed on to HttpListener::https(), causing a "use of partially moved value" error. This cannot be solved via clone() because SslContext does not implement clone().

If Server::listen_threads() accepted the SSL information at that point (rather than owning it in it's struct), this would cause a lot of breaking changes.

OTOH, If HttpListener kept a reference to an SslContext (instead of owning it), it would propagate another annoying lifetime parameter over a lot of code.

I don't see a clearly preferable way of implementing this. Given a preferred direction, I'd be happy to make the changes necessary.
@mikedilger
Copy link
Contributor Author

Another option I thought of: HttpListener could get a separate listen method (where http and https would do everything except the bind step), and then a new method could be created that gets a mutable reference to the SslContext, to be called prior to listen.

Also I forgot to cc @seanmonstar

@seanmonstar
Copy link
Member

@mikedilger I'm not sure I follow. In listen_threads, the Server is taken by value. You can move the context out of the Server in this method.

@mikedilger
Copy link
Contributor Author

self.with_listener(listener, threads) requires both self (Server) and listener. If the context is moved, then 'self' is no longer available. See https://github.com/mikedilger/hyper/tree/ssl_context

@seanmonstar
Copy link
Member

Ohhh, I see what you mean. Ok, so the with_listener method takes self, but it only needs to access self.handler. What about creating a private free function with_listener, that the method calls as with_listener(self.handler, listener, threads). Then, listen_threads can skip the internal method, and just move out both the ssl and the handler in the same function. Make sense?

mikedilger added a commit to mikedilger/hyper that referenced this issue Apr 26, 2015
@mikedilger
refactor(server): make with_listener a free function
cc1b6c2 
Allow a Server to operate without requiring the entire Server struct
to move into the with_listener function (instead only the handler
function needs to move). This, allows other members to not move, or
move separately, which will be needed for the next commit.  See hyperium#471
mikedilger added a commit to mikedilger/hyper that referenced this issue Apr 26, 2015
@mikedilger
feat(server): allow consumer to supply an SslContext
7a6a3f8 
Closes hyperium#471
@mikedilger mikedilger mentioned this issue Apr 26, 2015
Merged
@mikedilger
Copy link
Contributor Author

I'm glad I asked, because I hadn't thought of that.

I did this in 3 commits. See PR #479

mikedilger added a commit to mikedilger/hyper that referenced this issue Apr 26, 2015
@mikedilger
refactor(server): make with_listener a free function
fef04d2 
Allow a Server to operate without requiring the entire Server struct
to move into the with_listener function (instead only the handler
function needs to move). This, allows other members to not move, or
move separately, which will be needed for the next commit.  See hyperium#471
@seanmonstar seanmonstar added the A-server Area: server. label Apr 27, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-server Area: server.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@seanmonstar @mikedilger