fix: Fix default TLS configuration hostname not set (#244)

penumbra-x · Jan 1, 2025 · 44b8216 · 44b8216
1 parent 772bcc5
commit 44b8216
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 13 deletions.
diff --git a/src/tls/conn/mod.rs b/src/tls/conn/mod.rs
@@ -53,8 +53,8 @@ impl Default for HttpsLayerSettings {
             skip_session_ticket: false,
             application_settings: false,
             enable_ech_grease: false,
-            verify_hostname: false,
-            tls_sni: false,
+            verify_hostname: true,
+            tls_sni: true,
             alpn_protos: HttpVersionPref::All,
         }
     }
@@ -95,13 +95,13 @@ impl HttpsLayerSettingsBuilder {
         self
     }
 
-    /// Sets whether to enable TLS SNI. Defaults to `false`.
+    /// Sets whether to enable TLS SNI. Defaults to `true`.
     pub fn tls_sni(mut self, enable: bool) -> Self {
         self.0.tls_sni = enable;
         self
     }
 
-    /// Sets whether to enable hostname verification. Defaults to `false`.
+    /// Sets whether to enable hostname verification. Defaults to `true`.
     pub fn verify_hostname(mut self, enable: bool) -> Self {
         self.0.verify_hostname = enable;
         self

diff --git a/src/tls/mod.rs b/src/tls/mod.rs
@@ -10,13 +10,18 @@
 mod conn;
 mod ext;
 
-pub use crate::mimic::Impersonate;
+use crate::{impl_debug, tls::cert_compression::CertCompressionAlgorithm, HttpVersionPref};
 use boring::{
     error::ErrorStack,
     ssl::{SslConnector, SslMethod, SslOptions, SslVersion},
 };
-pub use conn::{HttpsConnector, MaybeHttpsStream};
+use boring::{ssl::SslCurve, x509::store::X509Store};
 use conn::{HttpsLayer, HttpsLayerSettings};
+use std::borrow::Cow;
+use typed_builder::TypedBuilder;
+
+pub use crate::mimic::Impersonate;
+pub use conn::{HttpsConnector, MaybeHttpsStream};
 pub use ext::{cert_compression, TlsBuilderExtension, TlsConnectExtension};
 
 type TlsResult<T> = Result<T, ErrorStack>;
@@ -116,13 +121,13 @@ impl BoringTlsConnector {
 
         // Create the `HttpsLayerSettings` with the default session cache capacity.
         let settings = HttpsLayerSettings::builder()
-            .session_cache_capacity(8)
             .session_cache(settings.pre_shared_key)
             .skip_session_ticket(settings.psk_skip_session_ticket)
             .alpn_protos(settings.alpn_protos)
             .application_settings(settings.application_settings)
             .enable_ech_grease(settings.enable_ech_grease)
             .tls_sni(settings.tls_sni)
+            .verify_hostname(settings.verify_hostname)
             .build();
 
         Ok(Self(HttpsLayer::with_connector_and_settings(
@@ -162,11 +167,6 @@ impl TlsInfo {
     }
 }
 
-use crate::{impl_debug, tls::cert_compression::CertCompressionAlgorithm, HttpVersionPref};
-use boring::{ssl::SslCurve, x509::store::X509Store};
-use std::borrow::Cow;
-use typed_builder::TypedBuilder;
-
 #[derive(Default)]
 pub enum RootCertsStore {
     Owned(X509Store),
@@ -224,7 +224,7 @@ where
     }
 }
 
-#[derive(TypedBuilder, Default)]
+#[derive(TypedBuilder)]
 pub struct TlsSettings {
     #[builder(default)]
     pub root_certs_store: RootCertsStore,
@@ -299,6 +299,12 @@ pub struct TlsSettings {
     pub extension_permutation_indices: Option<Cow<'static, [u8]>>,
 }
 
+impl Default for TlsSettings {
+    fn default() -> Self {
+        Self::builder().build()
+    }
+}
+
 impl_debug!(
     TlsSettings,
     {