Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rustls_{server/client}_config_builder_new_custom() parameters #203

Open
icing opened this issue Nov 9, 2021 · 2 comments
Open

rustls_{server/client}_config_builder_new_custom() parameters #203

icing opened this issue Nov 9, 2021 · 2 comments

Comments

@icing
Copy link
Collaborator

icing commented Nov 9, 2021
edited
Loading

As I see it, the new rustls_client_config_builder_new_custom and rustls_server_config_builder_new_custom require specification of protocols and ciphersuites and panic if one is NULL.

Questions:

  • how can one configure a supported cipher without mentioning the tls protocol version?
  • how can one enable a certain minimum protocol version without know all available?
  • how can one enable a specific protocol version without being aware which ciphers belong to it?
  • what is the outcome of a cipher and tls version that do not match?

Thanks for your help.
@jsha
Copy link
Collaborator

jsha commented Nov 9, 2021

how can one configure a supported cipher without mentioning the tls protocol version?
how can one enable a specific protocol version without being aware which ciphers belong to it?

@kevinburke provided a PR to support default cipher suites by passing NULL in the appropriate position: #165. Right now that's blocked on a redesign. Instead of NULL (which isn't clear to the reader of the code what it does), I'd like to have a global constant array RUSTLS_DEFAULT_CIPHER_SUITES and RUSTLS_DEFAULT_CIPHER_SUITES_LEN, so it's clear at the call site. Though perhaps our new rustls_default_cipher_suites_get() could do the same, if we can guarantee that its returned pointers are contiguous in memory (I'd have to check).

We'll also need the same treatment for protocol versions.

how can one enable a certain minimum protocol version without know all available?

I think for this we need to add a list of supported_tls_versions or similar, and guarantee it is in sorted order.

what is the outcome of a cipher and tls version that do not match?

There will be an error returned from rustls_{client,server}_config_builder_new_custom. We should document that. According to https://docs.rs/rustls/0.20.0/src/rustls/builder.rs.html#211-239, the error kind will be "General." We should file an upstream ticket to get a more specific error for that case.

@icing
Copy link
Collaborator Author

icing commented Nov 9, 2021

Thanks for clarifying. I think passing NULL for default is quite common in a C API, but I have no qualms with passing any other constant you prefer.

@jsha jsha mentioned this issue Nov 18, 2021
Closed
@divergentdave divergentdave mentioned this issue Nov 19, 2021
Merged
jsha pushed a commit that referenced this issue Nov 19, 2021
@divergentdave
client: add ciphersuite and version arrays (#242)
b30b051 
This adds arrays of ciphersuites and versions as suggested in #165 and #203.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@icing @jsha