[cluster] Support encrypted connections #55
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportBase: 77.50% // Head: 76.25% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #55 +/- ##
==========================================
- Coverage 77.50% 76.25% -1.26%
==========================================
Files 46 47 +1
Lines 7799 7930 +131
==========================================
+ Hits 6045 6047 +2
- Misses 1754 1883 +129
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
Encryption support is provided by
1. `tokio_rustls`
2. `rustls`
which allow for both the NodeServer received connections and outgoing client cluster connections to utilize TLS configuration.
Integration tests added, but code-coverage will likely be low as integration tests don't count in `codecov`
```bash
$ docker compose --env-file ./ractor_cluster_integration_tests/envs/encryption.env up --build --exit-code-from node-b
...
node-a | [2023-02-21T16:58:39.401Z WARN ractor_cluster_integration_tests::tests::encryption] CA Cert SUB=10U
ponytown RSA CA
node-a | [2023-02-21T16:58:39.402Z INFO ractor_cluster_integration_tests::tests::encryption] Starting NodeServer on port 8199
node-a | [2023-02-21T16:58:39.402Z INFO ractor_cluster_integration_tests::tests::encryption] Waiting for NodeSession status updates
node-b | [2023-02-21T16:58:39.621Z WARN ractor_cluster_integration_tests::tests::encryption] CA Cert SUB=10U
ponytown RSA CA
node-b | [2023-02-21T16:58:39.621Z INFO ractor_cluster_integration_tests::tests::encryption] Starting NodeServer on port 8198
node-b | [2023-02-21T16:58:39.621Z INFO ractor_cluster_integration_tests::tests::encryption] Connecting to remote NodeServer at node-a:8199
node-b | [2023-02-21T16:58:39.623Z DEBUG rustls::client::hs] No cached session for DnsName(DnsName(DnsName("testserver.com")))
node-a | [2023-02-21T16:58:39.623Z DEBUG rustls::server::hs] decided upon suite TLS13_AES_256_GCM_SHA384
node-b | [2023-02-21T16:58:39.623Z DEBUG rustls::client::hs] Not resuming any session
[cluster] Support encrypted connections
node-b | [2023-02-21T16:58:39.624Z DEBUG rustls::client::hs] Using ciphersuite TLS13_AES_256_GCM_SHA384
node-b | [2023-02-21T16:58:39.624Z DEBUG rustls::client::tls13] Not resuming
node-b | [2023-02-21T16:58:39.624Z DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
node-b | [2023-02-21T16:58:39.624Z DEBUG rustls::client::hs] ALPN protocol is None
node-b | [2023-02-21T16:58:39.624Z INFO ractor_cluster::node::client] TCP Session opened for 172.18.0.2:8199
node-b | [2023-02-21T16:58:39.624Z INFO ractor_cluster_integration_tests::tests::encryption] Client connected NodeServer b to NodeServer a
node-b | [2023-02-21T16:58:39.624Z INFO ractor_cluster_integration_tests::tests::encryption] Waiting for NodeSession status updates
node-a | [2023-02-21T16:58:39.624Z INFO ractor_cluster::net::listener] TCP Session opened for 172.18.0.3:34662
...
node-a exited with code 0
```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Encryption support is provided by
tokio_rustlsrustlswhich allow for both the NodeServer received connections and outgoing client cluster connections to utilize TLS configuration.
Integration tests added, but code-coverage will likely be low as integration tests don't count in
codecovNOTE: This change includes importing
rustls's test certificates so most of this PR can be ignored as it's just a copy from their repo. Anything underractor_cluster_integration_tests/test-ca/...is imported fromrustls(except for the README giving attribution).