pub struct SslAcceptorBuilder(/* private fields */);

A builder for SslAcceptors.

Implementations

impl SslAcceptorBuilder

pub fn build(self) -> SslAcceptor

Consumes the builder, returning an SslAcceptor.

Methods from Deref<Target = SslContextBuilder>
pub fn set_verify(&mut self, mode: SslVerifyMode)

Configures the certificate verification method for new connections.

This corresponds to SSL_CTX_set_verify.

pub fn set_verify_callback<F>(&mut self, mode: SslVerifyMode, verify: F)

Configures the certificate verification method for new connections and registers a verification callback.

The callback is passed a boolean indicating if OpenSSL’s internal verification succeeded as well as a reference to the X509StoreContext which can be used to examine the certificate chain. It should return a boolean indicating if verification succeeded.

This corresponds to SSL_CTX_set_verify.

pub fn set_servername_callback<F>(&mut self, callback: F)

Configures the server name indication (SNI) callback for new connections.

SNI is used to allow a single server to handle requests for multiple domains, each of which has its own certificate chain and configuration.

Obtain the server name with the servername method and then set the corresponding context with set_ssl_context.

This corresponds to SSL_CTX_set_tlsext_servername_callback.

pub fn set_verify_depth(&mut self, depth: u32)

Sets the certificate verification depth.

If the peer’s certificate chain is longer than this value, verification will fail.

This corresponds to SSL_CTX_set_verify_depth.

pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack>

Sets a custom certificate store for verifying peer certificates.

Requires OpenSSL 1.0.2 or newer.

This corresponds to SSL_CTX_set0_verify_cert_store.

pub fn set_cert_store(&mut self, cert_store: X509Store)

Replaces the context’s certificate store.

This corresponds to SSL_CTX_set_cert_store.

pub fn set_read_ahead(&mut self, read_ahead: bool)

Controls read ahead behavior.

If enabled, OpenSSL will read as much data as is available from the underlying stream, instead of a single record at a time.

It has no effect when used with DTLS.

This corresponds to SSL_CTX_set_read_ahead.

pub fn set_mode(&mut self, mode: SslMode) -> SslMode

Sets the mode used by the context, returning the previous mode.

This corresponds to SSL_CTX_set_mode.

pub fn set_tmp_dh(&mut self, dh: &DhRef<Params>) -> Result<(), ErrorStack>

Sets the parameters to be used during ephemeral Diffie-Hellman key exchange.

This corresponds to SSL_CTX_set_tmp_dh.

pub fn set_tmp_dh_callback<F>(&mut self, callback: F)

Sets the callback which will generate parameters to be used during ephemeral Diffie-Hellman key exchange.

The callback is provided with a reference to the Ssl for the session, as well as a boolean indicating if the selected cipher is export-grade, and the key length. The export and key length options are archaic and should be ignored in almost all cases.

This corresponds to SSL_CTX_set_tmp_dh_callback.

pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef<Params>) -> Result<(), ErrorStack>

Sets the parameters to be used during ephemeral elliptic curve Diffie-Hellman key exchange.

This corresponds to SSL_CTX_set_tmp_ecdh.

pub fn set_default_verify_paths(&mut self) -> Result<(), ErrorStack>

Use the default locations of trusted certificates for verification.

These locations are read from the SSL_CERT_FILE and SSL_CERT_DIR environment variables if present, or defaults specified at OpenSSL build time otherwise.

This corresponds to SSL_CTX_set_default_verify_paths.

pub fn set_ca_file<P>(&mut self, file: P) -> Result<(), ErrorStack>

Loads trusted root certificates from a file.

The file should contain a sequence of PEM-formatted CA certificates.

This corresponds to SSL_CTX_load_verify_locations.

pub fn set_client_ca_list(&mut self, list: Stack<X509Name>)

Sets the list of CA names sent to the client.

The CA certificates must still be added to the trust root - they are not automatically set as trusted by this method.

This corresponds to SSL_CTX_set_client_CA_list.

pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack>

Add the provided CA certificate to the list sent by the server to the client when requesting client-side TLS authentication.

This corresponds to SSL_CTX_add_client_CA.

pub fn set_session_id_context(&mut self, sid_ctx: &[u8]) -> Result<(), ErrorStack>

Set the context identifier for sessions.

This value identifies the server’s session cache to clients, telling them when they’re able to reuse sessions. It should be set to a unique value per server, unless multiple servers share a session cache.

This value should be set when using client certificates, or each request will fail its handshake and need to be restarted.

This corresponds to SSL_CTX_set_session_id_context.
pub fn set_certificate_file<P>(&mut self, file: P, file_type: SslFiletype) -> Result<(), ErrorStack>

Loads a leaf certificate from a file.

Only a single certificate will be loaded - use add_extra_chain_cert to add the remainder of the certificate chain, or set_certificate_chain_file to load the entire chain from a single file.

This corresponds to SSL_CTX_use_certificate_file.

pub fn set_certificate_chain_file<P>(&mut self, file: P) -> Result<(), ErrorStack>

Loads a certificate chain from a file.

The file should contain a sequence of PEM-formatted certificates, the first being the leaf certificate, and the remainder forming the chain of certificates up to and including the trusted root certificate.

This corresponds to SSL_CTX_use_certificate_chain_file.

pub fn set_certificate(&mut self, cert: &X509Ref) -> Result<(), ErrorStack>

Sets the leaf certificate.

Use add_extra_chain_cert to add the remainder of the certificate chain.

This corresponds to SSL_CTX_use_certificate.

pub fn add_extra_chain_cert(&mut self, cert: X509) -> Result<(), ErrorStack>

Appends a certificate to the certificate chain.

This chain should contain all certificates necessary to go from the certificate specified by set_certificate to a trusted root.

This corresponds to SSL_CTX_add_extra_chain_cert.

pub fn set_private_key_file<P>(&mut self, file: P, file_type: SslFiletype) -> Result<(), ErrorStack>

Loads the private key from a file.

This corresponds to SSL_CTX_use_PrivateKey_file.

pub fn set_private_key<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack> where T: HasPrivate

Sets the private key.

This corresponds to SSL_CTX_use_PrivateKey.

pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack>

Sets the list of supported ciphers for protocols before TLSv1.3.

The set_ciphersuites method controls the cipher suites for TLSv1.3.

See ciphers for details on the format.

This corresponds to SSL_CTX_set_cipher_list.

pub fn set_ciphersuites(&mut self, cipher_list: &str) -> Result<(), ErrorStack>

Sets the list of supported ciphers for the TLSv1.3 protocol.

The set_cipher_list method controls the cipher suites for protocols before TLSv1.3.

The format consists of TLSv1.3 cipher suite names separated by : characters in order of preference.

Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer.

This corresponds to SSL_CTX_set_ciphersuites.

pub fn set_options(&mut self, option: SslOptions) -> SslOptions

Sets the options used by the context, returning the old set.

Note: this enables the specified options, but does not disable unspecified options. Use clear_options for that.

This corresponds to SSL_CTX_set_options.

pub fn options(&self) -> SslOptions

Returns the options used by the context.

This corresponds to SSL_CTX_get_options.

pub fn clear_options(&mut self, option: SslOptions) -> SslOptions

Clears the options used by the context, returning the old set.

This corresponds to SSL_CTX_clear_options.

pub fn set_min_proto_version(&mut self, version: Option<SslVersion>) -> Result<(), ErrorStack>

Sets the minimum supported protocol version.

A value of None will enable protocol versions down to the lowest version supported by OpenSSL.

Requires BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer.

This corresponds to SSL_CTX_set_min_proto_version.

pub fn set_max_proto_version(&mut self, version: Option<SslVersion>) -> Result<(), ErrorStack>

Sets the maximum supported protocol version.

A value of None will enable protocol versions up to the highest version supported by OpenSSL.

Requires BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer.

This corresponds to SSL_CTX_set_max_proto_version.

pub fn min_proto_version(&mut self) -> Option<SslVersion>

Gets the minimum supported protocol version.

A value of None indicates that all versions down to the lowest version supported by OpenSSL are enabled.

Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer.

This corresponds to SSL_CTX_get_min_proto_version.

pub fn max_proto_version(&mut self) -> Option<SslVersion>

Gets the maximum supported protocol version.

A value of None indicates that all versions up to the highest version supported by OpenSSL are enabled.

Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer.

This corresponds to SSL_CTX_get_max_proto_version.
pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack>

Sets the protocols to send to the server for Application Layer Protocol Negotiation (ALPN).

The input must be in ALPN “wire format”. It consists of a sequence of supported protocol names prefixed by their byte length. For example, the protocol list consisting of spdy/1 and http/1.1 is encoded as b"\x06spdy/1\x08http/1.1". The protocols are ordered by preference.

Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.

This corresponds to SSL_CTX_set_alpn_protos.

pub fn set_tlsext_use_srtp(&mut self, protocols: &str) -> Result<(), ErrorStack>

Enables the DTLS extension “use_srtp” as defined in RFC5764.

This corresponds to SSL_CTX_set_tlsext_use_srtp.

pub fn set_alpn_select_callback<F>(&mut self, callback: F)

Sets the callback used by a server to select a protocol for Application Layer Protocol Negotiation (ALPN).

The callback is provided with the client’s protocol list in ALPN wire format. See the documentation for SslContextBuilder::set_alpn_protos for details. It should return one of those protocols on success. The select_next_proto function implements the standard protocol selection algorithm.

Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.

This corresponds to SSL_CTX_set_alpn_select_cb.
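The ALPN wire format described under set_alpn_protos and the selection a server performs in its set_alpn_select_callback, as an added example in plain std Rust; this is not code from the openssl crate. encode_alpn builds the length-prefixed list, decode_alpn parses one defensively (the list a select callback receives comes from an untrusted client), and select_protocol walks the server's preference list and returns the first protocol the client also offered. select_protocol re-implements that idea and is not the crate's select_next_proto; all three names are chosen for this example.

```rust
// Added example, not code from the openssl crate: ALPN "wire format"
// helpers in plain std Rust. Each protocol name is prefixed by its one-byte
// length, so a name must be 1..=255 bytes long, and a list must decode
// exactly, with no zero-length or truncated entry. Function names are
// chosen for this example.

#[derive(Debug, PartialEq)]
pub enum AlpnError {
    EmptyName,
    NameTooLong(usize),
    ZeroLength,
    Truncated,
}

/// Encode protocol names, in preference order, into ALPN wire format.
pub fn encode_alpn(protocols: &[&str]) -> Result<Vec<u8>, AlpnError> {
    let mut out = Vec::new();
    for name in protocols {
        let bytes = name.as_bytes();
        if bytes.is_empty() {
            return Err(AlpnError::EmptyName);
        }
        if bytes.len() > 255 {
            return Err(AlpnError::NameTooLong(bytes.len()));
        }
        out.push(bytes.len() as u8);
        out.extend_from_slice(bytes);
    }
    Ok(out)
}

/// Decode ALPN wire format into protocol names. A server-side select
/// callback receives this list from an untrusted client, so a zero-length
/// entry or a length that runs past the end of the buffer is an error
/// rather than something to skip silently.
pub fn decode_alpn(wire: &[u8]) -> Result<Vec<&[u8]>, AlpnError> {
    let mut names = Vec::new();
    let mut pos = 0;
    while pos < wire.len() {
        let len = wire[pos] as usize;
        if len == 0 {
            return Err(AlpnError::ZeroLength);
        }
        let start = pos + 1;
        let end = start + len;
        if end > wire.len() {
            return Err(AlpnError::Truncated);
        }
        names.push(&wire[start..end]);
        pos = end;
    }
    Ok(names)
}

/// Server-preference selection: walk the server's list in order and return
/// the first protocol the client also offered, or None when nothing
/// overlaps. This re-implements the idea behind the crate's
/// select_next_proto (server list first, client list second); it is not
/// that function.
pub fn select_protocol<'a>(server: &'a [u8], client: &[u8]) -> Result<Option<&'a [u8]>, AlpnError> {
    let offered = decode_alpn(client)?;
    for candidate in decode_alpn(server)? {
        if offered.iter().any(|o| *o == candidate) {
            return Ok(Some(candidate));
        }
    }
    Ok(None)
}

fn main() {
    // The list from the documentation above: spdy/1 then http/1.1.
    let wire = encode_alpn(&["spdy/1", "http/1.1"]).unwrap();
    assert_eq!(wire, b"\x06spdy/1\x08http/1.1".to_vec());
    // Server prefers h2; the client listed http/1.1 first but also offers h2.
    let server = encode_alpn(&["h2", "http/1.1"]).unwrap();
    let client = encode_alpn(&["http/1.1", "h2"]).unwrap();
    println!("selected: {:?}", select_protocol(&server, &client));
    println!("malformed: {:?}", decode_alpn(b"\x05abc"));
}
```

A select callback that used decode_alpn would map the Err cases to the crate's "no protocol selected" outcome rather than panicking, since the bytes are attacker-controlled input arriving before the handshake has authenticated anyone.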
pub fn check_private_key(&self) -> Result<(), ErrorStack>

Checks for consistency between the private key and certificate.

This corresponds to SSL_CTX_check_private_key.

pub fn cert_store(&self) -> &X509StoreBuilderRef

Returns a shared reference to the context’s certificate store.

This corresponds to SSL_CTX_get_cert_store.

pub fn cert_store_mut(&mut self) -> &mut X509StoreBuilderRef

Returns a mutable reference to the context’s certificate store.

This corresponds to SSL_CTX_get_cert_store.

pub fn verify_param(&self) -> &X509VerifyParamRef

Returns a reference to the X509 verification configuration.

Requires BoringSSL or OpenSSL 1.0.2 or newer.

This corresponds to SSL_CTX_get0_param.

pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef

Returns a mutable reference to the X509 verification configuration.

Requires BoringSSL or OpenSSL 1.0.2 or newer.

This corresponds to SSL_CTX_get0_param.

pub fn set_status_callback<F>(&mut self, callback: F) -> Result<(), ErrorStack>

Sets the callback dealing with OCSP stapling.

On the client side, this callback is responsible for validating the OCSP status response returned by the server. The status may be retrieved with the SslRef::ocsp_status method. A response of Ok(true) indicates that the OCSP status is valid, and a response of Ok(false) indicates that the OCSP status is invalid and the handshake should be terminated.

On the server side, this callback is responsible for setting the OCSP status response to be returned to clients. The status may be set with the SslRef::set_ocsp_status method. A response of Ok(true) indicates that the OCSP status should be returned to the client, and Ok(false) indicates that the status should not be returned to the client.

This corresponds to SSL_CTX_set_tlsext_status_cb.

pub fn set_psk_client_callback<F>(&mut self, callback: F)

Sets the callback for providing an identity and pre-shared key for a TLS-PSK client.

The callback will be called with the SSL context, an identity hint if one was provided by the server, and a mutable slice for each of the identity and pre-shared key bytes. The identity must be written as a null-terminated C string.

This corresponds to SSL_CTX_set_psk_client_callback.

pub fn set_psk_callback<F>(&mut self, callback: F)

See set_psk_client_callback.

pub fn set_psk_server_callback<F>(&mut self, callback: F)

Sets the callback for providing an identity and pre-shared key for a TLS-PSK server.

The callback will be called with the SSL context, an identity provided by the client, and a mutable slice for the pre-shared key bytes. The callback returns the number of bytes in the pre-shared key.

This corresponds to SSL_CTX_set_psk_server_callback.
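The buffer contract shared by set_psk_client_callback and set_psk_server_callback, as an added example in plain std Rust that is not the crate's code. write_identity places the identity into the slice as a NUL-terminated C string, write_key copies the key and returns its length, client_psk and server_psk combine them the way each side's callback would, and the server lookup compares every table entry without an early exit. Buffer sizes, identities and keys are constructed for the example; all function names are chosen here.

```rust
// Added example, not code from the openssl crate: models the buffer contract
// the TLS-PSK callbacks above describe. The client callback writes its
// identity as a NUL-terminated C string into one slice and the key bytes into
// another; the server callback receives the identity as raw bytes, looks it
// up and writes the key. Both return the number of key bytes written. The
// buffer sizes, identities and keys used below are constructed for the
// example, and the function names are chosen here.

#[derive(Debug, PartialEq)]
pub enum PskError {
    IdentityTooLong,
    IdentityHasNul,
    KeyTooLong,
    UnknownIdentity,
}

/// Write identity into buf as a NUL-terminated C string. Returns the number
/// of identity bytes written, not counting the terminator.
pub fn write_identity(identity: &str, buf: &mut [u8]) -> Result<usize, PskError> {
    let bytes = identity.as_bytes();
    // An interior NUL would silently truncate the identity on the C side.
    if bytes.contains(&0) {
        return Err(PskError::IdentityHasNul);
    }
    // The terminator needs one byte of its own.
    if bytes.len() + 1 > buf.len() {
        return Err(PskError::IdentityTooLong);
    }
    buf[..bytes.len()].copy_from_slice(bytes);
    buf[bytes.len()] = 0;
    Ok(bytes.len())
}

/// Copy the pre-shared key into buf, returning its length.
pub fn write_key(key: &[u8], buf: &mut [u8]) -> Result<usize, PskError> {
    if key.len() > buf.len() {
        return Err(PskError::KeyTooLong);
    }
    buf[..key.len()].copy_from_slice(key);
    Ok(key.len())
}

/// Client side: fill both buffers and return the key length, which is what
/// the callback hands back to OpenSSL.
pub fn client_psk(identity: &str, key: &[u8], id_buf: &mut [u8], key_buf: &mut [u8]) -> Result<usize, PskError> {
    write_identity(identity, id_buf)?;
    write_key(key, key_buf)
}

/// Server side: look the client's identity up in a table and write the
/// matching key. The scan visits every entry and compares without an early
/// exit, so response timing does not reveal which identities exist. An
/// unknown identity is an error; a real callback would return 0 (no key) so
/// the handshake fails.
pub fn server_psk(identity: &[u8], table: &[(&str, &[u8])], key_buf: &mut [u8]) -> Result<usize, PskError> {
    let mut found: Option<&[u8]> = None;
    for (known, key) in table {
        if ct_eq(known.as_bytes(), identity) {
            found = Some(*key);
        }
    }
    match found {
        Some(key) => write_key(key, key_buf),
        None => Err(PskError::UnknownIdentity),
    }
}

/// Byte comparison without a data-dependent early exit. Lengths are compared
/// directly; identity lengths are sent in the clear anyway.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    let mut id_buf = [0u8; 32];
    let mut key_buf = [0u8; 32];
    // Constructed identity and key; real ones are provisioned out of band.
    let n = client_psk("client-1", &[0x11, 0x22, 0x33, 0x44], &mut id_buf, &mut key_buf).unwrap();
    println!("client wrote {} key bytes; identity buffer starts {:?}", n, &id_buf[..9]);
    let table: &[(&str, &[u8])] = &[("client-1", &[0x11, 0x22, 0x33, 0x44])];
    let mut server_key = [0u8; 32];
    println!("server lookup: {:?}", server_psk(b"client-1", table, &mut server_key));
    println!("unknown identity: {:?}", server_psk(b"nobody", table, &mut server_key));
}
```

The two length checks are the part worth keeping: the crate hands the callback fixed-size slices, and a key or identity that does not fit must fail the handshake rather than be truncated into a different value than the peer expects.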
pub fn set_new_session_callback<F>(&mut self, callback: F)

Sets the callback which is called when new sessions are negotiated.

This can be used by clients to implement session caching. While in TLSv1.2 the session is available to access via SslRef::session immediately after the handshake completes, this is not the case for TLSv1.3. There, a session is not generally available immediately, and the server may provide multiple session tokens to the client over a single session. The new session callback is a portable way to deal with both cases.

Note that session caching must be enabled for the callback to be invoked, and it defaults off for clients. set_session_cache_mode controls that behavior.

This corresponds to SSL_CTX_sess_set_new_cb.

pub fn set_remove_session_callback<F>(&mut self, callback: F)

Sets the callback which is called when sessions are removed from the context.

Sessions can be removed because they have timed out or because they are considered faulty.

This corresponds to SSL_CTX_sess_set_remove_cb.

pub unsafe fn set_get_session_callback<F>(&mut self, callback: F)

Sets the callback which is called when a client proposed to resume a session but it was not found in the internal cache.

The callback is passed a reference to the session ID provided by the client. It should return the session corresponding to that ID if available. This is only used for servers, not clients.

Safety

The returned SslSession must not be associated with a different SslContext.

This corresponds to SSL_CTX_sess_set_get_cb.

pub fn set_keylog_callback<F>(&mut self, callback: F)

Sets the TLS key logging callback.

The callback is invoked whenever TLS key material is generated, and is passed a line of NSS SSLKEYLOGFILE-formatted text. This can be used by tools like Wireshark to decrypt message traffic. The line does not contain a trailing newline.

Requires OpenSSL 1.1.1 or newer.

This corresponds to SSL_CTX_set_keylog_callback.
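A consumer for the line the keylog callback delivers, as an added example in plain std Rust that is not the crate's code. parse_keylog_line checks that a line carries a known SSLKEYLOGFILE label, a 64-hex-character client random and a hex secret, and append_keylog_line writes only lines that pass, adding the newline the callback omits. The sample line is constructed and its hex is a placeholder, not key material; the names are chosen here.

```rust
// Added example, not code from the openssl crate: validates a line in the NSS
// SSLKEYLOGFILE format before it is appended to a log. The callback on this
// page hands over one such line without a trailing newline, so the writer
// adds it. The sample line in main is constructed; its hex digits are a
// placeholder, not real key material. Function and type names are chosen
// for this example.

use std::io::Write;

/// Labels the SSLKEYLOGFILE format uses for TLS 1.2 and TLS 1.3.
const LABELS: &[&str] = &[
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
];

#[derive(Debug, PartialEq)]
pub struct KeylogLine<'a> {
    pub label: &'a str,
    pub client_random: &'a str,
    pub secret: &'a str,
}

/// Non-empty, even-length, ASCII hex only.
fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.len() % 2 == 0 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Parse "<LABEL> <client_random hex> <secret hex>". The client random is
/// the 32-byte ClientHello random, so it must be exactly 64 hex characters;
/// anything else (extra fields, unknown label, non-hex) is rejected.
pub fn parse_keylog_line(line: &str) -> Option<KeylogLine<'_>> {
    let mut parts = line.split(' ');
    let label = parts.next()?;
    let client_random = parts.next()?;
    let secret = parts.next()?;
    if parts.next().is_some() || !LABELS.iter().any(|l| *l == label) {
        return None;
    }
    if client_random.len() != 64 || !is_hex(client_random) || !is_hex(secret) {
        return None;
    }
    Some(KeylogLine { label, client_random, secret })
}

/// Append a validated line plus newline to sink. Returns Ok(false), writing
/// nothing, for a line that does not parse, so a corrupted or foreign line
/// never lands in the file.
pub fn append_keylog_line<W: Write>(sink: &mut W, line: &str) -> std::io::Result<bool> {
    if parse_keylog_line(line).is_none() {
        return Ok(false);
    }
    sink.write_all(line.as_bytes())?;
    sink.write_all(b"\n")?;
    Ok(true)
}

fn main() -> std::io::Result<()> {
    // Constructed sample line: placeholder hex, not real key material.
    let sample = format!("CLIENT_RANDOM {} {}", "ab".repeat(32), "cd".repeat(48));
    let mut out = std::io::stdout();
    let accepted = append_keylog_line(&mut out, &sample)?;
    eprintln!("accepted: {}", accepted);
    eprintln!("rejected garbage: {}", !append_keylog_line(&mut out, "not a keylog line")?);
    Ok(())
}
```

In a callback registered with set_keylog_callback, the sink would be a file opened once at startup and only when key logging has been explicitly enabled for that process (for instance by the presence of a dedicated environment variable), since the lines it receives decrypt the session.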
pub fn set_session_cache_mode(&mut self, mode: SslSessionCacheMode) -> SslSessionCacheMode

Sets the session caching mode used for connections made with the context.

Returns the previous session caching mode.

This corresponds to SSL_CTX_set_session_cache_mode.

Sets the callback for generating an application cookie for TLS1.3 stateless handshakes.

The callback will be called with the SSL context and a slice into which the cookie should be written. The callback should return the number of bytes written.

This corresponds to SSL_CTX_set_stateless_cookie_generate_cb.

Sets the callback for verifying an application cookie for TLS1.3 stateless handshakes.

The callback will be called with the SSL context and the cookie supplied by the client. It should return true if and only if the cookie is valid.

Note that the OpenSSL implementation independently verifies the integrity of application cookies using an HMAC before invoking the supplied callback.

This corresponds to SSL_CTX_set_stateless_cookie_verify_cb.

Sets the callback for generating a DTLSv1 cookie.

The callback will be called with the SSL context and a slice into which the cookie should be written. The callback should return the number of bytes written.

This corresponds to SSL_CTX_set_cookie_generate_cb.

Sets the callback for verifying a DTLSv1 cookie.

The callback will be called with the SSL context and the cookie supplied by the client. It should return true if and only if the cookie is valid.

This corresponds to SSL_CTX_set_cookie_verify_cb.
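One application cookie that fits both the TLS1.3 stateless and the DTLSv1 generate/verify contracts above, as an added example in plain std Rust that is not the crate's code. generate_cookie writes into the caller's slice and returns the byte count (0 when the slice is too small), and verify_cookie accepts only an exact-length, current-version cookie issued within a freshness window, returning the application tag it carried. The layout, the 60-second window and the names are choices made for this example; per the note above, integrity of the stateless cookie bytes is handled by OpenSSL's own HMAC, so this cookie carries only application state.

```rust
// Added example, not code from the openssl crate: an application cookie for
// the stateless (TLS 1.3) and DTLSv1 cookie callbacks above. The generate
// side writes into a caller-provided slice and returns the number of bytes
// written; the verify side takes the bytes the client echoed back and
// returns Some(tag) only for a valid cookie. The layout (version byte,
// 8-byte issue time, 2-byte application tag), the freshness window and the
// function names are choices made for this example.

const COOKIE_VERSION: u8 = 1;
const COOKIE_LEN: usize = 1 + 8 + 2;
/// A client must answer the retry within this many seconds.
const MAX_AGE_SECS: u64 = 60;

/// Write a cookie into out and return its length. Returns 0 with nothing
/// written when the slice is too small, which in the real callback tells
/// OpenSSL that generation failed.
pub fn generate_cookie(out: &mut [u8], now_secs: u64, app_tag: u16) -> usize {
    if out.len() < COOKIE_LEN {
        return 0;
    }
    out[0] = COOKIE_VERSION;
    out[1..9].copy_from_slice(&now_secs.to_be_bytes());
    out[9..11].copy_from_slice(&app_tag.to_be_bytes());
    COOKIE_LEN
}

/// Accept only a cookie of the exact expected length and version whose
/// issue time is neither in the future nor older than MAX_AGE_SECS.
/// Returns the application tag on success so the caller can act on it; a
/// verify callback maps Some to true and None to false.
pub fn verify_cookie(cookie: &[u8], now_secs: u64) -> Option<u16> {
    if cookie.len() != COOKIE_LEN || cookie[0] != COOKIE_VERSION {
        return None;
    }
    let mut ts = [0u8; 8];
    ts.copy_from_slice(&cookie[1..9]);
    let issued = u64::from_be_bytes(ts);
    if issued > now_secs || now_secs - issued > MAX_AGE_SECS {
        return None;
    }
    Some(u16::from_be_bytes([cookie[9], cookie[10]]))
}

fn main() {
    // Constructed clock values; a real callback would read the system clock.
    let mut buf = [0u8; 64];
    let n = generate_cookie(&mut buf, 1_000, 0x1234);
    println!("generated {} bytes: {:02x?}", n, &buf[..n]);
    println!("fresh:   {:?}", verify_cookie(&buf[..n], 1_030));
    println!("expired: {:?}", verify_cookie(&buf[..n], 2_000));
    println!("too short: {:?}", verify_cookie(&buf[..n - 1], 1_030));
}
```

The future-timestamp check matters as much as the expiry check: without it, a cookie stamped far ahead would pass verification for as long as it took the clock to catch up.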
pub fn set_ex_data<T>(&mut self, index: Index<SslContext, T>, data: T)

Sets the extra data at the specified index.

This can be used to provide data to callbacks registered with the context. Use the SslContext::new_ex_index method to create an Index.

This corresponds to SSL_CTX_set_ex_data.

pub fn add_custom_ext<AddFn, ParseFn, T>(&mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn) -> Result<(), ErrorStack>

Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions.

Requires OpenSSL 1.1.1 or newer.

This corresponds to SSL_CTX_add_custom_ext.

pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack>

Sets the maximum amount of early data that will be accepted on incoming connections.

Defaults to 0.

Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer.

This corresponds to SSL_CTX_set_max_early_data.

pub fn set_client_hello_callback<F>(&mut self, callback: F) where F: Fn(&mut SslRef, &mut SslAlert) -> Result<ClientHelloResponse, ErrorStack> + 'static + Sync + Send

Sets a callback which will be invoked just after the client’s hello message is received.

Requires OpenSSL 1.1.1 or newer.

This corresponds to SSL_CTX_set_client_hello_cb.

pub fn set_session_cache_size(&mut self, size: i32) -> i64

Sets the context’s session cache size limit, returning the previous limit.

A value of 0 means that the cache size is unbounded.

This corresponds to SSL_CTX_sess_set_cache_size.

pub fn set_sigalgs_list(&mut self, sigalgs: &str) -> Result<(), ErrorStack>

Sets the context’s supported signature algorithms.

Requires OpenSSL 1.0.2 or newer.

This corresponds to SSL_CTX_set1_sigalgs_list.

pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack>

Sets the context’s supported elliptic curve groups.

Requires BoringSSL or OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer.

This corresponds to SSL_CTX_set1_groups_list.

pub fn set_num_tickets(&mut self, num_tickets: usize) -> Result<(), ErrorStack>

Sets the number of TLS 1.3 session tickets that will be sent to a client after a full handshake.

Requires OpenSSL 1.1.1 or newer.

This corresponds to SSL_CTX_set_num_tickets.

pub fn set_security_level(&mut self, level: u32)

Set the context’s security level to a value between 0 and 5, inclusive. A security level of 0 allows all parameters and algorithms.

Requires OpenSSL 1.1.0 or newer.

This corresponds to SSL_CTX_set_security_level.