From e8e2ca1526783b2fe4f32dc62e5d6d108c76ea2b Mon Sep 17 00:00:00 2001 From: Nikolay Kim Date: Thu, 25 Jan 2018 10:24:04 -0800 Subject: [PATCH] refactor alpn support; upgrade openssl to 0.10 --- CHANGES.md | 9 +++++-- Cargo.toml | 10 +++----- examples/tls/Cargo.toml | 1 + examples/tls/cert.pem | 31 +++++++++++++++++++++++ examples/tls/identity.pfx | Bin 4101 -> 0 bytes examples/tls/key.pem | 51 ++++++++++++++++++++++++++++++++++++++ examples/tls/src/main.rs | 17 ++++++------- guide/src/qs_13.md | 14 ++++++----- src/server/srv.rs | 30 +++++++++++----------- 9 files changed, 124 insertions(+), 39 deletions(-) create mode 100644 examples/tls/cert.pem delete mode 100644 examples/tls/identity.pfx create mode 100644 examples/tls/key.pem diff --git a/CHANGES.md b/CHANGES.md index e7812472..760dbcc5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,10 +1,15 @@ # Changes -## 0.3.3 (2018-01-xx) +## 0.3.3 (2018-01-25) * Stop processing any events after context stop -* Re-enable write back pressure for h1 connections +* Re-enable write back-pressure for h1 connections + +* Refactor HttpServer::start_ssl() method + +* Upgrade openssl to 0.10 + ## 0.3.2 (2018-01-21) diff --git a/Cargo.toml b/Cargo.toml index 371aad29..46afb692 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "actix-web" -version = "0.3.2" +version = "0.3.3" authors = ["Nikolay Kim "] description = "Actix web framework" readme = "README.md" @@ -71,15 +71,12 @@ native-tls = { version="0.1", optional = true } tokio-tls = { version="0.1", optional = true } # openssl -tokio-openssl = { version="0.1", optional = true } +openssl = { version="0.10", optional = true } +tokio-openssl = { version="0.2", optional = true } [dependencies.actix] version = "^0.4.5" -[dependencies.openssl] -version = "0.9" -optional = true - [dev-dependencies] env_logger = "0.5" reqwest = "0.8" @@ -93,7 +90,6 @@ version_check = "0.1" [profile.release] lto = true opt-level = 3 -# debug = true [workspace] members = [ diff --git a/examples/tls/Cargo.toml b/examples/tls/Cargo.toml index 024d7fc1..4d227c7c 100644 --- a/examples/tls/Cargo.toml +++ b/examples/tls/Cargo.toml @@ -12,3 +12,4 @@ path = "src/main.rs" env_logger = "0.5" actix = "^0.4.2" actix-web = { path = "../../", features=["alpn"] } +openssl = { version="0.10", features = ["v110"] } diff --git a/examples/tls/cert.pem b/examples/tls/cert.pem new file mode 100644 index 00000000..159aacea --- /dev/null +++ b/examples/tls/cert.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFPjCCAyYCCQDvLYiYD+jqeTANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMRAwDgYDVQQKDAdDb21wYW55MQww +CgYDVQQLDANPcmcxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xODAxMjUx +NzQ2MDFaFw0xOTAxMjUxNzQ2MDFaMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD +QTELMAkGA1UEBwwCU0YxEDAOBgNVBAoMB0NvbXBhbnkxDDAKBgNVBAsMA09yZzEY +MBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEA2WzIA2IpVR9Tb9EFhITlxuhE5rY2a3S6qzYNzQVgSFggxXEPn8k1 +sQEcer5BfAP986Sck3H0FvB4Bt/I8PwOtUCmhwcc8KtB5TcGPR4fjXnrpC+MIK5U +NLkwuyBDKziYzTdBj8kUFX1WxmvEHEgqToPOZfBgsS71cJAR/zOWraDLSRM54jXy +voLZN4Ti9rQagQrvTQ44Vz5ycDQy7UxtbUGh1CVv69vNVr7/SOOh/Nw5FNOZWLWr +odGyoec5wh9iqRZgRqiTUc6Lt7V2RWc2X2gjwST2UfI+U46Ip3oaQ7ZD4eAkoqND +xdniBZAykVG3c/99ux4BAESTF8fsNch6UticBxYMuTu+ouvP0psfI9wwwNliJDmA +CRUTB9AgRynbL1AzhqQoDfsb98IZfjfNOpwnwuLwpMAPhbgd5KNdZaIJ4Hb6/stI +yFElOExxd3TAxF2Gshd/lq1JcNHAZ1DSXV5MvOWT/NWgXwbIzUgQ8eIi+HuDYX2U +UuaB6R8tbd52H7rbUv6HrfinuSlKWqjSYLkiKHkwUpoMw8y9UycRSzs1E9nPwPTO +vRXb0mNCQeBCV9FvStNVXdCUTT8LGPv87xSD2pmt7LijlE6mHLG8McfcWkzA69un +CEHIFAFDimTuN7EBljc119xWFTcHMyoZAfFF+oTqwSbBGImruCxnaJECAwEAATAN +BgkqhkiG9w0BAQsFAAOCAgEApavsgsn7SpPHfhDSN5iZs1ILZQRewJg0Bty0xPfk +3tynSW6bNH3nSaKbpsdmxxomthNSQgD2heOq1By9YzeOoNR+7Pk3s4FkASnf3ToI +JNTUasBFFfaCG96s4Yvs8KiWS/k84yaWuU8c3Wb1jXs5Rv1qE1Uvuwat1DSGXSoD +JNluuIkCsC4kWkyq5pWCGQrabWPRTWsHwC3PTcwSRBaFgYLJaR72SloHB1ot02zL +d2age9dmFRFLLCBzP+D7RojBvL37qS/HR+rQ4SoQwiVc/JzaeqSe7ZbvEH9sZYEu +ALowJzgbwro7oZflwTWunSeSGDSltkqKjvWvZI61pwfHKDahUTmZ5h2y67FuGEaC +CIOUI8dSVSPKITxaq3JL4ze2e9/0Lt7hj19YK2uUmtMAW5Tirz4Yx5lyGH9U8Wur +y/X8VPxTc4A9TMlJgkyz0hqvhbPOT/zSWB10zXh0glKAsSBryAOEDxV1UygmSir7 +YV8Qaq+oyKUTMc1MFq5vZ07M51EPaietn85t8V2Y+k/8XYltRp32NxsypxAJuyxh +g/ko6RVTrWa1sMvz/F9LFqAdKiK5eM96lh9IU4xiLg4ob8aS/GRAA8oIFkZFhLrt +tOwjIUPmEPyHWFi8dLpNuQKYalLYhuwZftG/9xV+wqhKGZO9iPrpHSYBRTap8w2y +1QU= +-----END CERTIFICATE----- diff --git a/examples/tls/identity.pfx b/examples/tls/identity.pfx deleted file mode 100644 index ac69a0289672f555f18dbcab871c7edde0845c14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4101 zcmV+g5c=;hf)D`$0Ru3C561=xDuzgg_YDCD0ic2pxCDX^v@n7XurPuJ=LQKXhDe6@ z4FLxRpn?V1FoFft0s#Opf(6Y62`Yw2hW8Bt2LUh~1_~;MNQUitMs z1Sq+50s;sCfPw{}<#X+T_wRMWeQDK0E}M>U7Lb3ZdgD@8y}opCzFWj5KGdMxof%CJz46GvRpEF}U%J9)s~gZ8&DS}z61t(6i>!fc--h~jb$cDvRU zGoF2AL@mg>L@1{6-ratdjmN8il0ks94GzXdOgQGhIK#e$6#Y8Bj{W6eekebHL9B6Z zTAO+ohol+!k`ZfL=eX) z+bf}!yS6F%DdMI)xgHT<8xs%XV2AY@%6XTJdK$bf7ujrMcdB%<6!*-q+i<^%NxPc` z?qlODfVLp)^}^EWKUV1*Yp^e=MkdZbI27Y$Ti2P*A};*|TNmRJNfx&3hRCtMOgx>z z2cwsx8nYwO2VnDSbli{67AFr{FTR0ZD0fKCZ8 z;m8&dlz*hRkm!jzAnif!<6-F^IwrJZcms5(F)3=Q3URTqr|ZQK2Qkz2=E5LYDp
>TH6JOpl_YGLj13;m-9ACQ-$ z6;ZkcEq;Y{Un?c{pGaD-()ajm*l%?92_8@)@iKVQHOA>? zDM*7HCI#?_kUAvAhSP^4#sXOAc?&~5vI0F6M*T649Fuw}9}W7`-QyxHNF|U3*%%*vJE{#>)3U3&?L=!8=+DUU2eP{Nkq=(9TgPn#U_? zTvP^+b$ylLER66a@(;~RM7)voNEN$mSDrwi$4~Od(H_mgM(_E$GSCczXehp*@%dN_ zU=ogwOhi02&?AzVmZzM$dlt7NNyPG?`A+nlvDdce7UHKjNQgN)6LvB{R7TST9Na9+ zbm>B!F+R5x?8g8faSCF}xxvy39=?9!25J{B8AkaSQFx%Z>ykB&LNQUj+paHMUaB3{E8fc!njdOCOUGGhvW zq&$R~RjP42F5m%-8>L9*sQiSg`0r}F-Qu<8w~)LxPE>nT2T*IP8FahFm4d&>blSqW z2q3~TwmmM`Kewh|6hG)OI-YA}Dz91RfULW$)X)O`SgInavdp|UEl%M%X&M&x{dAD9`V;EZtOdkQjgITyC9VsS^J=su$mUp8A*3I{?U+&ZbIQi>+=h2Gbm7 zpJB6p8XreR&16(o*?1tUEMRRML}t3lGu{k}`96c=@_@dVUwAB>h-k8J)_mil(Kcp> z_%Li#w_pNmaItJbGd9U00G+9=C*l8CD&~q%GH(<4uXqiH;yR^OOy^>PMu*c$CMsxT z_v{wi7QOLpGNmn3^<3muv-qD{AvMN$JpZvIuvKUD^ft48XhdV0I!3nf*Vlykz&KcH z*-dP<&tWuc0*aY&mT(H-BK*}lMG9#)c2Ii-9!&IK^tJ!9eOpl2V|b-$R(HMSjUu z$v^(uq7V?lRm^rq-dIw$L>dAc?*KvgyCk?R;f7^`3}Qsx3g~j*A*erFvgU1@W7hi` zAz1X*o8)zh3l@dDfqz-*+xcfT+p#1MkLF5p#2j>K2r5$cbG#wqb?zR{taYu0b-4-J z;7S`h<<>TUl`^NZX_C%`8iPqrW3zk(PLhu4UxAL7jaaqR802T(d^55DQ*Hbi2$UEO zlp9)>QsV!GG!-)k2EFigl(PPuc<}ahzV82Om2$yIN@W&qy8T^VCX5B;6>yr8G^L{m z-j}_-uyYkyxxObR=oV`D3OU zc__m4gDt7O$Ab6gXMa(EuJk#~3YGAr4~6^J10A+i&sp^RyxLIe-(BzB2arAG_;U*7 z95N7y%?aYrD!UQt6$>qQb{Q7Y(1Y7;Q!_}xCv0FC%lWi6yg6{%v&G)~?yqp+!M|u9 z)OXIT9#25=;?bA)^|wUb-;!LE(%n{$($#I7f-yPb!*uNE5ib~kkcZk}dK&MNAuI`)#ly0C6?0pz z+z7Y#?!?hLK_E$E9@XMvwv7OHA}IzEq_+prn&Y+)v_X--%F7)UZS{t+PAgdtl%`}C zX%eX-1YViZY<7F`iv?%7%6NZyRT^M#IHlUo&}M$coE$WIt$nsyB*d(QUl?7>uYxBJ zw45ZNrxmKWa6!LRUL~ir@|#A_D_u=;+}`_6h1F9q#xuFeac+Q(tAUCg%YP2CcKbx1 z=8UF`!6zqNKyN`BDjC(7bgQ!055l9rORD6mdzwZ5Ae;sz3yXl^QcmijOMWR3PdcNj zv3U92bU+lkQ;lIK$}~)g%}cfeddP@V{r9QZU8g;7xK?FC*eCD@c}MuM!B~m%nN?)> zmByxBfWA?!!qHh4}=J@_ZTWO()T3yi|T|hbcmP90X zMGKOn!LQt<$bIXzwOZN{JvW8|*NUR*?{Z>bE2E@8bjgN8pqs2utw5r!Arl7+O#jkK zL?&G2SxC3w)10NAn8&rOZkxTb?p)({`&wQ`g0TJ*N)^z!(CN%6aN!DyoQ^vVNVK!H z4D-nTGNAHROL{4oVgZuxS~(ovbGx^@3n8)>G93Pkm!=uVKQLl1#?fe8(RZOvJav4N zQp71+ZEAW<27AVq2tH6t^Yt4g2-CjR<^IX@V~=hcXO`vb_(Z5#HzuUb&zaTzbjd;W z2&vr;pl(nLqjPP-+JHR8pQRQNyHs#g!6_{YW}Ly0z&@LLCHn{OP-S7n=M~YN3~@jY zs|RcU`0gwwlhNuxXb)GZ^?Oh)WM`%PJ`VT35U%f!-xz?%d5>V$8r~HYd5i|X;ghR& znCL%d$CFY^$}7BRMtZ(N%oJjM6VI;=$Z;kg5;v}EY}(?Zq`QWkcx_kHMujKA1WMse z+sgk`PC*@^YKZc8y!-NU4&=F*?4b%8xi2(aK5=AI{)jtNzc>>!|3RyHduMMtChroh z9eE5+?@xZ+i|z|WqmOtUqSE<7Gd7iR4gk2;$Cs7#37-292-7%!y&1RI;qphuY|IqQ zYZdk)`hfxNPhpu@u_^CY&MKW7`=XW&0#@V}AsMRO!4!YbQ~dy@#(<#SD%8)Y4BHih zQbVr!V{QTpci2?S*2Xa Result { fn main() { if ::std::env::var("RUST_LOG").is_err() { - ::std::env::set_var("RUST_LOG", "actix_web=trace"); + ::std::env::set_var("RUST_LOG", "actix_web=info"); } let _ = env_logger::init(); let sys = actix::System::new("ws-example"); - let mut file = File::open("identity.pfx").unwrap(); - let mut pkcs12 = vec![]; - file.read_to_end(&mut pkcs12).unwrap(); - let pkcs12 = Pkcs12::from_der(&pkcs12).unwrap().parse("12345").unwrap(); + // load ssl keys + let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap(); + builder.set_private_key_file("key.pem", SslFiletype::PEM).unwrap(); + builder.set_certificate_chain_file("cert.pem").unwrap(); let addr = HttpServer::new( || Application::new() @@ -44,7 +43,7 @@ fn main() { .body(Body::Empty) }))) .bind("127.0.0.1:8443").unwrap() - .start_ssl(&pkcs12).unwrap(); + .start_ssl(builder).unwrap(); println!("Started http server: 127.0.0.1:8443"); let _ = sys.run(); diff --git a/guide/src/qs_13.md b/guide/src/qs_13.md index c6db174b..d0d79497 100644 --- a/guide/src/qs_13.md +++ b/guide/src/qs_13.md @@ -12,24 +12,26 @@ With enable `alpn` feature `HttpServer` provides ```toml [dependencies] -actix-web = { git = "https://github.com/actix/actix-web", features=["alpn"] } +actix-web = { version = "0.3.3", features=["alpn"] } +openssl = { version="0.10", features = ["v110"] } ``` ```rust,ignore use std::fs::File; use actix_web::*; +use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype}; fn main() { - let mut file = File::open("identity.pfx").unwrap(); - let mut pkcs12 = vec![]; - file.read_to_end(&mut pkcs12).unwrap(); - let pkcs12 = Pkcs12::from_der(&pkcs12).unwrap().parse("12345").unwrap(); + // load ssl keys + let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap(); + builder.set_private_key_file("key.pem", SslFiletype::PEM).unwrap(); + builder.set_certificate_chain_file("cert.pem").unwrap(); HttpServer::new( || Application::new() .resource("/index.html", |r| r.f(index))) .bind("127.0.0.1:8080").unwrap(); - .serve_ssl(pkcs12).unwrap(); + .serve_ssl(builder).unwrap(); } ``` diff --git a/src/server/srv.rs b/src/server/srv.rs index 16c7e34c..e000c2f0 100644 --- a/src/server/srv.rs +++ b/src/server/srv.rs @@ -21,9 +21,7 @@ use native_tls::TlsAcceptor; use tokio_tls::TlsStream; #[cfg(feature="alpn")] -use openssl::ssl::{SslMethod, SslAcceptorBuilder}; -#[cfg(feature="alpn")] -use openssl::pkcs12::ParsedPkcs12; +use openssl::ssl::{AlpnError, SslAcceptorBuilder}; #[cfg(feature="alpn")] use tokio_openssl::SslStream; @@ -401,23 +399,25 @@ impl HttpServer, net::SocketAddr, H, /// Start listening for incoming tls connections. /// /// This method sets alpn protocols to "h2" and "http/1.1" - pub fn start_ssl(mut self, identity: &ParsedPkcs12) -> io::Result> { + pub fn start_ssl(mut self, mut builder: SslAcceptorBuilder) -> io::Result> + { if self.sockets.is_empty() { Err(io::Error::new(io::ErrorKind::Other, "No socket addresses are bound")) } else { + // alpn support + builder.set_alpn_protos(b"\x02h2\x08http/1.1")?; + builder.set_alpn_select_callback(|_, protos| { + const H2: &[u8] = b"\x02h2"; + if protos.windows(3).any(|window| window == H2) { + Ok(b"h2") + } else { + Err(AlpnError::NOACK) + } + }); + + let acceptor = builder.build(); let addrs: Vec<(net::SocketAddr, net::TcpListener)> = self.sockets.drain().collect(); let settings = ServerSettings::new(Some(addrs[0].0), &self.host, false); - let acceptor = match SslAcceptorBuilder::mozilla_intermediate( - SslMethod::tls(), &identity.pkey, &identity.cert, &identity.chain) - { - Ok(mut builder) => { - match builder.set_alpn_protocols(&[b"h2", b"http/1.1"]) { - Ok(_) => builder.build(), - Err(err) => return Err(io::Error::new(io::ErrorKind::Other, err)), - } - }, - Err(err) => return Err(io::Error::new(io::ErrorKind::Other, err)) - }; let workers = self.start_workers(&settings, &StreamHandlerType::Alpn(acceptor)); // start acceptors threads