Skip to content

Refactor TLS API#388

Draft
sagebind wants to merge 15 commits intomasterfrom
tls-api-refactor
Draft

Refactor TLS API#388
sagebind wants to merge 15 commits intomasterfrom
tls-api-refactor

Conversation

@sagebind
Copy link
Copy Markdown
Owner

@sagebind sagebind commented Apr 21, 2022

Refactor the API for SSL/TLS configuration. This accounts for the fact that the TLS engine can vary (as rustls is now an option) and corrects some confusing parts of the API that don't always make sense.

@sagebind
Refactor TLS API
9ea8ffb 
Refactor the API for SSL/TLS configuration. This accounts for the fact that the TLS engine can vary (as rustls is now an option) and corrects some confusing parts of the API that don't always make sense.
@sagebind sagebind added this to the 2.0.0 milestone Apr 28, 2022
@codecov
Copy link
Copy Markdown

codecov bot commented Jul 16, 2022
edited
Loading

Codecov Report

Base: 52.99% // Head: 52.42% // Decreases project coverage by -0.56% ⚠️

Coverage data is based on head (c39f6f8) compared to base (096aff7).
Patch coverage: 28.15% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #388      +/-   ##
==========================================
- Coverage   52.99%   52.42%   -0.57%     
==========================================
  Files          56       59       +3     
  Lines        5831     5951     +120     
==========================================
+ Hits         3090     3120      +30     
- Misses       2741     2831      +90
Impacted Files Coverage Δ
src/auth.rs 76.66% <0.00%> (ø)
src/config/proxy.rs 100.00% <ø> (ø)
src/error.rs 44.68% <0.00%> (+0.18%) ⬆️
tests/tls.rs 0.00% <0.00%> (ø)
src/tls/identity.rs 11.53% <11.53%> (ø)
src/tls/roots.rs 22.53% <22.53%> (ø)
src/tls/mod.rs 35.92% <35.92%> (ø)
src/config/mod.rs 69.33% <45.45%> (-4.50%) ⬇️
src/config/request.rs 71.05% <50.00%> (-2.56%) ⬇️
src/lib.rs 17.83% <50.00%> (+0.45%) ⬆️
... and 8 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

Xuanwo
Xuanwo reviewed Aug 19, 2022
View reviewed changes
Comment thread src/config/mod.rs
/// ))
/// let response = Request::get("https://badssl.com")
/// .tls_config(TlsConfig::builder()
/// .danger_accept_invalid_certs(true)
Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm thinking about adding enable alike API:

.danger_accept_invalid_certs()

Or add API like accept_invalid_certs() but under inside feature insecure_tls?

Comment thread src/tls/mod.rs

// If an empty list is provided, reset to default. Otherwise build up a
// string in curl format containing the cipher names.
if let Some(first) = iter.next() {
Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the different with ciphers.into_iter().join(":")?

Copy link
Copy Markdown
Owner Author

@sagebind sagebind Aug 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When an empty list is provided, we're simply not setting any ciphers, and allowing the TLS engine to choose whichever ciphers they think is best. If we actually set it to an empty list though, some TLS engines will interpret this as, "No ciphers are allowed" and basically reject all connections.

Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 20, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about:

self.ciphers = Some(ciphers.into_iter().join(":")).filter(|v|!v.is_empty());

Looks nicer to me.

Comment thread src/tls/mod.rs Outdated
Comment on lines +260 to +262
/// Disables all server certificate validation.
///
/// By default this is enabled.
Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confusing docs.

Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To my understanding: This functions is used to enable invalid certs. And it's disabled by default.

Comment thread src/tls/mod.rs
Comment thread src/tls/roots.rs

#[derive(Clone, Debug)]
enum StoreImpl {
NoOp,
Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need docs for the difference between NoOp and Unset.

Comment thread tests/tls.rs
#[test]
#[cfg_attr(not(feature = "online-tests"), ignore)]
fn accept_expired_cert() {
Request::get("https://expired.badssl.com")
Copy link
Copy Markdown

@Xuanwo Xuanwo Aug 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, nice. It's the first time for me to know this website. Lessons learnt.

bytedream
bytedream suggested changes Nov 4, 2022
View reviewed changes
Comment thread src/config/request.rs Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@Xuanwo Xuanwo Xuanwo left review comments

@bytedream bytedream bytedream requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@sagebind @Xuanwo @bytedream