feat(transport): TCP-TLS#94

Merged
mempirate merged 6 commits into main from lore/feat/mtls
Nov 17, 2025
Conversation

@thedevbirb
Contributor

Closes #92.

The code is unaware of whether mTLS is enabled or not; that is configured in the TLS acceptors/connectors provided.

@thedevbirb
Contributor Author

I'd like to add an example in the examples folder, but that would be a complete duplicate of the explanatory integration test provided. Any suggestion?

Comment on lines +120 to +122
acceptor_builder.set_verify(
openssl::ssl::SslVerifyMode::PEER | openssl::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT,
);
Contributor

It would be nice to offer this stuff as some easy-to-set-up options on the server and the client in a follow-up, like tcp_tls::config::Server::default().enable_mtls() etc.

Contributor

@Karrq Karrq left a comment

Can't say much about the overall functionality in the scope of the lib yet, but left some "style" comments.

let mut acceptor_builder = helpers::default_acceptor_builder();
// By specifying peer verification mode, we essentially toggle mTLS.
acceptor_builder.set_verify(
openssl::ssl::SslVerifyMode::PEER | openssl::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT,
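Review bot: the comment above set_verify should say what the client certificate is verified against, because PEER | FAIL_IF_NO_PEER_CERT only makes presenting a client certificate mandatory; the trust store the certificate is checked against comes from helpers::default_acceptor_builder() (or OpenSSL's defaults) and is not visible in these lines. Suggest rewording to something like "// Require a client certificate and verify it against the CA configured in default_acceptor_builder()", so a reader of this file knows where the trust anchor lives, and having the integration test mentioned in the description cover the rejection of a client certificate that is not signed by that CA, not only the missing-certificate case.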
Contributor

For abstracting between TLS backends we might want to expose a method to enable mTLS, and have it manage how that's done in openssl and rustls.

@Karrq
Contributor

Karrq commented Nov 17, 2025

IIRC rustdoc includes links to examples (and doc tests) if it finds the usage in the example code, so it can double as an example and also a doc test.

Contributor

@mempirate mempirate left a comment

This works as a first iteration. What would be nice to add later:

  • Easily configurable servers and clients for dangerous authentication (skipping server cert verification) and client authentication. Basically, stuff that wraps SslAcceptor and SslConnector configuration.
  • #97

Also, I think we could feature-gate TLS as well, since building it requires openssl to be installed. It could be enabled by default.

@mempirate
Contributor

Also, I don't mind copied code if it can serve as an example @thedevbirb

@thedevbirb thedevbirb force-pushed the lore/feat/mtls branch 2 times, most recently from 9a9d063 to e71c543 on November 17, 2025 11:42
@mempirate mempirate merged commit 3e280aa into main Nov 17, 2025
9 checks passed
@mempirate mempirate deleted the lore/feat/mtls branch November 17, 2025 12:16
Development

Successfully merging this pull request may close these issues.

feat(transport): TLS/mTLS support over TCP

3 participants