Default TLS server builder has no with_cert_resolver
Opened this issue · 3 comments
Problem:
`s2n_quic::provider::tls::default::server::Builder` does not have an equivalent of `.with_cert_resolver` on the rustls counterpart.
In #2173 (comment):

> the best way to have a stable interface to integrate with is to use the TLS provider builders (client and server) that wrap the rustls implementation, rather than the re-exported rustls. If there are configuration options you need that are not provided in these builders, please open an issue and we will be happy to consider adding the functionality.
Solution:
IDK...
Requirements / Acceptance Criteria:
I used the rustls builder to support dynamically updating a rotated certificate, and to choose different certificates based on the SNI server name in ClientHello messages. The current `with_cert_resolver` is a callback-style API; I'm okay with keeping this style, or we can also introduce a "certificate store" that can be updated and is able to contain multiple certificates associated with different domain names. My use case currently does not involve wildcard certificates, so a hashmap is enough, but maybe others would need more complex logic.
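As an added illustration of the "certificate store" shape described above (this is example code written for this page, not s2n-quic or rustls code), the block below keeps an SNI-keyed map of certificates that can be swapped out atomically on rotation, and resolves a ClientHello by exact name, then single-label wildcard, then a default. It deliberately uses the standard library only: the `ResolvesServerCert` trait, `ClientHello` and `CertifiedKey` types are local stand-ins that mirror the shape of rustls's `ResolvesServerCert::resolve(&self, ClientHello) -> Option<Arc<CertifiedKey>>`, so the example compiles without any crate dependency; the names of the stand-ins and the hypothetical `rotate` entry format are assumptions, not an API either project provides.

```rust
// Added example (not s2n-quic or rustls code): an SNI-keyed certificate store
// with atomic rotation. The trait and types below are local stand-ins that
// mirror the shape of rustls's ResolvesServerCert so this compiles std-only.
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Stand-in for rustls::sign::CertifiedKey (assumption: the real one carries
/// the DER chain and a signing key; a label is enough to observe selection).
#[derive(Debug, PartialEq)]
pub struct CertifiedKey {
    pub label: String,
}

/// Stand-in for the SNI view of a rustls ClientHello.
pub struct ClientHello<'a> {
    pub server_name: Option<&'a str>,
}

/// Local stand-in for rustls::server::ResolvesServerCert.
pub trait ResolvesServerCert: Send + Sync {
    fn resolve(&self, hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>>;
}

/// Immutable snapshot: exact hostnames, wildcard entries keyed by the parent
/// domain ("example.com" for "*.example.com"), and an optional default.
#[derive(Default)]
struct Snapshot {
    exact: HashMap<String, Arc<CertifiedKey>>,
    wildcard: HashMap<String, Arc<CertifiedKey>>,
    default: Option<Arc<CertifiedKey>>,
}

/// Updatable store: rotation replaces the whole snapshot under a write lock,
/// so a handshake in flight never observes a half-updated map.
pub struct CertStore {
    current: RwLock<Arc<Snapshot>>,
}

/// Normalise an SNI name for matching: lowercase, no trailing dot.
fn normalise(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

impl CertStore {
    pub fn new() -> Self {
        CertStore { current: RwLock::new(Arc::new(Snapshot::default())) }
    }

    /// Build a fresh snapshot from (name, key) pairs and swap it in atomically.
    /// A name starting with "*." is a wildcard entry; None sets the default.
    /// (Entry format is an assumption of this example.)
    pub fn rotate(&self, entries: Vec<(Option<&str>, CertifiedKey)>) {
        let mut snap = Snapshot::default();
        for (name, key) in entries {
            let key = Arc::new(key);
            match name {
                None => snap.default = Some(key),
                Some(n) => {
                    let n = normalise(n);
                    if let Some(parent) = n.strip_prefix("*.") {
                        snap.wildcard.insert(parent.to_string(), key);
                    } else {
                        snap.exact.insert(n, key);
                    }
                }
            }
        }
        *self.current.write().unwrap() = Arc::new(snap);
    }
}

impl ResolvesServerCert for CertStore {
    fn resolve(&self, hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
        // Clone the Arc so the read lock is released before any work.
        let snap = Arc::clone(&self.current.read().unwrap());
        let name = match hello.server_name {
            Some(n) => normalise(n),
            None => return snap.default.clone(),
        };
        if let Some(k) = snap.exact.get(&name) {
            return Some(Arc::clone(k));
        }
        // A wildcard matches exactly one leftmost label (RFC 6125 s6.4.3):
        // "*.example.com" covers "a.example.com" but not "a.b.example.com".
        if let Some((_, parent)) = name.split_once('.') {
            if let Some(k) = snap.wildcard.get(parent) {
                return Some(Arc::clone(k));
            }
        }
        snap.default.clone()
    }
}
```

Because `rotate` builds a complete new snapshot before swapping it in, a reload that fails halfway (for example, an unreadable key file in a real deployment) can simply be abandoned and the previous snapshot keeps serving; the resolver also never holds the lock across the lookup, so rotation cannot stall handshakes.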
@XeCycle We are currently discussing how best we can provide rustls support going forward. Thank you for your patience and sorry for the inconvenience.
Similarly, it would be nice to have access to `dangerous`-style things like Rustls exposes, namely custom certificate verifiers. We would like this to support behavior similar to `curl -k`.
We'll add some documentation on how to work with Rustls in s2n-quic.