tokio-rs/tokio-tls

Programmatic control over certificate validation

izolyomi opened this issue · 4 comments

I'm trying to use tokio-tls in a non-HTTP scenario with self-signed certificates, building a peer-to-peer connection. All I want is essentially a Diffie-Hellman key exchange and an encrypted channel. During the handshake I'd like to avoid the usual PKI trust chain and let peers decide programmatically if they trust the certificate of the other party.

To achieve this, the usual way is to provide a hook for a callback function where the certificate of the peer can be validated. In Java you can set a custom TrustManager while initializing your SslContext. Also, the rustls crate nicely supports this, like here: https://github.com/ctz/rustls/blob/master/examples/tlsclient.rs#L424, but I'd like the same thing in Tokio without blocking.

I've found no way to achieve this with tokio-tls. Is this possible somehow out of the box? If not, is it hard to add to the library?

aep commented

@izolyomi did you find a way to do that?

@aep Not yet, and my recent Stack Overflow post with the same question was also downvoted and closed because it didn't contain enough code for the moderator's taste. Fortunately I had more urgent things on my plate. Please let me know if you've found a way already.

I really admire the amazing work of @alexcrichton and others who created Futures/Tokio. It takes some learning curve to grab its essence first, but it was very usable even as 0.1. I feel it is lacking only at these rough edges, where the only choice is usually to understand the whole thing up to the last screw and do it yourself.

Silur commented

On non-Windows platforms, this library uses OpenSSL, which has SSL_CTX_set_verify; it provides the certificate and uses a callback function for manual verification. An example of this is libcurl's ssluse.c.
Would be nice to utilize this method in tokio-tls.
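The kind of application-level hook discussed in this thread, as an added example that is not part of tokio-tls, rustls or the comments above: a trust-on-first-use store whose `verify_peer` method has the shape of an OpenSSL verify callback (the library's own chain result plus the peer's DER certificate, returning accept/reject). The peer id, the `TofuStore` type and the DER byte strings are constructed for the example; a real hook would receive the certificate from the TLS library.

```rust
use std::collections::HashMap;

/// Decision returned by the application hook, mirroring the boolean an
/// OpenSSL verify callback returns (true = continue handshake).
#[derive(Debug, PartialEq, Clone)]
pub enum Verdict { Accept, Reject }

/// Trust-on-first-use store for self-signed peers (constructed for this
/// example): the first DER certificate seen for a peer id is pinned, and
/// every later connection from that peer must present exactly that DER.
pub struct TofuStore {
    pinned: HashMap<String, Vec<u8>>,
}

impl TofuStore {
    pub fn new() -> Self { TofuStore { pinned: HashMap::new() } }

    /// The hook the TLS layer would call instead of the PKI chain check.
    /// `preverify_ok` is what the library's own chain validation concluded;
    /// for self-signed peers it is normally false, so the decision here
    /// rests on the pin alone and the flag is deliberately ignored.
    pub fn verify_peer(&mut self, peer_id: &str, _preverify_ok: bool, cert_der: &[u8]) -> Verdict {
        match self.pinned.get(peer_id) {
            Some(known) if known.as_slice() == cert_der => Verdict::Accept,
            // A different certificate for a known peer is the case a pin
            // exists to catch (key rotation or an interposed party): refuse
            // and let the operator re-pin explicitly.
            Some(_) => Verdict::Reject,
            None => {
                self.pinned.insert(peer_id.to_string(), cert_der.to_vec());
                Verdict::Accept
            }
        }
    }

    /// Packages the store as a closure with the `(preverify_ok, der) -> bool`
    /// shape a verify-callback setter expects, bound to one peer id.
    pub fn into_callback(mut self, peer_id: String) -> impl FnMut(bool, &[u8]) -> bool {
        move |ok, der| self.verify_peer(&peer_id, ok, der) == Verdict::Accept
    }
}

fn main() {
    // Constructed stand-ins for DER-encoded certificates.
    let mut cb = TofuStore::new().into_callback("peer-a".to_string());
    println!("first contact accepted: {}", cb(false, b"constructed-der-A"));
    println!("changed cert accepted: {}", cb(false, b"constructed-der-B"));
}
```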

This repository is deprecated. If this is still an issue, I would recommend re-opening it on https://github.com/tokio-rs/tokio.