TSL support #584
Merged
TSL support #584
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…m server with timeouts Two levels of wrappers for the Axum server: Custom (with timeouts) -> axum-server -> axum
Closed
- Use axum-server isntead of directly the axum crate (like in the tracker). - Add wrapper to axum-server to enable timeouts.
…oml file
```toml
[net]
port = 3001
[net.tsl]
ssl_cert_path = "./storage/index/lib/tls/localhost.crt"
ssl_key_path = "./storage/index/lib/tls/localhost.key"
```
```json
{
"net": {
"port": 3001,
"tsl": {
"ssl_cert_path": "./storage/index/lib/tls/localhost.crt",
"ssl_key_path": "./storage/index/lib/tls/localhost.key"
}
}
}
```
The TSL configuration is optional, but if you have that table (dict), it must contain the fields. This is an invalid configuration:
```
[net.tsl]
ssl_cert_path = ""
ssl_key_path = ""
```
See torrust/torrust-tracker#853.
You can provide a certificate and certificate key files to run the API with HTTPs.
Member
Author
|
I can run the API with a self-signed certificate as described in:
However, I can't load any page. With * Trying 127.0.0.1:3001...
* Connected to localhost (127.0.0.1) port 3001 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numberWith Firefox:
I've tried with these files:
Generated with: And also with certificates from https://github.com/programatik29/axum-server/tree/master/examples/self-signed-certs:
This is an example from axum-server: I think I'm doing the same. @da2ce7 any idea? |
Member
Author
|
I made it work by commenting on the TimeoutAcceptor. It's a custom acceptor that introduces timeouts for the first client request after opening the HTTP connection. match tls {
Some(tls) => custom_axum::from_tcp_rustls_with_timeouts(socket, tls)
.handle(handle)
//.acceptor(TimeoutAcceptor)
.serve(router.into_make_service_with_connect_info::<std::net::SocketAddr>())
.await
.expect("API server should be running"),
None => custom_axum::from_tcp_with_timeouts(socket)
.handle(handle)
.acceptor(TimeoutAcceptor)
.serve(router.into_make_service_with_connect_info::<std::net::SocketAddr>())
.await
.expect("API server should be running"),
};I added this TimeAcceptor to the Tracker, but I did not check that the TSL worked fine. I have to open an issue there to check it. I will probably not work. I'm going to remove that |
Member
Author
|
ACK 5d9e068 |
This was referenced May 16, 2024
TSL does work with the TimeoutAccetor. How to enabled TSL for development with: ``` [net] port = 3001 [net.tsl] ssl_cert_path = "./storage/index/lib/tls/localhost.crt" ssl_key_path = "./storage/index/lib/tls/localhost.key" ``` You can fin the certificates in `./share/tsl`. This means there is no timeout for the first client request when you use TSL. The way to test tiemouts is: 1. Open a connection using telnet: `telnet 127.0.0.1 3001` 2. Wait 5 seconds. The connection should be closed after 5 seconds. That's what the TimeoutAcceptor does. Without the TimeoutAcceptor the connection will remain open until the client closes it.
josecelano
force-pushed
the
426-tls-support
branch
from
5d9e068 to
1afe234
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TSL support. Allow using HTTPs providing the cert and cert key.
TOML
JSON
{ "net": { "port": 3001, "tsl": { "ssl_cert_path": "./storage/index/lib/tls/localhost.crt", "ssl_key_path": "./storage/index/lib/tls/localhost.key" } } }The TSL configuration is optional, but if you have that toml table (
[net.tsl]), it must contain the fields. This is an invalid configuration:See torrust/torrust-tracker#853.
Subtasks