Struct rustls::server::server_conn::ServerConfig

source ·
pub struct ServerConfig {
Show 14 fields pub(super) cipher_suites: Vec<SupportedCipherSuite>, pub(super) kx_groups: Vec<&'static SupportedKxGroup>, pub ignore_client_order: bool, pub max_fragment_size: Option<usize>, pub session_storage: Arc<dyn StoresServerSessions + Send + Sync>, pub ticketer: Arc<dyn ProducesTickets>, pub cert_resolver: Arc<dyn ResolvesServerCert>, pub alpn_protocols: Vec<Vec<u8>>, pub(super) versions: EnabledVersions, pub(super) verifier: Arc<dyn ClientCertVerifier>, pub key_log: Arc<dyn KeyLog>, pub max_early_data_size: u32, pub send_half_rtt_data: bool, pub send_tls13_tickets: usize,
}
Expand description

Common configuration for a set of server sessions.

Making one of these is cheap, though one of the inputs may be expensive: gathering trust roots from the operating system to add to the RootCertStore passed to a ClientCertVerifier builder may take on the order of a few hundred milliseconds.

These must be created via the ServerConfig::builder() function.

§Defaults

Fields§

§cipher_suites: Vec<SupportedCipherSuite>

List of ciphersuites, in preference order.

§kx_groups: Vec<&'static SupportedKxGroup>

List of supported key exchange groups.

The first is the highest priority: they will be offered to the client in this order.

§ignore_client_order: bool

Ignore the client’s ciphersuite order. Instead, choose the top ciphersuite in the server list which is supported by the client.

§max_fragment_size: Option<usize>

The maximum size of TLS message we’ll emit. If None, we don’t limit TLS message lengths except to the 2**16 limit specified in the standard.

rustls enforces an arbitrary minimum of 32 bytes for this field. Out of range values are reported as errors from ServerConnection::new.

Setting this value to the TCP MSS may improve latency for stream-y workloads.

§session_storage: Arc<dyn StoresServerSessions + Send + Sync>

How to store client sessions.

§ticketer: Arc<dyn ProducesTickets>

How to produce tickets.

§cert_resolver: Arc<dyn ResolvesServerCert>

How to choose a server cert and key.

§alpn_protocols: Vec<Vec<u8>>

Protocol names we support, most preferred first. If empty we don’t do ALPN at all.

§versions: EnabledVersions

Supported protocol versions, in no particular order. The default is all supported versions.

§verifier: Arc<dyn ClientCertVerifier>

How to verify client certificates.

§key_log: Arc<dyn KeyLog>

How to output key material for debugging. The default does nothing.

§max_early_data_size: u32

Amount of early data to accept for sessions created by this config. Specify 0 to disable early data. The default is 0.

Read the early data via ServerConnection::early_data.

The units for this are both plaintext bytes, and ciphertext bytes, depending on whether the server accepts a client’s early_data or not. It is therefore recommended to include some slop in this value to account for the unknown amount of ciphertext expansion in the latter case.

§send_half_rtt_data: bool

Whether the server should send “0.5RTT” data. This means the server sends data after its first flight of handshake messages, without waiting for the client to complete the handshake.

This can improve TTFB latency for either server-speaks-first protocols, or client-speaks-first protocols when paired with “0RTT” data. This comes at the cost of a subtle weakening of the normal handshake integrity guarantees that TLS provides. Note that the initial ClientHello is indirectly authenticated because it is included in the transcript used to derive the keys used to encrypt the data.

This only applies to TLS1.3 connections. TLS1.2 connections cannot do this optimisation and this setting is ignored for them. It is also ignored for TLS1.3 connections that even attempt client authentication.

This defaults to false. This means the first application data sent by the server comes after receiving and validating the client’s handshake up to the Finished message. This is the safest option.

§send_tls13_tickets: usize

How many TLS1.3 tickets to send immediately after a successful handshake.

Because TLS1.3 tickets are single-use, this allows a client to perform multiple resumptions.

The default is 4.

If this is 0, no tickets are sent and clients will not be able to do any resumption.

Implementations§

source§

impl ServerConfig

source

pub fn builder() -> ConfigBuilder<Self, WantsCipherSuites>

Create builder to build up the server configuration.

For more information, see the ConfigBuilder documentation.

source

pub(crate) fn supports_version(&self, v: ProtocolVersion) -> bool

We support a given TLS version if it’s quoted in the configured versions and at least one ciphersuite for this version is also configured.

Trait Implementations§

source§

impl Clone for ServerConfig

source§

fn clone(&self) -> ServerConfig

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for ServerConfig

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl ConfigSide for ServerConfig

source§

impl Sealed for ServerConfig

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

source§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

source§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.