feat(tls): extends ServerTlsConfig for optional KeyLogFile #893
Conversation
} | ||
|
||
/// Per session TLS secrets will be written to a file given by the SSLKEYLOGFILE environment variable. | ||
pub fn install_key_log_file(self, install_key_log_file: bool) -> Self { |
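Review bot: the parameter in `pub fn install_key_log_file(self, install_key_log_file: bool) -> Self` carries the same name as the method itself, which reads as shadowing at the call site; a name like `enable` would be clearer. The doc comment should also state the default (key logging off) and spell out what enabling does: per-session secrets written to the path in SSLKEYLOGFILE let anyone who can read that file decrypt captured traffic for those sessions, so callers need to know this belongs in debugging builds only. Mentioning that the sink is inert when SSLKEYLOGFILE is unset would make the behaviour predictable for operators.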
Is this something that is dangerous and we'd want to put behind a dangerous feature flag?
Why only support a single implementation of Or better yet, what about supporting providing an arbitrary |
Yeah I wonder if we should just copy the rustls struct and slap a non_exhaustive on it? |
@LucioFranco note that you can't actually build a |
@olix0r by take you mean expose it publicly in tonic? |
@LucioFranco probably? I'm not sure if it's worth providing a simplified abstraction over TLS configuration, given the finicky nature of TLS, unless the goal is to support multiple TLS implementations... |
@olix0r only reason I bring it up is we used to expose it but ended up removing it because we would be forced to release a new version of tonic for new versions of rustls which didn't seem ideal. I wonder if there is a better way forward by extracting the tls part to its own crate similar to what hyper does. There is a lot of overlap here since axum will also need to solve this. cc @davidpdrsn |
@LucioFranco another option might be to expose tonic-specific Acceptor/Connector traits with implementations for |
Yeah that is what I am leaning towards. Though I think there are some complications with acceptors that I outlined in this hyper issue. hyperium/hyper#2321 |
@LucioFranco the other benefit of that approach is that it could let us support multiple TLS implementations in an |
Yeah, I think that is the right solution....will be some work but probably worth it. Over actually moving over to axum. |
obsoleted by #968 |
Motivation
Tonic no longer allows setting Rustls config directly.
Solution
This PR starts down the road of adding piecemeal configurability to the Tonic TLS config, aiming to restore parity with the Rustls config from Tonic. In this instance it adds a setting to install KeyLogFile, reinstating the possibility of Wireshark TLS decryption.
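The mechanism behind the setting, as an added illustration that is not tonic's or rustls's code: a key-log sink writes one `LABEL client_random_hex secret_hex` line per TLS secret in the NSS key log format Wireshark reads, and stays completely inert unless SSLKEYLOGFILE names a file. The `KeyLog` trait shape, the `ServerTlsConfig` builder and the `install_key_log_file` signature below are assumptions made for this example (the real tonic and rustls APIs differ); the environment lookup is passed in explicitly so the behaviour can be exercised without touching process state.

```rust
use std::fs::{File, OpenOptions};
use std::io::{BufWriter, Write};
use std::sync::Mutex;

/// Shape of a key-log callback (assumption for this example, modelled on the
/// idea that the TLS stack calls `log` once per negotiated secret).
pub trait KeyLog: Send + Sync {
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
}

/// Default sink: discards everything, so no secret ever leaves the process.
pub struct NoKeyLog;

impl KeyLog for NoKeyLog {
    fn log(&self, _label: &str, _client_random: &[u8], _secret: &[u8]) {}
}

/// File sink in the NSS key log format: `<LABEL> <client_random hex> <secret hex>`.
pub struct KeyLogFile {
    file: Option<Mutex<BufWriter<File>>>,
}

impl KeyLogFile {
    /// Builds the sink from the value of SSLKEYLOGFILE (passed in by the caller).
    /// An unset or empty value, or an unopenable path, yields an inert sink.
    pub fn from_env_value(path: Option<&str>) -> Self {
        let file = path
            .filter(|p| !p.is_empty())
            .and_then(|p| OpenOptions::new().append(true).create(true).open(p).ok());
        KeyLogFile {
            file: file.map(|f| Mutex::new(BufWriter::new(f))),
        }
    }

    /// True only when a log file was actually opened.
    pub fn is_active(&self) -> bool {
        self.file.is_some()
    }
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// One NSS key log line, newline-terminated.
pub fn format_line(label: &str, client_random: &[u8], secret: &[u8]) -> String {
    format!("{} {} {}\n", label, hex(client_random), hex(secret))
}

impl KeyLog for KeyLogFile {
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]) {
        // Without an open file this is a no-op: nothing is buffered or written.
        if let Some(f) = &self.file {
            if let Ok(mut w) = f.lock() {
                let _ = w.write_all(format_line(label, client_random, secret).as_bytes());
                let _ = w.flush();
            }
        }
    }
}

/// Hypothetical builder mirroring the PR's `install_key_log_file` toggle.
pub struct ServerTlsConfig {
    key_log: Box<dyn KeyLog>,
}

impl ServerTlsConfig {
    /// Key logging is off by default.
    pub fn new() -> Self {
        ServerTlsConfig { key_log: Box::new(NoKeyLog) }
    }

    /// `ssl_key_log_file` is the SSLKEYLOGFILE value; `enable == false` keeps the inert sink.
    pub fn install_key_log_file(mut self, enable: bool, ssl_key_log_file: Option<&str>) -> Self {
        self.key_log = if enable {
            Box::new(KeyLogFile::from_env_value(ssl_key_log_file))
        } else {
            Box::new(NoKeyLog)
        };
        self
    }

    pub fn key_log(&self) -> &dyn KeyLog {
        self.key_log.as_ref()
    }
}

fn main() {
    // Stand-alone run: reads the real environment variable, as a TLS stack would.
    let env = std::env::var("SSLKEYLOGFILE").ok();
    let sink = KeyLogFile::from_env_value(env.as_deref());
    println!("key logging active: {}", sink.is_active());
    let cfg = ServerTlsConfig::new().install_key_log_file(true, env.as_deref());
    // Constructed sample values; a real stack passes the handshake's own bytes.
    cfg.key_log().log("CLIENT_RANDOM", &[0xab; 32], &[0x01; 48]);
}
```

With SSLKEYLOGFILE unset the sink opens nothing and `log` returns immediately, which is why the toggle alone is safe to ship; the secrets only reach disk when an operator deliberately points the variable at a file.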