Improve TLS support

- Use builder pattern
- Support TLS on Mac/iOS/Windows as well as on Linux with OpenSSL
- Support not pinning the server certificate

Signed-off-by: Richard Whitehouse <richard.whitehouse@metaswitch.com>

Author: richardwhiuk

CHANGELOG.md

@@ -8,8 +8,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 
 ### Changed
-- Use hyper-openssl rather than hyper-tls
-- `https_connector` renamed `https_pinned_connector`
+- Use hyper-openssl on Linux, instead of hyper-tls
+- Use a builder pattern to created client connectors
+- Allow HTTPS connectors to be built which don't pin the server CA certificate
+- Allow HTTPS to work on Mac/Windows/iOS
+- Enforce that HTTPS is used if we are using a HTTPS connector.
 - Return Results, rather than unwrapping errors on client creation
 - openssl 0.10
 

Cargo.toml

@@ -32,4 +32,8 @@ chrono = "0.4.6"
 
 [target.'cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))'.dependencies]
 hyper-openssl = "0.7.1"
-openssl = "0.10.14"
+openssl = "0.10.28"
+
+[target.'cfg(any(target_os = "macos", target_os = "windows", target_os = "ios"))'.dependencies]
+hyper-tls = "0.4.1"
+native-tls = "0.2"

src/connector.rs

@@ -1,70 +1,144 @@
 //! Utility methods for instantiating common connectors for clients.
-use std::path::Path;
+#[cfg(any(target_os = "macos", target_os = "windows", target_os = "ios"))]
+use std::convert::From as _;
+#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+use std::path::{Path, PathBuf};
 
 use hyper;
 
-/// Returns a function which creates an http-connector. Used for instantiating
-/// clients with custom connectors
-pub fn http_connector() -> hyper::client::HttpConnector {
-    hyper::client::HttpConnector::new(4)
+/// HTTP Connector construction
+#[derive(Debug)]
+pub struct Connector;
+
+impl Connector {
+    /// Alows building a HTTP(S) connector. Used for instantiating clients with custom
+    /// connectors.
+    pub fn builder() -> Builder {
+        Builder { dns_threads: 4 }
+    }
 }
 
-/// Returns a function which creates an https-connector which is pinned to a specific
-/// CA certificate
-///
-/// # Arguments
-///
-/// * `ca_certificate` - Path to CA certificate used to authenticate the server
-#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-pub fn https_pinned_connector<CA>(
-    ca_certificate: CA,
-) -> Result<hyper_openssl::HttpsConnector<hyper::client::HttpConnector>, openssl::error::ErrorStack>
-where
-    CA: AsRef<Path>,
-{
-    // SSL implementation
-    let mut ssl = openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls())?;
+/// Builder for HTTP(S) connectors
+#[derive(Debug)]
+pub struct Builder {
+    dns_threads: usize,
+}
 
-    let ca_certificate = ca_certificate.as_ref().to_owned();
+impl Builder {
+    /// Configure the number of threads. Default is 4.
+    pub fn dns_threads(mut self, threads: usize) -> Self {
+        self.dns_threads = threads;
+        self
+    }
 
-    // Server authentication
-    ssl.set_ca_file(ca_certificate)?;
+    /// Use HTTPS instead of HTTP
+    pub fn https(self) -> HttpsBuilder {
+        HttpsBuilder {
+            dns_threads: self.dns_threads,
+            #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+            server_cert: None,
+            #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+            client_cert: None,
+        }
+    }
 
-    let mut connector = hyper::client::HttpConnector::new(4);
-    connector.enforce_http(false);
+    /// Build a HTTP connector
+    pub fn build(self) -> hyper::client::HttpConnector {
+        hyper::client::HttpConnector::new(self.dns_threads)
+    }
+}
 
-    hyper_openssl::HttpsConnector::<hyper::client::HttpConnector>::with_connector(connector, ssl)
+/// Builder for HTTPS connectors
+#[derive(Debug)]
+pub struct HttpsBuilder {
+    dns_threads: usize,
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    server_cert: Option<PathBuf>,
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    client_cert: Option<(PathBuf, PathBuf)>,
 }
 
-/// Returns a function which creates https-connectors for mutually authenticated connections.
-/// # Arguments
-///
-/// * `ca_certificate` - Path to CA certificate used to authenticate the server
-/// * `client_key` - Path to the client private key
-/// * `client_certificate` - Path to the client's public certificate associated with the private key
-#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-pub fn https_mutual_connector<CA, K, C>(
-    ca_certificate: CA,
-    client_key: K,
-    client_certificate: C,
-) -> Result<hyper_openssl::HttpsConnector<hyper::client::HttpConnector>, openssl::error::ErrorStack>
-where
-    CA: AsRef<Path>,
-    K: AsRef<Path>,
-    C: AsRef<Path>,
-{
-    // SSL implementation
-    let mut ssl = openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls())?;
-
-    // Server authentication
-    ssl.set_ca_file(ca_certificate)?;
-
-    // Client authentication
-    ssl.set_private_key_file(client_key, openssl::ssl::SslFiletype::PEM)?;
-    ssl.set_certificate_chain_file(client_certificate)?;
-    ssl.check_private_key()?;
-
-    let mut connector = hyper::client::HttpConnector::new(4);
-    connector.enforce_http(false);
-    hyper_openssl::HttpsConnector::<hyper::client::HttpConnector>::with_connector(connector, ssl)
+impl HttpsBuilder {
+    /// Configure the number of threads. Default is 4.
+    pub fn dns_threads(mut self, threads: usize) -> Self {
+        self.dns_threads = threads;
+        self
+    }
+
+    /// Pin the CA certificate for the server's certificate.
+    ///
+    /// # Arguments
+    ///
+    /// * `ca_certificate` - Path to CA certificate used to authenticate the server
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    pub fn pin_server<CA>(mut self, ca_certificate: CA) -> Self
+    where
+        CA: AsRef<Path>,
+    {
+        self.server_cert = Some(ca_certificate.as_ref().to_owned());
+        self
+    }
+
+    /// Provide the Client Certificate and Key for the connection for Mutual TLS
+    ///
+    /// # Arguments
+    ///
+    /// * `client_key` - Path to the client private key
+    /// * `client_certificate` - Path to the client's public certificate associated with the private key
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    pub fn client<K, C>(mut self, client_key: K, client_certificate: C) -> Self
+    where
+        K: AsRef<Path>,
+        C: AsRef<Path>,
+    {
+        self.client_cert = Some((
+            client_key.as_ref().to_owned(),
+            client_certificate.as_ref().to_owned(),
+        ));
+        self
+    }
+
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    /// Build the HTTPS connector. Will fail if the provided certificates/keys can't be loaded
+    /// or the SSL connector can't be created
+    pub fn build(
+        self,
+    ) -> Result<
+        hyper_openssl::HttpsConnector<hyper::client::HttpConnector>,
+        openssl::error::ErrorStack,
+    > {
+        // SSL implementation
+        let mut ssl = openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls())?;
+
+        if let Some(ca_certificate) = self.server_cert {
+            // Server authentication
+            ssl.set_ca_file(ca_certificate)?;
+        }
+
+        if let Some((client_key, client_certificate)) = self.client_cert {
+            // Client authentication
+            ssl.set_private_key_file(client_key, openssl::ssl::SslFiletype::PEM)?;
+            ssl.set_certificate_chain_file(client_certificate)?;
+            ssl.check_private_key()?;
+        }
+
+        let mut connector = hyper::client::HttpConnector::new(self.dns_threads);
+        connector.enforce_http(false);
+        hyper_openssl::HttpsConnector::<hyper::client::HttpConnector>::with_connector(
+            connector, ssl,
+        )
+    }
+
+    #[cfg(any(target_os = "macos", target_os = "windows", target_os = "ios"))]
+    /// Build the HTTPS connector. Will if the SSL connector can't be created.
+    pub fn build(
+        self,
+    ) -> Result<hyper_tls::HttpsConnector<hyper::client::HttpConnector>, native_tls::Error> {
+        let tls = native_tls::TlsConnector::new()?.into();
+        let mut connector = hyper::client::HttpConnector::new(self.dns_threads);
+        connector.enforce_http(false);
+        let mut connector = hyper_tls::HttpsConnector::from((connector, tls));
+        connector.https_only(true);
+        Ok(connector)
+    }
 }

src/lib.rs

@@ -25,9 +25,7 @@ pub mod client;
 
 /// Module with utilities for creating connectors with hyper.
 pub mod connector;
-pub use connector::http_connector;
-#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-pub use connector::{https_mutual_connector, https_pinned_connector};
+pub use connector::Connector;
 
 pub mod composites;
 pub use composites::{CompositeMakeService, CompositeService, NotFound};