Create a server TLS configuration This abstracts the complex rustls ServerConfig building logic, matching SSL_CTX initialization for server sockets.
(options: ServerConfigOptions)
| 680 | /// This abstracts the complex rustls ServerConfig building logic, |
| 681 | /// matching SSL_CTX initialization for server sockets. |
| 682 | pub(super) fn create_server_config(options: ServerConfigOptions) -> Result<ServerConfig, String> { |
| 683 | use rustls::server::WebPkiClientVerifier; |
| 684 | |
| 685 | // Ensure default CryptoProvider is installed |
| 686 | ensure_default_provider(); |
| 687 | |
| 688 | // Create custom crypto provider using helper function |
| 689 | let custom_provider = create_custom_crypto_provider( |
| 690 | options.protocol_settings.cipher_suites.clone(), |
| 691 | options.protocol_settings.kx_groups.clone(), |
| 692 | ); |
| 693 | |
| 694 | // Step 1: Build the appropriate client cert verifier based on settings |
| 695 | let client_cert_verifier: Option<Arc<dyn rustls::server::danger::ClientCertVerifier>> = |
| 696 | if let Some(root_store) = options.root_store { |
| 697 | if options.request_client_cert { |
| 698 | // Client certificate verification required |
| 699 | let base_verifier = WebPkiClientVerifier::builder(Arc::new(root_store)) |
| 700 | .build() |
| 701 | .map_err(|e| format!("Failed to create client verifier: {e}"))?; |
| 702 | |
| 703 | if options.use_deferred_validation { |
| 704 | // TLS 1.3: Use deferred validation |
| 705 | if let Some(deferred_error) = options.deferred_cert_error { |
| 706 | use crate::ssl::cert::DeferredClientCertVerifier; |
| 707 | let deferred_verifier = |
| 708 | DeferredClientCertVerifier::new(base_verifier, deferred_error); |
| 709 | Some(Arc::new(deferred_verifier)) |
| 710 | } else { |
| 711 | // No deferred error storage provided, use immediate validation |
| 712 | Some(base_verifier) |
| 713 | } |
| 714 | } else { |
| 715 | // TLS 1.2 or non-deferred: Use immediate validation |
| 716 | Some(base_verifier) |
| 717 | } |
| 718 | } else { |
| 719 | // No client authentication |
| 720 | None |
| 721 | } |
| 722 | } else { |
| 723 | // No root store - no client authentication |
| 724 | None |
| 725 | }; |
| 726 | |
| 727 | // Step 2: Create ServerConfig builder once with the selected verifier |
| 728 | let builder = ServerConfig::builder_with_provider(custom_provider.clone()) |
| 729 | .with_protocol_versions(options.protocol_settings.versions) |
| 730 | .map_err(|e| format!("Failed to create server config builder: {e}"))?; |
| 731 | |
| 732 | let builder = if let Some(verifier) = client_cert_verifier { |
| 733 | builder.with_client_cert_verifier(verifier) |
| 734 | } else { |
| 735 | builder.with_no_client_auth() |
| 736 | }; |
| 737 | |
| 738 | // Add certificate |
| 739 | let mut config = if let Some(resolver) = options.cert_resolver { |
no test coverage detected