Initialize server-side TLS connection with configuration This method handles all server-side setup including: - Certificate and key validation - Client authentication configuration - SNI (Server Name Indication) setup - ALPN protocol negotiation - Session resumption configuration Returns the configured ServerConnection.
(
&self,
conn_guard: &mut Option<TlsConnection>,
vm: &VirtualMachine,
)
| 3124 | /// |
| 3125 | /// Returns the configured ServerConnection. |
| 3126 | fn initialize_server_connection( |
| 3127 | &self, |
| 3128 | conn_guard: &mut Option<TlsConnection>, |
| 3129 | vm: &VirtualMachine, |
| 3130 | ) -> PyResult<()> { |
| 3131 | let ctx = self.context.read(); |
| 3132 | let cert_keys = ctx.cert_keys.read(); |
| 3133 | |
| 3134 | if cert_keys.is_empty() { |
| 3135 | return Err(vm.new_value_error( |
| 3136 | "Server-side connection requires certificate and key (use load_cert_chain)", |
| 3137 | )); |
| 3138 | } |
| 3139 | |
| 3140 | // Clone cert_keys for use in config |
| 3141 | // PrivateKeyDer doesn't implement Clone, use clone_key() |
| 3142 | let cert_keys_clone: Vec<CertKeyPair> = cert_keys |
| 3143 | .iter() |
| 3144 | .map(|(ck, pk)| (ck.clone(), pk.clone_key())) |
| 3145 | .collect(); |
| 3146 | drop(cert_keys); |
| 3147 | |
| 3148 | // Prepare common protocol settings (TLS versions, ECDH curve, cipher suites, ALPN) |
| 3149 | let protocol_settings = self.prepare_protocol_settings(vm)?; |
| 3150 | let min_ver = *ctx.minimum_version.read(); |
| 3151 | |
| 3152 | // Check if client certificate verification is required |
| 3153 | let verify_mode = *ctx.verify_mode.read(); |
| 3154 | let root_store = ctx.root_certs.read(); |
| 3155 | let pha_enabled = *ctx.post_handshake_auth.read(); |
| 3156 | |
| 3157 | // Check if TLS 1.3 is being used |
| 3158 | let is_tls13 = min_ver >= PROTO_TLSv1_3; |
| 3159 | |
| 3160 | // For TLS 1.3: always use deferred validation for client certificates |
| 3161 | // For TLS 1.2: use immediate validation during handshake |
| 3162 | let use_deferred_validation = is_tls13 |
| 3163 | && !pha_enabled |
| 3164 | && (verify_mode == CERT_REQUIRED || verify_mode == CERT_OPTIONAL); |
| 3165 | |
| 3166 | // For TLS 1.3 + PHA: if PHA is enabled, don't request cert in initial handshake |
| 3167 | // The certificate will be requested later via verify_client_post_handshake() |
| 3168 | let request_initial_cert = if pha_enabled { |
| 3169 | // PHA enabled: don't request cert initially (will use PHA later) |
| 3170 | false |
| 3171 | } else if verify_mode == CERT_REQUIRED || verify_mode == CERT_OPTIONAL { |
| 3172 | // PHA not enabled or TLS 1.2: request cert in initial handshake |
| 3173 | true |
| 3174 | } else { |
| 3175 | // CERT_NONE |
| 3176 | false |
| 3177 | }; |
| 3178 | |
| 3179 | // Check if SNI callback is set |
| 3180 | let sni_callback = ctx.sni_callback.read().clone(); |
| 3181 | let use_sni_resolver = sni_callback.is_some(); |
| 3182 | |
| 3183 | // Create SNI state if needed (to be stored in PySSLSocket later) |
no test coverage detected