rustls/manual/howto.rs
1/*! # Customising private key usage
2
3By default rustls supports PKCS#8-format[^1] RSA or ECDSA keys, plus PKCS#1-format RSA keys.
4
5However, if your private key resides in a HSM, or in another process, or perhaps
6another machine, rustls has some extension points to support this:
7
8The main trait you must implement is [`sign::SigningKey`][signing_key]. The primary method here
9is [`choose_scheme()`][choose_scheme] where you are given a set of [`SignatureScheme`s][sig_scheme] the client says
10it supports: you must choose one (or return `None` -- this aborts the handshake). Having
11done that, you return an implementation of the [`sign::Signer`][signer] trait.
12The [`sign()`][sign_method] performs the signature and returns it.
13
14(Unfortunately this is currently designed for keys with low latency access, like in a
15PKCS#11 provider, Microsoft CryptoAPI, etc. so is blocking rather than asynchronous.
16It's a TODO to make these and other extension points async.)
17
18Once you have these two pieces, configuring a server to use them involves, briefly:
19
20- packaging your [`sign::SigningKey`][signing_key] with the matching certificate chain into a [`sign::CertifiedKey`][certified_key]
21- making a [`ResolvesServerCertUsingSni`][cert_using_sni] and feeding in your [`sign::CertifiedKey`][certified_key] for all SNI hostnames you want to use it for,
22- setting that as your `ServerConfig`'s [`cert_resolver`][cert_resolver]
23
24For a complete example of implementing a custom [`sign::SigningKey`][signing_key] and
25[`sign::Signer`][signer] see the [`signer` module in the `rustls-cng` crate][rustls-cng-signer].
26
27[signing_key]: crate::crypto::signer::SigningKey
28[choose_scheme]: crate::crypto::signer::SigningKey::choose_scheme
29[sig_scheme]: crate::SignatureScheme
30[signer]: crate::crypto::signer::Signer
31[sign_method]: crate::crypto::signer::Signer::sign
32[certified_key]: crate::crypto::signer::CertifiedKey
33[cert_using_sni]: crate::server::ResolvesServerCertUsingSni
34[cert_resolver]: crate::ServerConfig::cert_resolver
35[rustls-cng-signer]: https://github.com/rustls/rustls-cng/blob/dev/src/signer.rs
36
37[^1]: For PKCS#8 it does not support password encryption -- there's not a meaningful threat
38 model addressed by this, and the encryption supported is typically extremely poor.
39
40# Unexpected EOF
41
42TLS has a `close_notify` mechanism to prevent truncation attacks[^2].
43According to the TLS RFCs, each party is required to send a `close_notify` message before
44closing the write side of the connection. However, some implementations don't send it.
45So long as the application layer protocol (for instance HTTP/2) has message length framing
46and can reject truncated messages, this is not a security problem.
47
48Rustls treats an EOF without `close_notify` as an error of type `std::io::Error` with
49`ErrorKind::UnexpectedEof`. In some situations it's appropriate for the application to handle
50this error the same way it would handle a normal EOF (a read returning `Ok(0)`). In particular
51if `UnexpectedEof` occurs on an idle connection it is appropriate to treat it the same way as a
52clean shutdown. And if an application always uses messages with length framing (in other words,
53messages are never delimited by the close of the TCP connection), it can unconditionally
54ignore `UnexpectedEof` errors from rustls.
55
56[^2]: <https://datatracker.ietf.org/doc/html/rfc8446#section-6.1>
57
58# Debugging
59
60If you encounter a bug with Rustls it can be helpful to collect up as much diagnostic
61information as possible.
62
63## Collecting logs
64
65If your bug reproduces with one of the [Rustls examples] you can use the
66[`RUST_LOG`] environment variable to increase the log verbosity. If you're using
67your own application, you may need to configure it with a logging backend
68like `env_logger`.
69
70Consider reproducing your bug with `RUST_LOG=rustls=trace` and sharing the result
71in a [GitHub gist].
72
73[Rustls examples]: https://github.com/rustls/rustls/tree/main/examples
74[`RUST_LOG`]: https://docs.rs/env_logger/latest/env_logger/#enabling-logging
75[`env_logger`]: https://docs.rs/env_logger/
76[GitHub gist]: https://docs.github.com/en/get-started/writing-on-github/editing-and-sharing-content-with-gists/creating-gists
77
78## Taking a packet capture
79
80When logs aren't enough taking a packet capture ("pcap") is another helpful tool.
81The details of how to accomplish this vary by operating system/context.
82
83### tcpdump
84
85As one example, on Linux using [`tcpdump`] is often easiest.
86
87If you know the IP address of the remote server your bug demonstrates with you
88could take a short packet capture with this command (after replacing
89`XX.XX.XX.XX` with the correct IP address):
90
91```bash
92sudo tcpdump -i any tcp and dst host XX.XX.XX.XX -C5 -w rustls.pcap
93```
94
95The `-i any` captures on any network interface. The `tcp and dst host XX.XX.XX.XX`
96portion target the capture to TCP traffic to the specified IP address. The `-C5`
97argument limits the capture to at most 5MB. Lastly the `-w` argument writes the
98capture to `rustls.pcap`.
99
100Another approach is to use `tcp and port XXXX` instead of `tcp and dst host XX.XX.XX.XX`
101to capture all traffic to a specific port instead of a specific host server.
102
103[`tcpdump`]: https://www.redhat.com/en/blog/introduction-using-tcpdump-linux-command-line
104
105### SSLKEYLOGFILE
106
107If the bug you are reporting happens after data is encrypted you may also wish to
108share the secret keys required to decrypt the post-handshake traffic.
109
110If you're using one of the [Rustls examples] you can set the `SSLKEYLOGFILE` environment
111variable to a path where secrets will be written. E.g. `SSLKEYLOGFILE=rustls.pcap.keys`.
112
113If you're using your own application you may need to customize the Rustls `ClientConfig`
114or `ServerConfig`'s `key_log` setting like the example applications do.
115
116With the file from `SSLKEYLOGFILE` it is possible to use [Wireshark] or another tool to
117decrypt the post-handshake messages, following [these instructions][curl-sslkeylogfile].
118
119Remember this allows plaintext decryption and should only be done in testing contexts
120where no sensitive data (API keys, etc) are being shared.
121
122[Wireshark]: https://www.wireshark.org/download.html
123[curl-sslkeylogfile]: https://everything.curl.dev/usingcurl/tls/sslkeylogfile.html
124*/