server: switch from OpenSSL to Rustls
committed by
nitnelave
parent
9e37a06514
commit
c399ff2bfa
@@ -11,7 +11,6 @@ actix-http = "=3.0.0-beta.9"
|
||||
actix-rt = "2.2.0"
|
||||
actix-server = "=2.0.0-beta.5"
|
||||
actix-service = "2.0.0"
|
||||
actix-tls = "=3.0.0-beta.5"
|
||||
actix-web = "=4.0.0-beta.8"
|
||||
actix-web-httpauth = "0.6.0-beta.2"
|
||||
anyhow = "*"
|
||||
@@ -30,21 +29,22 @@ juniper_actix = "0.4.0"
|
||||
jwt = "0.13"
|
||||
ldap3_server = "=0.1.11"
|
||||
log = "*"
|
||||
native-tls = "0.2.10"
|
||||
orion = "0.16"
|
||||
rustls = "0.20"
|
||||
serde = "*"
|
||||
serde_json = "1"
|
||||
sha2 = "0.9"
|
||||
sqlx-core = "0.5.11"
|
||||
thiserror = "*"
|
||||
time = "0.2"
|
||||
tokio-native-tls = "0.3"
|
||||
tokio-rustls = "0.23"
|
||||
tokio-stream = "*"
|
||||
tokio-util = "0.6.3"
|
||||
tracing = "*"
|
||||
tracing-actix-web = "0.4.0-beta.7"
|
||||
tracing-attributes = "^0.1.21"
|
||||
tracing-log = "*"
|
||||
rustls-pemfile = "1.0.0"
|
||||
|
||||
[dependencies.chrono]
|
||||
features = ["serde"]
|
||||
@@ -63,7 +63,8 @@ version = "0.3"
|
||||
features = ["env-filter", "tracing-log"]
|
||||
|
||||
[dependencies.lettre]
|
||||
features = ["builder", "serde", "smtp-transport", "tokio1-native-tls", "tokio1"]
|
||||
features = ["builder", "serde", "smtp-transport", "tokio1-rustls-tls"]
|
||||
default-features = false
|
||||
version = "0.10.0-rc.3"
|
||||
|
||||
[dependencies.sqlx]
|
||||
@@ -74,7 +75,7 @@ features = [
|
||||
"macros",
|
||||
"mysql",
|
||||
"postgres",
|
||||
"runtime-actix-native-tls",
|
||||
"runtime-actix-rustls",
|
||||
"sqlite",
|
||||
]
|
||||
|
||||
@@ -92,10 +93,6 @@ features = ["with-chrono", "sqlx-sqlite", "sqlx-any"]
|
||||
[dependencies.opaque-ke]
|
||||
version = "0.6"
|
||||
|
||||
[dependencies.openssl-sys]
|
||||
features = ["vendored"]
|
||||
version = "*"
|
||||
|
||||
[dependencies.rand]
|
||||
features = ["small_rng", "getrandom"]
|
||||
version = "0.8"
|
||||
@@ -116,5 +113,9 @@ version = "*"
|
||||
features = ["smallvec", "chrono", "tokio"]
|
||||
version = "^0.1.4"
|
||||
|
||||
[dependencies.actix-tls]
|
||||
features = ["default", "rustls"]
|
||||
version = "=3.0.0-beta.5"
|
||||
|
||||
[dev-dependencies]
|
||||
mockall = "0.9.1"
|
||||
|
||||
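Review bot: `rustls-pemfile = "1.0.0"` is appended after `tracing-log` in the second hunk (`@@ -30,21 +29,22 @@`), which breaks the alphabetical order the rest of the `[dependencies]` list keeps; move it up beside `rustls = "0.20"` so the TLS-related crates sit together and the next reader finds it where the others are. The remaining hunks in this file (the lettre, sqlx, openssl-sys and actix-tls changes) are consistent with the backend switch and need no change.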
@@ -10,8 +10,7 @@ use actix_server::ServerBuilder;
|
||||
use actix_service::{fn_service, ServiceFactoryExt};
|
||||
use anyhow::{Context, Result};
|
||||
use ldap3_server::{proto::LdapMsg, LdapCodec};
|
||||
use native_tls::{Identity, TlsAcceptor};
|
||||
use tokio_native_tls::TlsAcceptor as NativeTlsAcceptor;
|
||||
use tokio_rustls::TlsAcceptor as RustlsTlsAcceptor;
|
||||
use tokio_util::codec::{FramedRead, FramedWrite};
|
||||
use tracing::{debug, error, info, instrument};
|
||||
|
||||
@@ -54,19 +53,6 @@ where
|
||||
Ok(true)
|
||||
}
|
||||
|
||||
fn get_file_as_byte_vec(filename: &str) -> Result<Vec<u8>> {
|
||||
(|| -> Result<Vec<u8>> {
|
||||
use std::fs::{metadata, File};
|
||||
use std::io::Read;
|
||||
let mut f = File::open(&filename).context("file not found")?;
|
||||
let metadata = metadata(&filename).context("unable to read metadata")?;
|
||||
let mut buffer = vec![0; metadata.len() as usize];
|
||||
f.read(&mut buffer).context("buffer overflow")?;
|
||||
Ok(buffer)
|
||||
})()
|
||||
.context(format!("while reading file {}", filename))
|
||||
}
|
||||
|
||||
#[instrument(skip_all, level = "info", name = "LDAP session")]
|
||||
async fn handle_ldap_stream<Stream, Backend>(
|
||||
stream: Stream,
|
||||
@@ -103,12 +89,31 @@ where
|
||||
Ok(requests.into_inner().unsplit(resp.into_inner()))
|
||||
}
|
||||
|
||||
fn get_tls_acceptor(config: &Configuration) -> Result<NativeTlsAcceptor> {
|
||||
fn get_tls_acceptor(config: &Configuration) -> Result<RustlsTlsAcceptor> {
|
||||
use rustls::{Certificate, PrivateKey, ServerConfig};
|
||||
use rustls_pemfile::{certs, pkcs8_private_keys};
|
||||
use std::{fs::File, io::BufReader};
|
||||
// Load TLS key and cert files
|
||||
let cert_file = get_file_as_byte_vec(&config.ldaps_options.cert_file)?;
|
||||
let key_file = get_file_as_byte_vec(&config.ldaps_options.key_file)?;
|
||||
let identity = Identity::from_pkcs8(&cert_file, &key_file)?;
|
||||
Ok(TlsAcceptor::new(identity)?.into())
|
||||
let certs = certs(&mut BufReader::new(File::open(
|
||||
&config.ldaps_options.cert_file,
|
||||
)?))?
|
||||
.into_iter()
|
||||
.map(Certificate)
|
||||
.collect::<Vec<_>>();
|
||||
let private_key = pkcs8_private_keys(&mut BufReader::new(File::open(
|
||||
&config.ldaps_options.key_file,
|
||||
)?))?
|
||||
.into_iter()
|
||||
.map(PrivateKey)
|
||||
.next()
|
||||
.ok_or_else(|| anyhow::anyhow!("No private keys"))?;
|
||||
let server_config = std::sync::Arc::new(
|
||||
ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth()
|
||||
.with_single_cert(certs, private_key)?,
|
||||
);
|
||||
Ok(server_config.into())
|
||||
}
|
||||
|
||||
pub fn build_ldap_server<Backend>(
|
||||
|
||||
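Review bot: The two `File::open(...)?` calls in `get_tls_acceptor` propagate a bare `io::Error`, so a missing or unreadable certificate or key file now fails with only "No such file or directory (os error 2)" — the deleted `get_file_as_byte_vec` attached `while reading file {}` with the path, and this hunk drops that context. `Context` is still imported, so the fix is `File::open(&config.ldaps_options.cert_file).with_context(|| format!("while reading certificate file {}", config.ldaps_options.cert_file))?` and the same for `key_file` (the fields appear to be `String`s, judging by the removed `&str` helper they were passed to). Related: `certs(...)` yields an empty `Vec` when the file holds no `CERTIFICATE` blocks, and `pkcs8_private_keys` silently skips PKCS#1/SEC1 (`BEGIN RSA PRIVATE KEY` / `BEGIN EC PRIVATE KEY`) entries, so an empty chain should be rejected explicitly with `if certs.is_empty() { anyhow::bail!("No certificates found in {}", config.ldaps_options.cert_file); }` and the `"No private keys"` message should say the key must be PKCS#8 PEM. I have not verified whether rustls 0.20's `with_single_cert` rejects an empty chain on its own, which is why the explicit check is worth adding.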