pub struct ClientConnection { /* private fields */ }
Expand description

This represents a single TLS client connection.

Implementations

Make a new ClientConnection. config controls how we behave in the TLS protocol, name is the name of the server we want to talk to.

Returns an io::Write implementer you can write bytes to to send TLS1.3 early data (a.k.a. “0-RTT data”) to the server.

This returns None in many circumstances when the capability to send early data is not available, including but not limited to:

  • The server hasn’t been talked to previously.
  • The server does not support resumption.
  • The server does not support early data.
  • The resumption data for the server has expired.

The server specifies a maximum amount of early data. You can learn this limit through the returned object, and writes through it will process only this many bytes.

The server can choose not to accept any sent early data – in this case the data is lost but the connection continues. You can tell this happened using is_early_data_accepted.

Returns True if the server signalled it will process early data.

If you sent early data and this returns false at the end of the handshake then the server will not process the data. This is not an error, but you may wish to resend the data.

Methods from Deref<Target = ConnectionCommon<ClientConnectionData>>

Returns an object that allows reading plaintext.

Returns an object that allows writing plaintext.

This function uses io to complete any outstanding IO for this connection.

This is a convenience function which solely uses other parts of the public API.

What this means depends on the connection state:

The return value is the number of bytes read from and written to io, respectively.

This function will block if io blocks.

Errors from TLS record handling (i.e., from process_new_packets) are wrapped in an io::ErrorKind::InvalidData-kind error.

Processes any new packets read by a previous call to Connection::read_tls.

Errors from this function relate to TLS protocol errors, and are fatal to the connection. Future calls after an error will do no new work and will return the same error. After an error is received from process_new_packets, you should not call read_tls any more (it will fill up buffers to no purpose). However, you may call the other methods on the connection, including write, send_close_notify, and write_tls. Most likely you will want to call write_tls to send any alerts queued by the error and then close the underlying connection.

Success from this function comes with some sundry state data about the connection.

Read TLS content from rd. This method does internal buffering, so rd can supply TLS messages in arbitrary- sized chunks (like a socket or pipe might).

You should call process_new_packets each time a call to this function succeeds.

The returned error only relates to IO on rd. TLS-level errors are emitted from process_new_packets.

This function returns Ok(0) when the underlying rd does so. This typically happens when a socket is cleanly closed, or a file is at EOF.

Derives key material from the agreed connection secrets.

This function fills in output with output.len() bytes of key material derived from the master session secret using label and context for diversification.

See RFC5705 for more details on what this does and is for.

For TLS1.3 connections, this function does not use the “early” exporter at any point.

This function fails if called prior to the handshake completing; check with CommonState::is_handshaking first.

Methods from Deref<Target = CommonState>

Returns true if the caller should call CommonState::write_tls as soon as possible.

Returns true if the connection is currently performing the TLS handshake.

During this time plaintext written to the connection is buffered in memory. After Connection::process_new_packets has been called, this might start to return false while the final handshake packets still need to be extracted from the connection’s buffers.

Retrieves the certificate chain used by the peer to authenticate.

The order of the certificate chain is as it appears in the TLS protocol: the first certificate relates to the peer, the second certifies the first, the third certifies the second, and so on.

This is made available for both full and resumed handshakes.

For clients, this is the certificate chain of the server.

For servers, this is the certificate chain of the client, if client authentication was completed.

The return value is None until this value is available.

Retrieves the protocol agreed with the peer via ALPN.

A return value of None after handshake completion means no protocol was agreed (because no protocols were offered or accepted by the peer).

Retrieves the ciphersuite agreed with the peer.

This returns None until the ciphersuite is agreed.

Retrieves the protocol version agreed with the peer.

This returns None until the version is agreed.

Writes TLS messages to wr.

On success, this function returns Ok(n) where n is a number of bytes written to wr (after encoding and encryption).

After this function returns, the connection buffer may not yet be fully flushed. The CommonState::wants_write function can be used to check if the output buffer is empty.

Sets a limit on the internal buffers used to buffer unsent plaintext (prior to completing the TLS handshake) and unsent TLS records. This limit acts only on application data written through Connection::writer.

By default the limit is 64KB. The limit can be set at any time, even if the current buffer use is higher.

None means no limit applies, and will mean that written data is buffered without bound – it is up to the application to appropriately schedule its plaintext and TLS writes to bound memory usage.

For illustration: Some(1) means a limit of one byte applies: Connection::writer will accept only one byte, encrypt it and add a TLS header. Once this is sent via CommonState::write_tls, another byte may be sent.

Internal write-direction buffering

rustls has two buffers whose size are bounded by this setting:

Buffering of unsent plaintext data prior to handshake completion

Calls to Connection::writer before or during the handshake are buffered (up to the limit specified here). Once the handshake completes this data is encrypted and the resulting TLS records are added to the outgoing buffer.

Buffering of outgoing TLS records

This buffer is used to store TLS records that rustls needs to send to the peer. It is used in these two circumstances:

This buffer is emptied by CommonState::write_tls.

Queues a close_notify warning alert to be sent in the next CommonState::write_tls call. This informs the peer that the connection is being closed.

Returns true if the caller should call Connection::read_tls as soon as possible.

If there is pending plaintext data to read with Connection::reader, this returns false. If your application respects this mechanism, only one full TLS message will be buffered by rustls.

Trait Implementations

Formats the value using the given formatter. Read more

The resulting type after dereferencing.

Dereferences the value.

Mutably dereferences the value.

Performs the conversion.

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Returns the argument unchanged.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.