Comments (6)
Hi,
Today, wtransport
should already provide a way to cover your use case.
In particular, wtransport
exposes TLS configuration backed by rustls
. When creating your wtransport
client configuration, a custom TLS configuration can be set with with_custom_tls. This allows you to fully customize the TLS layer.
rustls::ClientConfig
allows you to create a custom certificate validator using set_certificate_verifier.
A verifier is quite easy to implement, and you can place the custom logic for certificate validation here.
Inside wtransport
, the same mechanism is used to create a NoCertVerifier
. You can have a look here.
Of course, in your case, your verifier can simply check against hashes.
Having said that, I am curious about the use case. I am wondering if the application is self-hosted, with_no_cert_validation
should not have security implications (if machine-local).
Moreover, your feedback makes me wonder if wtransport
might expose some wrapper around that to emulate the serverCertificateHashes
.
Feel free to ask if something is not clear or if you need more information.
Thank you for your feedback.
from wtransport.
Additional tips you might need:
wtransport
re-exportrustls
with the correct version. You should be able to get access torustls
directly viawtransport::tls::rustls
See doc here.- When creating a custom TLS layer, you should remember to set the correct ALPN. See here. It is just a "binary string". See here
from wtransport.
expose some wrapper around that to emulate the serverCertificateHashes.
adding that to the builder would definitely be useful!
from wtransport.
Before modifying wtransport
interface, I would like to better understand the possible usage and use case.
Asking because W3C serverCertificateHashes
has some security concerns and forces some constraints.
For example:
[...] the total length of the validity period MUST NOT exceed two weeks.
from wtransport.
I would expect that because this is a helper function, the constraints on the native api match the constraints on the browser api. If someone needs a native client to bypass these constraints, they could reach for the lower level api.
In my case, I am using wtransport because I want my game to support web clients. Therefore I want my native clients and web clients to work similarly (so I don't find out later down the line that I'm doing something on native that is prevented in the browser apis).
as for security concerns, I send this hash out of band via a HTTPS relay, and I ensure that the hash is signed so I can prove that im not being man in the middled. I don't agree that the hashes "effectively downgrades the security properties of the resulting transport" as that poster was claiming.
from wtransport.
I've opened a PR: #131
If you want to have a look and provide some feedback. Thanks
from wtransport.
Related Issues (20)
- wasm support? HOT 10
- Feature(s) for rcgen and ring HOT 6
- error: failed to run custom build command for `ls-qpack-sys v0.1.3` HOT 1
- Error displays should be lowercase
- Supporting rustls 0.22
- How to get credentials outside of a demo example HOT 3
- Implement AsyncRead + AsyncWrite for bidirectional stream as a single type. HOT 2
- Error when using my own Tokio runtime HOT 6
- Would be cool to be able to compile the rust client to WASM and use it on the web HOT 2
- Question on writing data and flushing HOT 14
- New release please HOT 1
- Access to low-level quinn details in client HOT 3
- PrivateKeyNotFound when key already exists. HOT 6
- Please implement the Clone trait for the Identity HOT 1
- Access to low-level `quinn::Connection`
- WebTransport TLS Keying Material Exporter HOT 1
- Create wtransport::Certificate directly from rcgen::Certificate HOT 3
- dnsResolver is not send HOT 3
- Simple library method for self-signed cert generation
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wtransport.