Commit ba825b8

example(bindings): client hello cb example (#4385)
1 parent e1f6f01 commit ba825b8

14 files changed

+420
-1
lines changed

.github/workflows/ci_rust.yml

Lines changed: 20 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -11,8 +11,9 @@ on:
1111
env:
1212
# Pin the nightly toolchain to prevent breakage.
1313
# This should be occasionally updated.
14-
RUST_NIGHTLY_TOOLCHAIN: nightly-2022-08-03
14+
RUST_NIGHTLY_TOOLCHAIN: nightly-2024-01-01
1515
ROOT_PATH: bindings/rust
16+
EXAMPLE_WORKSPACE: bindings/rust-examples
1617

1718
jobs:
1819
generate:
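Review bot: the RUST_NIGHTLY_TOOLCHAIN bump from nightly-2022-08-03 to nightly-2024-01-01 is unrelated to adding an example and is not mentioned in the commit message ("example(bindings): client hello cb example"); either state the reason for the bump in the message or split it into its own commit so that a breakage caused by the new nightly can be bisected separately from the example. The new EXAMPLE_WORKSPACE variable is fine as is.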
@@ -78,6 +79,24 @@ jobs:
7879
- name: bench tests
7980
working-directory: ${{env.ROOT_PATH}}/bench
8081
run: cargo test
82+
83+
s2n-tls-binding-examples:
84+
runs-on: ubuntu-latest
85+
steps:
86+
- uses: actions/checkout@v3
87+
88+
- uses: actions-rs/toolchain@v1
89+
id: toolchain
90+
with:
91+
toolchain: stable
92+
override: true
93+
94+
- name: generate bindings
95+
run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
96+
97+
- name: build examples
98+
working-directory: ${{env.EXAMPLE_WORKSPACE}}
99+
run: cargo build
81100

82101
generate-openssl-102:
83102
runs-on: ubuntu-latest
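Review bot: the new s2n-tls-binding-examples job only runs `cargo build`, so the behaviour the commit adds (SNI-dependent config selection in the client hello callback) is never exercised in CI; running the server and client binaries against each other, or at least `cargo test`, would make a regression in the callback visible. Separately, `actions-rs/toolchain@v1` is an archived, unmaintained action; the stable-toolchain step should use whatever maintained action the rest of this workflow uses, and both it and `actions/checkout@v3` would be better pinned to a commit SHA than to a mutable tag, since third-party actions run with the repository's CI credentials.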

bindings/rust-examples/.gitignore

Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
*target/
2+
*Cargo.lock
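Review bot: the leading `*` in `*target/` and `*Cargo.lock` matches any path ending in those names, which is broader than intended; `target/` and `Cargo.lock` are the usual entries. Also, since this workspace contains only binaries, consider committing Cargo.lock instead of ignoring it, so that the CI build and anyone reproducing the README output resolve the same dependency versions rather than whatever is newest at build time.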

bindings/rust-examples/Cargo.toml

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
[workspace]
2+
members = [
3+
"client-hello-config-resolution",
4+
]
5+
resolver = "2"
6+
7+
[workspace.package]
8+
version = "0.0.1"
9+
authors = ["AWS s2n"]
10+
publish = false
11+
license = "Apache-2.0"
12+
edition = "2021"
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
[package]
2+
name = "client-hello-config-resolution"
3+
version.workspace = true
4+
authors.workspace = true
5+
publish.workspace = true
6+
license.workspace = true
7+
edition.workspace = true
8+
9+
[dependencies]
10+
clap = { version = "4", features = ["derive"] }
11+
s2n-tls = { path = "../../rust/s2n-tls" }
12+
s2n-tls-tokio = { path = "../../rust/s2n-tls-tokio" }
13+
tokio = { version = "1", features = ["full"] }
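Review bot: `tokio = { version = "1", features = ["full"] }` enables every tokio feature; a TLS client and server example normally needs only a handful (`rt-multi-thread`, `net`, `io-util`, `macros`), and narrowing the list keeps the example's dependency surface and build time down. The path dependencies on `../../rust/s2n-tls` and `../../rust/s2n-tls-tokio` also mean the example only builds after `generate.sh` has produced the bindings, as the CI job does; the README should state that prerequisite.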
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
This example shows how to use the s2n-tls client hello callback to configure different TLS configs based on the Server Name Indication (SNI) in the client hello. The [server](src/bin/server.rs) sets up two configs for two different sni's, `www.wombat.com` and `www.kangaroo.com`. These configs are set up with different cipher preferences so that the allowed TLS versions are dependent on the client SNI.
2+
3+
To run this example, first start the server in one terminal
4+
```
5+
cargo run --bin server
6+
```
7+
Then run the client in another terminal, setting the appropriate SNI.
8+
9+
### Kangaroo SNI
10+
```
11+
cargo run --bin client www.kangaroo.com
12+
```
13+
```
14+
TlsStream {
15+
connection: Connection {
16+
handshake_type: "NEGOTIATED|FULL_HANDSHAKE|MIDDLEBOX_COMPAT",
17+
cipher_suite: "TLS_AES_128_GCM_SHA256",
18+
actual_protocol_version: TLS13,
19+
selected_curve: "x25519",
20+
..
21+
},
22+
}
23+
The server said Hello, you are speaking to www.kangaroo.com
24+
```
25+
We can see that the server successfully responded with the appropriate `www.kangaroo.com` certificate, resulting in a successful handshake.
26+
27+
### Wombat SNI
28+
```
29+
cargo run --bin client www.wombat.com
30+
```
31+
```
32+
TlsStream {
33+
connection: Connection {
34+
handshake_type: "NEGOTIATED|FULL_HANDSHAKE|TLS12_PERFECT_FORWARD_SECRECY",
35+
cipher_suite: "ECDHE-ECDSA-AES128-SHA",
36+
actual_protocol_version: TLS12,
37+
selected_curve: "secp256r1",
38+
..
39+
},
40+
}
41+
The server said Hello, you are speaking to www.wombat.com
42+
```
43+
Once again there is a successful handshake showing that the server responded with the proper certificate. In this case, the config that the server configured for `www.wombat.com` did not support TLS 1.3, so the TLS 1.2 was negotiated instead.
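Review bot: the README claims the server "responded with the appropriate `www.kangaroo.com` certificate", but the client output shown only proves that a handshake completed and that the server's application data echoed the SNI; nothing in it identifies which certificate was presented, so either print something from the peer certificate (for example its subject alternative name) or soften the claim. The wombat config negotiates `ECDHE-ECDSA-AES128-SHA`, a CBC suite with an HMAC-SHA1 MAC, which is fine for demonstrating a TLS 1.2-only policy but should be labelled as a deliberately legacy choice so readers do not copy it into a real config. Wording nits: `sni's` should be `SNIs`, and `so the TLS 1.2 was negotiated` should read `so TLS 1.2 was negotiated`; the README should also mention that the certificates and keys come from the generation script added in this commit.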
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
-----BEGIN CERTIFICATE-----
12+
-----END CERTIFICATE-----
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
#!/usr/bin/env bash
2+
3+
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
4+
# SPDX-License-Identifier: Apache-2.0
5+
6+
# immediately bail if any command fails
7+
set -e
8+
9+
echo "generating CA"
10+
openssl req -new -noenc -x509 \
11+
-newkey ec \
12+
-pkeyopt ec_paramgen_curve:P-384 \
13+
-keyout ca-key.pem \
14+
-out ca-cert.pem \
15+
-days 65536 \
16+
-SHA384 \
17+
-subj "/C=US/CN=root" \
18+
-addext "basicConstraints = critical,CA:true" \
19+
-addext "keyUsage = critical,keyCertSign"
20+
21+
echo "generating wombat private key and CSR"
22+
openssl req -new -noenc \
23+
-newkey ec \
24+
-pkeyopt ec_paramgen_curve:P-384 \
25+
-keyout wombat-key.pem \
26+
-out wombat.csr \
27+
-subj "/C=US/CN=wombat" \
28+
-addext "subjectAltName = DNS:www.wombat.com"
29+
30+
echo "generating kangaroo private key and CSR"
31+
openssl req -new -noenc \
32+
-newkey ec \
33+
-pkeyopt ec_paramgen_curve:P-384 \
34+
-keyout kangaroo-key.pem \
35+
-out kangaroo.csr \
36+
-subj "/C=US/CN=kangaroo" \
37+
-addext "subjectAltName = DNS:www.kangaroo.com"
38+
39+
echo "generating wombat server certificate and signing it"
40+
openssl x509 -days 65536 \
41+
-req -in wombat.csr \
42+
-SHA384 \
43+
-CA ca-cert.pem \
44+
-CAkey ca-key.pem \
45+
-CAcreateserial \
46+
-out wombat-cert.pem \
47+
-copy_extensions=copyall
48+
49+
echo "generating kangaroo certificate and signing it"
50+
openssl x509 -days 65536 \
51+
-req -in kangaroo.csr \
52+
-SHA384 \
53+
-CA ca-cert.pem \
54+
-CAkey ca-key.pem \
55+
-CAcreateserial \
56+
-out kangaroo-cert.pem \
57+
-copy_extensions=copyall
58+
59+
touch wombat-chain.pem
60+
cat wombat-cert.pem >> wombat-chain.pem
61+
cat ca-cert.pem >> wombat-chain.pem
62+
63+
touch kangaroo-chain.pem
64+
cat kangaroo-cert.pem >> kangaroo-chain.pem
65+
cat ca-cert.pem >> kangaroo-chain.pem
66+
67+
echo "verifying server certificates"
68+
openssl verify -CAfile ca-cert.pem wombat-cert.pem
69+
openssl verify -CAfile ca-cert.pem kangaroo-cert.pem
70+
71+
# certificate signing requests are never used after the certs are generated
72+
rm wombat.csr
73+
rm kangaroo.csr
74+
rm ca-cert.srl
75+
76+
# the private keys of the CA are never needed after signing
77+
rm ca-key.pem
78+
rm wombat-cert.pem
79+
rm kangaroo-cert.pem
80+
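Review bot: the chain files are built with `touch` followed by `cat ... >> wombat-chain.pem`, so re-running the script in a checkout that already has chain files appends a second copy of each certificate instead of replacing it; write the first certificate with `>` (or `rm -f` the chain files before appending) so the script is idempotent. `-days 65536` makes every certificate valid for roughly 179 years, which is acceptable for test fixtures but deserves a comment, since nothing will ever force these certificates to rotate. `-noenc` and `-copy_extensions` are OpenSSL 3.0 options (OpenSSL 1.1 spells the first `-nodes` and has no `-copy_extensions` on `x509`), so a comment stating the version requirement would save the next person a confusing failure. Deleting `ca-key.pem` after signing is a good touch: nothing further can be signed under this test CA, which also means regenerating any one certificate requires rerunning the whole script.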
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
-----BEGIN CERTIFICATE-----
13+
-----END CERTIFICATE-----
14+
-----BEGIN CERTIFICATE-----
25+
-----END CERTIFICATE-----
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
-----BEGIN PRIVATE KEY-----
6+
-----END PRIVATE KEY-----
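Review bot: a server private key is committed here. That is fine for a self-contained example, but the README should say that these keys and certificates are throwaway test fixtures produced by the generation script in this commit, so that nobody reuses them elsewhere; it is good that the script removes `ca-key.pem` after signing, so the committed CA certificate cannot be used to sign anything further.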
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
-----BEGIN CERTIFICATE-----
12+
-----END CERTIFICATE-----
13+
-----BEGIN CERTIFICATE-----
24+
-----END CERTIFICATE-----
