
Provide an example for how to create a custom cert resolver or how to use ResolvesServerCertUsingSni #175

Closed
firstdorsal opened this issue Sep 1, 2022 · 2 comments


@firstdorsal

Hi!
I am trying to add a custom cert resolver to a rustls/hyper setup but found it difficult to use ResolvesServerCertUsingSni, as well as to create my own resolver.

Would it be possible to provide an example for this case?

Working with https://github.com/rustls/hyper-rustls/blob/main/examples/server.rs works fine and is comprehensible for me.
The with_cert_resolver function on the other hand is not easy to understand from the provided documentation.

let mut cfg = rustls::ServerConfig::builder()
    .with_safe_defaults()
    .with_no_client_auth()
    .with_cert_resolver(/* what exactly needs to be provided here? */);

Thank you and all the best!
Paul

@firstdorsal (Author)

I figured it out:

use std::sync::Arc;

use rustls::{
    server::{ClientHello, ResolvesServerCert},
    sign::CertifiedKey,
};

// Minimal resolver. Returning None means rustls has no certificate for the
// connection, so the handshake is aborted; a real implementation picks a
// CertifiedKey (for example based on client_hello.server_name()).
pub struct CertResolver {}

impl ResolvesServerCert for CertResolver {
    fn resolve(&self, _client_hello: ClientHello) -> Option<Arc<CertifiedKey>> {
        None
    }
}

fn main() {
    let tls_cfg = {
        let resolver = CertResolver {};

        // with_cert_resolver takes an Arc<dyn ResolvesServerCert>, hence Arc::new
        let mut cfg = rustls::ServerConfig::builder()
            .with_safe_defaults()
            .with_no_client_auth()
            .with_cert_resolver(Arc::new(resolver));
        cfg.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
        Arc::new(cfg)
    };
    let _ = tls_cfg; // hand this Arc<ServerConfig> to hyper-rustls / tokio-rustls
}

@djc (Member)

djc commented Sep 5, 2022

These days I would consider using the rustls Acceptor API instead of using the ResolvesServerCert API. This provides more flexibility and fits better with async code (using the tokio-rustls LazyConfigAcceptor at least).
