Upgrade an insecure tokio::net::TcpStream to TLS

What is the proper way to upgrade an existing tokio::net::TcpStream connection to TLS? Examples are appreciated and I would prefer to use rustls.

In this part:

    use std::fs::File;
    use std::io::BufReader;
    use rustls::{OwnedTrustAnchor, RootCertStore};

    // `cafile` is the path to a PEM file containing the CA certificates to trust
    let mut pem = BufReader::new(File::open(cafile)?);
    let certs = rustls_pemfile::certs(&mut pem)?;
    let trust_anchors = certs.iter().map(|cert| {
        let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
        OwnedTrustAnchor::from_subject_spki_name_constraints(
            ta.subject,
            ta.spki,
            ta.name_constraints,
        )
    });
    // the mapped anchors only take effect once they are added to a root store
    let mut root_store = RootCertStore::empty();
    root_store.add_trust_anchors(trust_anchors);

Assuming I'm using Let's Encrypt which file does it want there?

You can probably use webpki-roots instead of loading a PEM file: TLS_SERVER_ROOTS in webpki_roots - Rust

Sorry, what does this mean? The goal I have in mind here is to use a Let's Encrypt cert I have provisioned. I thought to do a proper exchange it had to be my cert, but that webpki thing is somehow connected to Mozilla's roots. I don't understand that.

Also what is the domain meant to be in the code sample you posted? Is it my domain or the endpoint's domain?

Finally how does this example translate for tokio_rustls?

If you are a client you should fill in the domain name of the server and use webpki_roots as root cert store (the root cert store is the list of CAs to trust issuing server certificates (trust anchors)). If you are the server, I think you are incorrectly trying to use the client api. The server api doesn't have any trust anchor concept. Instead you only pass a single certificate + private key where the certificate is issued by for example Let's Encrypt.
