feat: Implement TLS for control channel #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![google-labs-jules[bot]](https://avatars.githubusercontent.com/in/842251?s=80&v=4){kind=small}
This change adds TLS encryption to the control connection between the `uniqx` client and server, enhancing the security of the tunnel. The server can now be configured to use TLS by providing a certificate and a private key using the `--cert` and `--key` command-line arguments. The client can enable TLS for its connection using the `--tls` flag. For development and testing purposes, an `--insecure` flag has also been added to allow the client to connect to servers using self-signed certificates. This implementation uses the `rustls` and `tokio-rustls` crates. The existing integration tests have been updated to accommodate the new function signatures.
Add the `description`, `license`, `repository`, and `authors` fields to the `Cargo.toml` files for the `shared`, `client`, and `server` crates. This metadata is required to publish these crates to `crates.io` as part of the workspace.
This change introduces a `--ca-cert` flag for the client. This flag allows a user to specify a path to a custom Certificate Authority (CA) certificate file. The client will use this certificate to verify the server's TLS certificate. This provides a secure alternative to the `--insecure` flag when connecting to a server that uses a self-signed certificate. Instead of disabling validation entirely, the client can be told to trust a specific, known certificate. The `README.md` has also been updated to document this new feature and recommend it as the preferred method for handling self-signed certificates.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch implements TLS encryption for the control channel connection between the
uniqxclient and server.Key changes:
--certand--keyflags to load a TLS certificate and private key, enabling the server to accept secure connections.--tlsflag to initiate a TLS connection and an--insecureflag to bypass certificate verification for development purposes.rustlsandtokio-rustlsfor the TLS logic. ASecureStreamenum was implemented to transparently handle both plain TCP and TLS streams in the connection logic for both the client and server.