add ktls handling

2026-05-24 00:20:37 +00:00 · 2024-08-21 14:42:41 +01:00
parent 987a859352
commit aabbd55187
4 changed files with 26 additions and 9 deletions
--- a/proxy/src/config.rs
+++ b/proxy/src/config.rs
@@ -110,13 +110,19 @@ pub fn configure_tls(

    let cert_resolver = Arc::new(cert_resolver);

+    let provider = rustls::crypto::aws_lc_rs::default_provider();
+    #[cfg(target_os = "linux")]
+    let provider = {
+        let mut provider = provider;
+        let compat = ktls::CompatibleCiphers::new()?;
+        provider.cipher_suites.retain(|s| compat.is_supported(s));
+    };
+
    // allow TLS 1.2 to be compatible with older client libraries
-    let mut config = rustls::ServerConfig::builder_with_protocol_versions(&[
-        &rustls::version::TLS13,
-        &rustls::version::TLS12,
-    ])
-    .with_no_client_auth()
-    .with_cert_resolver(cert_resolver.clone());
+    let mut config = rustls::ServerConfig::builder_with_provider(Arc::new(provider))
+        .with_protocol_versions(&[&rustls::version::TLS13, &rustls::version::TLS12])?
+        .with_no_client_auth()
+        .with_cert_resolver(cert_resolver.clone());

    config.alpn_protocols = vec![PG_ALPN_PROTOCOL.to_vec()];

--- a/proxy/src/proxy/handshake.rs
+++ b/proxy/src/proxy/handshake.rs
@@ -32,6 +32,10 @@ pub enum HandshakeError {
    #[error("{0}")]
    StreamUpgradeError(#[from] StreamUpgradeError),

+    #[cfg(target_os = "linux")]
+    #[error("{0}")]
+    KtlsUpgradeError(#[from] ktls::Error),
+
    #[error("{0}")]
    Io(#[from] std::io::Error),

@@ -119,6 +123,9 @@ pub async fn handshake<S: AsyncRead + AsyncWrite + Unpin>(
                            ));
                        };

+                        #[cfg(target_os = "linux")]
+                        let raw = ktls::CorkStream::new(raw);
+
                        let mut read_buf = read_buf.reader();
                        let mut res = Ok(());
                        let accept = tokio_rustls::TlsAcceptor::from(tls.to_server_config())
@@ -179,7 +186,7 @@ pub async fn handshake<S: AsyncRead + AsyncWrite + Unpin>(
                                    #[cfg(not(target_os = "linux"))]
                                    tls: Box::new(tls_stream),
                                    #[cfg(target_os = "linux")]
-                                    tls: {},
+                                    tls: ktls::config_ktls_server(tls_stream)?,
                                    tls_server_end_point,
                                },
                                read_buf,