DTLS v1.2 support in newer OpenSSL (1.1 and 3.0) and LibreSSL 3.3.2

[dbodden-pesa]

We are using DTLSv1_2 methods w/ OpenSSL 3.

These are not exposed, however I tested with the following diff, and it seems to work:

diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs
index f179a04a..e11be066 100644
--- a/openssl-sys/src/handwritten/ssl.rs
+++ b/openssl-sys/src/handwritten/ssl.rs
@@ -679,6 +679,8 @@ cfg_if! {
             pub fn TLS_server_method() -> *const SSL_METHOD;
 
             pub fn TLS_client_method() -> *const SSL_METHOD;
+
+            pub fn DTLSv1_2_method() -> *const SSL_METHOD;
         }
     } else {
         extern "C" {
@@ -699,7 +701,7 @@ cfg_if! {
 
             pub fn DTLSv1_method() -> *const SSL_METHOD;
 
-            #[cfg(ossl102)]
+            #[cfg(any(ossl102,libressl332))]
             pub fn DTLSv1_2_method() -> *const SSL_METHOD;
         }
     }

I have not tested the LibreSSL related change, but according to this link it should be correct:

openbsd/src@e6d8839

I can make a pull request if you like. Not sure the general upstreaming guidelines.

-Doug

[sfackler]

Sure - feel free to make a PR

[dbodden-pesa]

Ok I have a branch ready to go (minor revisions). Can't push a branch up, need perms I think.

[sfackler]

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request

[dbodden-pesa]

#1829

[sfackler]

Actually, are you sure the new binding is actually needed? Typically you'd just use DTLS_method and the configure the context around what DTLS versions you wanted to support.

[dbodden-pesa]

We believe we need it as we have to specify the version of dTLS to do what we need to do. Is there some documentation to configure the context in rust-openssl? IS there any reason to stop exposing these methods? The explicitly versioned symbols were already being exposed in the existing mainline; unless you want to remove all the other publicly exposed methods what reason would there be not to do this as well?

[sfackler]

In the modern era of OpenSSL (I think 1.1.0 and newer?) applications should only use TLS_method and DTLS_method. The others only exist for backwards compatibility.

You can use https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_options along with https://docs.rs/openssl/latest/openssl/ssl/struct.SslOptions.html#associatedconstant.NO_DTLSV1.

[dbodden-pesa]

I am reading the OpenSSL source because I don't see any obvious way or examples in the rust-openssl package to apply the necessary settings for dTLS. Can you point me to anything in particular?

[sfackler]

rust-openssl/openssl/src/ssl/connector.rs

Line 235 in 9ea51ec

ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1);

Replace NO_TLSV1 with NO_DTLSV1.

[dbodden-pesa]

In order to utilize the SslAcceptorBuilder to build a custom acceptor in this manner, I believe I needed to expose the SslContextBuilder as a public member. I have some code making these changes in connector.rs. Unless I misunderstood something:

diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 39f729df..eeedd067 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -245,7 +245,7 @@ impl SslAcceptor {
         ctx.set_ciphersuites(
             "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
         )?;
-        Ok(SslAcceptorBuilder(ctx))
+        Ok(SslAcceptorBuilder {cbuilder: ctx })
     }
 
     /// Creates a new builder configured to connect to modern clients.
@@ -263,7 +263,7 @@ impl SslAcceptor {
         ctx.set_ciphersuites(
             "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
         )?;
-        Ok(SslAcceptorBuilder(ctx))
+        Ok(SslAcceptorBuilder {cbuilder: ctx })
     }
 
     /// Creates a new builder configured to connect to non-legacy clients. This should generally be
@@ -292,7 +292,7 @@ impl SslAcceptor {
              EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:\
              AES256-SHA:DES-CBC3-SHA:!DSS",
         )?;
-        Ok(SslAcceptorBuilder(ctx))
+        Ok(SslAcceptorBuilder {cbuilder: ctx })
     }
 
     /// Creates a new builder configured to connect to modern clients.
@@ -315,7 +315,7 @@ impl SslAcceptor {
              ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
              ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
         )?;
-        Ok(SslAcceptorBuilder(ctx))
+        Ok(SslAcceptorBuilder {cbuilder: ctx })
     }
 
     /// Initiates a server-side TLS session on a stream.
@@ -339,12 +339,14 @@ impl SslAcceptor {
 }
 
 /// A builder for `SslAcceptor`s.
-pub struct SslAcceptorBuilder(SslContextBuilder);
+pub struct SslAcceptorBuilder {
+    pub cbuilder: SslContextBuilder
+}
 
 impl SslAcceptorBuilder {
     /// Consumes the builder, returning a `SslAcceptor`.
     pub fn build(self) -> SslAcceptor {
-        SslAcceptor(self.0.build())
+        SslAcceptor(self.cbuilder.build())
     }
 }
 
@@ -352,13 +354,13 @@ impl Deref for SslAcceptorBuilder {
     type Target = SslContextBuilder;
 
     fn deref(&self) -> &SslContextBuilder {
-        &self.0
+        &self.cbuilder
     }
 }
 
 impl DerefMut for SslAcceptorBuilder {
     fn deref_mut(&mut self) -> &mut SslContextBuilder {
-        &mut self.0
+        &mut self.cbuilder
     }
 }

[sfackler]

You definitely do not need to make it public. The Deref trait allows you to call methods on it through SslAcceptorBuilder.