TLS server configuration and client certificate verification.
Builds a rustls::ServerConfig from the Kipuka [tls] config section.
Supports:
- Server certificate chain and private key loading from PEM files
- Client certificate verification with a dedicated EST truststore (RHELBU-3536 R18: separate from admin truststore)
- TLS 1.2+ enforcement (NIAP CA PP FTP_TRP.1)
- Channel binding computation for tls-server-end-point (RFC 5929)
- OCSP response stapling (RFC 6066 Section 8 / RFC 7633)
§OCSP Stapling (RFC 6066 Section 8)
When OCSP stapling is enabled, the server fetches an OCSP response for
its own certificate from the OCSP responder (extracted from the AIA
extension or configured explicitly) and provides it during the TLS
handshake via the status_request extension.
§Must-Staple (RFC 7633)
If the server’s TLS certificate contains the TLS Feature Extension
(OID 1.3.6.1.5.5.7.1.24, value status_request(5)), the server MUST
provide a stapled OCSP response. Compliant clients abort the handshake
if no response is stapled. The OcspStapler background task handles
periodic refresh of the stapled response.
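The must-staple check described above amounts to locating one extension inside the certificate's DER. The following is an added example, not Kipuka's own has_must_staple_extension and not rustls code: it walks DER tag-length-value nodes with a small strict parser (indefinite and non-minimal lengths are rejected, so a malformed input reads as "no must-staple" rather than panicking), looks for a SEQUENCE shaped like an X.509 Extension whose OID is 1.3.6.1.5.5.7.1.24, and requires that the TLS Feature list contain status_request(5); a list carrying only status_request_v2(17) does not count. The function names, and the sample Extensions block built by sample_extensions, are constructed for this example.

```rust
// Added example (not Kipuka's code): detect the RFC 7633 TLS Feature extension
// (OID 1.3.6.1.5.5.7.1.24) carrying status_request(5) in a DER structure.

/// Content bytes of the DER-encoded OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature).
const TLS_FEATURE_OID: &[u8] = &[0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x18];
const TAG_BOOLEAN: u8 = 0x01;
const TAG_INTEGER: u8 = 0x02;
const TAG_OCTET_STRING: u8 = 0x04;
const TAG_OID: u8 = 0x06;
const TAG_SEQUENCE: u8 = 0x30;

/// One DER TLV: its tag, its content bytes, and whatever follows it.
struct Tlv<'a> {
    tag: u8,
    value: &'a [u8],
    rest: &'a [u8],
}

/// Parse a single TLV from the front of `input`. DER forbids the indefinite form
/// (0x80) and non-minimal lengths; both are rejected, as are truncated bodies.
fn read_tlv(input: &[u8]) -> Option<Tlv<'_>> {
    let (&tag, after_tag) = input.split_first()?;
    let (&len0, after_len0) = after_tag.split_first()?;
    let (len, body) = if len0 < 0x80 {
        (len0 as usize, after_len0)
    } else {
        let n = (len0 & 0x7F) as usize;
        if n == 0 || n > 4 || after_len0.len() < n || after_len0[0] == 0 {
            return None;
        }
        let len = after_len0[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 {
            return None; // long form used where short form was required
        }
        (len, &after_len0[n..])
    };
    if body.len() < len {
        return None;
    }
    let (value, rest) = body.split_at(len);
    Some(Tlv { tag, value, rest })
}

/// Split a constructed value (e.g. a SEQUENCE body) into its (tag, content) children.
fn children(mut value: &[u8]) -> Option<Vec<(u8, &[u8])>> {
    let mut out = Vec::new();
    while !value.is_empty() {
        let tlv = read_tlv(value)?;
        out.push((tlv.tag, tlv.value));
        value = tlv.rest;
    }
    Some(out)
}

/// Is `ext` the body of Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
/// with the TLS Feature OID and a feature list containing status_request(5)?
fn is_must_staple_extension(ext: &[u8]) -> Option<bool> {
    let fields = children(ext)?;
    let &(first_tag, oid) = fields.first()?;
    let &(last_tag, octets) = fields.last()?;
    if fields.len() < 2 || first_tag != TAG_OID || oid != TLS_FEATURE_OID || last_tag != TAG_OCTET_STRING {
        return Some(false);
    }
    // extnValue wraps Features ::= SEQUENCE OF INTEGER (RFC 7633 section 3).
    let inner = children(octets)?;
    if inner.len() != 1 || inner[0].0 != TAG_SEQUENCE {
        return Some(false);
    }
    let features = children(inner[0].1)?;
    Some(features.iter().any(|&(t, v)| t == TAG_INTEGER && v == [0x05u8].as_slice()))
}

/// Recursive search over every constructed node; primitives are not descended into.
fn node_has_must_staple(tag: u8, value: &[u8]) -> bool {
    if tag & 0x20 == 0 {
        return false;
    }
    if tag == TAG_SEQUENCE && is_must_staple_extension(value) == Some(true) {
        return true;
    }
    children(value)
        .map(|nodes| nodes.iter().any(|&(t, v)| node_has_must_staple(t, v)))
        .unwrap_or(false)
}

/// Public entry point: true when the DER input contains a must-staple TLS Feature extension.
pub fn der_has_must_staple(der: &[u8]) -> bool {
    children(der)
        .map(|nodes| nodes.iter().any(|&(t, v)| node_has_must_staple(t, v)))
        .unwrap_or(false)
}

/// Short-form DER TLV builder used only to construct the sample input below.
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    assert!(content.len() < 0x80, "sample builder handles short-form lengths only");
    let mut out = vec![tag, content.len() as u8];
    out.extend_from_slice(content);
    out
}

/// Constructed sample (not a real certificate): an X.509 Extensions block,
/// [3] EXPLICIT SEQUENCE OF Extension, holding basicConstraints plus a
/// TLS Feature extension whose feature list is `features`.
pub fn sample_extensions(features: &[u8]) -> Vec<u8> {
    let basic_constraints = tlv(TAG_SEQUENCE, &[
        tlv(TAG_OID, &[0x55, 0x1D, 0x13]), // 2.5.29.19
        tlv(TAG_BOOLEAN, &[0xFF]),         // critical TRUE
        tlv(TAG_OCTET_STRING, &tlv(TAG_SEQUENCE, &tlv(TAG_BOOLEAN, &[0xFF]))),
    ].concat());
    let feature_list: Vec<u8> = features.iter().flat_map(|&f| tlv(TAG_INTEGER, &[f])).collect();
    let tls_feature = tlv(TAG_SEQUENCE, &[
        tlv(TAG_OID, TLS_FEATURE_OID),
        tlv(TAG_OCTET_STRING, &tlv(TAG_SEQUENCE, &feature_list)),
    ].concat());
    tlv(0xA3, &tlv(TAG_SEQUENCE, &[basic_constraints, tls_feature].concat()))
}

fn main() {
    println!("status_request(5):    {}", der_has_must_staple(&sample_extensions(&[5])));
    println!("status_request_v2 only: {}", der_has_must_staple(&sample_extensions(&[17])));
}
```

The recursive walk means the check works on a whole Certificate as well as on an isolated Extensions block, because it descends through tbsCertificate into the [3] extensions wrapper. On a real deployment the outcome of this check is what decides whether a missing stapled response is a soft failure or a handshake-breaking one, so it belongs in a startup health check as much as in the acceptor itself.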
Structs§
- OcspStapler - Background task that periodically refreshes the stapled OCSP response.
- StapledOcspResponse - Cached OCSP response for TLS stapling.
Functions§
- build_tls_acceptor - Build a TlsAcceptor from the Kipuka TLS configuration.
- compute_channel_binding - Compute the tls-server-end-point channel binding value (RFC 5929).
- has_must_staple_extension - Check whether a DER-encoded certificate contains the TLS Feature Extension (must-staple, OID 1.3.6.1.5.5.7.1.24).
Type Aliases§
- OcspResponseHandle - Shared handle to the current stapled OCSP response.