pub struct ServerConfig {
    pub ignore_client_order: bool,
    pub max_fragment_size: Option<usize>,
    pub session_storage: Arc<dyn StoresServerSessions>,
    pub ticketer: Arc<dyn ProducesTickets>,
    pub cert_resolver: Arc<dyn ResolvesServerCert>,
    pub alpn_protocols: Vec<Vec<u8>>,
    pub key_log: Arc<dyn KeyLog>,
    pub enable_secret_extraction: bool,
    pub max_early_data_size: u32,
    pub send_half_rtt_data: bool,
    pub send_tls13_tickets: usize,
    pub time_provider: Arc<dyn TimeProvider>,
    pub cert_compressors: Vec<&'static dyn CertCompressor>,
    pub cert_compression_cache: Arc<CompressionCache>,
    pub cert_decompressors: Vec<&'static dyn CertDecompressor>,
    /* private fields */
}
Common configuration for a set of server sessions.
Making one of these is cheap, though one of the inputs may be expensive: gathering trust roots from the operating system to add to the RootCertStore passed to a ClientCertVerifier builder may take on the order of a few hundred milliseconds.
These must be created via the ServerConfig::builder() or ServerConfig::builder_with_provider() function.
Defaults
- ServerConfig::max_fragment_size: the default is None (meaning 16kB).
- ServerConfig::session_storage: if the std feature is enabled, the default stores 256 sessions in memory. If the std feature is not enabled, the default is to not store any sessions. In a no-std context, by enabling the hashbrown feature you may provide your own session_storage using ServerSessionMemoryCache and a crate::lock::MakeMutex implementation.
- ServerConfig::alpn_protocols: the default is empty – no ALPN protocol is negotiated.
- ServerConfig::key_log: key material is not logged.
- ServerConfig::send_tls13_tickets: 2 tickets are sent.
- ServerConfig::cert_compressors: depends on the crate features, see compress::default_cert_compressors().
- ServerConfig::cert_compression_cache: caches the most recently used 4 compressions.
- ServerConfig::cert_decompressors: depends on the crate features, see compress::default_cert_decompressors().
Sharing resumption storage between ServerConfigs
In a program using many ServerConfigs it may improve resumption rates (which has a significant impact on connection performance) if those configs share ServerConfig::session_storage or ServerConfig::ticketer.
However, caution is needed: other fields also affect the security of a session, and resumption between different sessions can be surprising. If you share ServerConfig::session_storage or ServerConfig::ticketer between two ServerConfigs, you should also evaluate the following fields and ensure they are equivalent:
- ServerConfig::verifier – client authentication requirements,
- ServerConfig::cert_resolver – server identities.
To illustrate, imagine two ServerConfigs A and B. A requires client authentication, B does not. If A and B shared a resumption store, it would be possible for a session originated by B (i.e., an unauthenticated client) to be inserted into the store, and then resumed by A. This would give a false impression to the user of A that the client was authenticated. This is possible whether the resumption is performed statefully (via ServerConfig::session_storage) or statelessly (via ServerConfig::ticketer).
Unlike ClientConfig, rustls does not enforce any policy here.
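The A/B hazard above, modelled as an added, dependency-free example (this is not rustls code, and ResumptionPolicy, may_share_resumption and SharedStore are constructed names): the policy equivalence check the docs ask for, plus a store that partitions entries by policy fingerprint so that a session created under B is never resumable by A, even when the storage object is shared.

```rust
use std::collections::HashMap;
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Model of the fields the docs say must be equivalent before two configs may share
// resumption storage (constructed for this example; these are not rustls' own types).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ResumptionPolicy {
    pub requires_client_auth: bool, // what ServerConfig::verifier would demand
    pub server_identity: String,    // what ServerConfig::cert_resolver would present
}

impl ResumptionPolicy {
    // Per-process fingerprint used to partition a shared store by policy.
    pub fn fingerprint(&self) -> u64 {
        let mut h = DefaultHasher::new();
        self.hash(&mut h);
        h.finish()
    }
}

// The check the docs ask for: share session_storage or a ticketer only between
// configs that agree on every security-relevant field.
pub fn may_share_resumption(a: &ResumptionPolicy, b: &ResumptionPolicy) -> bool {
    a == b
}

// Shared in-memory store mapping session id -> "client was authenticated". With
// `partitioned`, keys carry the policy fingerprint, so B's sessions are invisible to A.
pub struct SharedStore { entries: HashMap<Vec<u8>, bool>, partitioned: bool }

impl SharedStore {
    pub fn new(partitioned: bool) -> Self { SharedStore { entries: HashMap::new(), partitioned } }
    fn key(&self, p: &ResumptionPolicy, id: &[u8]) -> Vec<u8> {
        let mut k = Vec::new();
        if self.partitioned { k.extend_from_slice(&p.fingerprint().to_be_bytes()); }
        k.extend_from_slice(id);
        k
    }
    // Record a session after a full handshake under policy `p`.
    pub fn put(&mut self, p: &ResumptionPolicy, id: &[u8]) {
        let k = self.key(p, id);
        self.entries.insert(k, p.requires_client_auth);
    }
    // Resumption attempt under policy `p`: Some(client_authenticated) if a session was found.
    pub fn take(&mut self, p: &ResumptionPolicy, id: &[u8]) -> Option<bool> {
        let k = self.key(p, id);
        self.entries.remove(&k)
    }
}
```

With `partitioned` false the store reproduces the docs' false-impression case (A receives B's unauthenticated session); with it true, A's lookup misses and only B can resume its own session.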
Fields
ignore_client_order: bool
Ignore the client's ciphersuite order. Instead, choose the top ciphersuite in the server list which is supported by the client.
max_fragment_size: Option<usize>
The maximum size of plaintext input to be emitted in a single TLS record. A value of None is equivalent to the TLS maximum of 16 kB.
rustls enforces an arbitrary minimum of 32 bytes for this field. Out of range values are reported as errors from ServerConnection::new.
Setting this value to a little less than the TCP MSS may improve latency for stream-y workloads.
session_storage: Arc<dyn StoresServerSessions>
How to store client sessions.
See the ServerConfig documentation for a warning related to this field.
ticketer: Arc<dyn ProducesTickets>
How to produce tickets.
See the ServerConfig documentation for a warning related to this field.
cert_resolver: Arc<dyn ResolvesServerCert>
How to choose a server cert and key. This is usually set via ConfigBuilder::with_single_cert or ConfigBuilder::with_cert_resolver. For async applications, see also Acceptor.
alpn_protocols: Vec<Vec<u8>>
Protocol names we support, most preferred first. If empty we don't do ALPN at all.
key_log: Arc<dyn KeyLog>
How to output key material for debugging. The default does nothing.
enable_secret_extraction: bool
Allows traffic secrets to be extracted after the handshake, e.g. for kTLS setup.
max_early_data_size: u32
Amount of early data to accept for sessions created by this config. Specify 0 to disable early data. The default is 0.
Read the early data via ServerConnection::early_data.
The units for this are both plaintext bytes, and ciphertext bytes, depending on whether the server accepts a client's early_data or not. It is therefore recommended to include some slop in this value to account for the unknown amount of ciphertext expansion in the latter case.
send_half_rtt_data: bool
Whether the server should send "0.5RTT" data. This means the server sends data after its first flight of handshake messages, without waiting for the client to complete the handshake.
This can improve TTFB latency for either server-speaks-first protocols, or client-speaks-first protocols when paired with "0RTT" data. This comes at the cost of a subtle weakening of the normal handshake integrity guarantees that TLS provides. Note that the initial ClientHello is indirectly authenticated because it is included in the transcript used to derive the keys used to encrypt the data.
This only applies to TLS 1.3 connections. TLS 1.2 connections cannot do this optimisation and this setting is ignored for them. It is also ignored for TLS 1.3 connections that even attempt client authentication.
This defaults to false. This means the first application data sent by the server comes after receiving and validating the client's handshake up to the Finished message. This is the safest option.
send_tls13_tickets: usize
How many TLS 1.3 tickets to send immediately after a successful handshake.
Because TLS 1.3 tickets are single-use, this allows a client to perform multiple resumptions.
The default is 2.
If this is 0, no tickets are sent and clients will not be able to do any resumption.
time_provider: Arc<dyn TimeProvider>
Provides the current system time.
cert_compressors: Vec<&'static dyn CertCompressor>
How to compress the server's certificate chain.
If a client supports this extension, and advertises support for one of the compression algorithms included here, the server certificate will be compressed according to RFC8779.
This only applies to TLS 1.3 connections. It is ignored for TLS 1.2 connections.
cert_compression_cache: Arc<CompressionCache>
Caching for compressed certificates.
This is optional: compress::CompressionCache::Disabled gives a cache that does no caching.
cert_decompressors: Vec<&'static dyn CertDecompressor>
How to decompress the client's certificate chain.
If this is non-empty, the RFC8779 certificate compression extension is offered when requesting client authentication, and any compressed certificates are transparently decompressed during the handshake.
This only applies to TLS 1.3 connections. It is ignored for TLS 1.2 connections.
Implementations
impl ServerConfig
pub fn builder() -> ConfigBuilder<Self, WantsVerifier>
Create a builder for a server configuration with the process-default CryptoProvider and safe protocol version defaults.
For more information, refer to the ConfigBuilder documentation.
pub fn builder_with_protocol_versions(
    versions: &[&'static SupportedProtocolVersion],
) -> ConfigBuilder<Self, WantsVerifier>
Create a builder for a server configuration with the process-default CryptoProvider and the provided protocol versions.
Panics if
- the supported versions are not compatible with the provider (e.g. the combination of ciphersuites supported by the provider and supported versions leads to zero cipher suites being usable),
- a CryptoProvider cannot be resolved using a combination of the crate features and process default.
For more information, refer to the ConfigBuilder documentation.
pub fn builder_with_provider(
    provider: Arc<CryptoProvider>,
) -> ConfigBuilder<Self, WantsVersions>
Create a builder for a server configuration with a specific CryptoProvider.
This will use the provider's configured ciphersuites. You must additionally choose which protocol versions to enable, using with_protocol_versions or with_safe_default_protocol_versions and handling the Result in case a protocol version is not supported by the provider's ciphersuites.
For more information, refer to the ConfigBuilder documentation.
pub fn builder_with_details(
    provider: Arc<CryptoProvider>,
    time_provider: Arc<dyn TimeProvider>,
) -> ConfigBuilder<Self, WantsVersions>
Create a builder for a server configuration with no default implementation details.
This API must be used by no_std users.
You must provide a specific TimeProvider.
You must provide a specific CryptoProvider.
This will use the provider's configured ciphersuites. You must additionally choose which protocol versions to enable, using with_protocol_versions or with_safe_default_protocol_versions and handling the Result in case a protocol version is not supported by the provider's ciphersuites.
For more information, refer to the ConfigBuilder documentation.
pub fn fips(&self) -> bool
Return true if connections made with this ServerConfig will operate in FIPS mode.
This is different from CryptoProvider::fips(): CryptoProvider::fips() is concerned only with cryptography, whereas this also covers TLS-level configuration that NIST recommends.
pub fn crypto_provider(&self) -> &Arc<CryptoProvider>
Return the crypto provider used to construct this client configuration.
Trait Implementations
impl Clone for ServerConfig
fn clone(&self) -> ServerConfig
fn clone_from(&mut self, source: &Self)
source. Read more