alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2efd4cf7c5f0969112a28bca34b15e1b5a37b3bc
alknet/tasks/transport/tls-transport.md

2.4 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
transport/tls-transport Implement TlsTransport and TlsAcceptor (feature-gated tls) pending
transport/tcp-transport
transport/trait-and-types
moderate medium component implementation

Description

Implement TLS transport that wraps TCP with tokio-rustls. Client-side: TlsTransport establishes a TCP connection and wraps it with a TLS client session. Server-side: TlsAcceptor accepts TCP connections and wraps them with a TLS server session.

Supports:

  • Manual cert/key configuration (--tls-cert, --tls-key)
  • insecure mode (accept self-signed certs) for development
  • tls_server_name override for SNI (ADR-010)
  • Stealth mode support requires peeking at first bytes post-TLS-handshake (handled in server task, but TLS stream must support this)

Feature-gated behind tls feature flag.

Acceptance Criteria

  • crates/wraith-core/src/transport/tls.rs (behind #[cfg(feature = "tls")])
  • TlsTransport holds: target addr, optional tls_server_name, insecure flag, optional root cert for verification
  • TlsTransport::connect() does TCP connect then TLS client handshake via tokio_rustls::TlsConnector
  • When insecure, accepts any certificate (dangerous, webpki_roots::CertStore bypass or custom verifier)
  • When not insecure, verifies server cert against system roots + optional custom CA
  • TlsTransport::describe() returns e.g. "tls://example.com:443"
  • TlsAcceptor holds: TcpListener, ServerConfig (from rustls::ServerConfig)
  • TlsAcceptor::accept() does TCP accept then TLS server handshake via tokio_rustls::TlsAcceptor
  • TlsAcceptor constructor accepts: tls_cert path/data, tls_key path/data, optional ACME config (stub for now)
  • TransportInfo.transport_kind is TransportKind::Tls { server_name }
  • Module re-exported from transport/mod.rs behind #[cfg(feature = "tls")]
  • Unit tests for connect/accept with self-signed certs (insecure mode)
  • Integration test: full TLS client-to-server connection succeeds

References

  • docs/architecture/transport.md — TlsTransport row, TLS cert provisioning
  • docs/architecture/server.md — TLS certificate provisioning modes
  • docs/architecture/decisions/008-acme-lets-encrypt.md — ACME cert support (feature-gated)

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink