alknet/tasks/transport/tls-transport.md
glm-5.1 5c820a41e9 tasks: decompose Phase 0a ADR foundation and mark prior tasks completed
Add 10 new tasks under tasks/architecture/ for Phase 0a (ADR writing):
- 9 ADR tasks (026-034) with dependency-ordered structure
- 1 review checkpoint task before Phase 0b spec writing

ADR dependency graph (3 generations):
  Gen 1 (parallel): 026, 029, 030, 031, 032, 034
  Gen 2 (depends on 029): 027, 028
  Gen 3 (depends on 027+028): 033
  Gen 4: review checkpoint

Also mark all 34 prior implementation tasks as completed — they
were finished but still showing as pending in the taskgraph.
2026-06-07 08:55:33 +00:00


---
id: transport/tls-transport
name: Implement TlsTransport and TlsAcceptor (feature-gated tls)
status: completed
depends_on:
- transport/tcp-transport
- transport/trait-and-types
scope: moderate
risk: medium
impact: component
level: implementation
---
## Description
Implement TLS transport that wraps TCP with `tokio-rustls`. Client-side: `TlsTransport` establishes a TCP connection and wraps it with a TLS client session. Server-side: `TlsAcceptor` accepts TCP connections and wraps them with a TLS server session.
Supports:
- Manual cert/key configuration (`--tls-cert`, `--tls-key`)
- Insecure mode (accept self-signed certs) for development
- `tls_server_name` override for SNI (ADR-010)
- Stealth mode: the server task needs to peek at the first bytes after the TLS handshake, so the TLS stream must support inspecting those bytes without consuming them (the peek itself is handled in the server task)
Feature-gated behind `tls` feature flag.
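The peek requirement in the stealth-mode item above, as an added example that is not part of this task or the alknet code base: a std-only, synchronous `PeekStream` wrapper (the name is assumed) that buffers the leading bytes of any `Read` stream, such as the post-handshake TLS stream, so the server task can inspect them without consuming them. The async version for `tokio-rustls` would implement `AsyncRead` with the same buffer-and-replay logic.

```rust
use std::io::{self, Read};

/// Wraps a byte stream so its first bytes can be inspected without being
/// consumed. TLS streams have no native peek, so bytes read for inspection
/// are buffered here and replayed to whoever reads the stream next.
pub struct PeekStream<S> {
    inner: S,
    buf: Vec<u8>, // bytes pulled from `inner` but not yet handed out
    pos: usize,   // how many of `buf` have already been handed out
}

impl<S: Read> PeekStream<S> {
    pub fn new(inner: S) -> Self {
        PeekStream { inner, buf: Vec::new(), pos: 0 }
    }

    /// Returns up to `n` leading bytes, reading from the inner stream as
    /// needed. A result shorter than `n` means the peer closed the stream
    /// before sending that many bytes; nothing is consumed either way.
    pub fn peek(&mut self, n: usize) -> io::Result<&[u8]> {
        while self.buf.len() - self.pos < n {
            let mut tmp = [0u8; 1024];
            let got = self.inner.read(&mut tmp)?;
            if got == 0 {
                break; // EOF: hand back whatever arrived
            }
            self.buf.extend_from_slice(&tmp[..got]);
        }
        let end = (self.pos + n).min(self.buf.len());
        Ok(&self.buf[self.pos..end])
    }
}

impl<S: Read> Read for PeekStream<S> {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        // Drain replayed bytes first so the protocol handler sees the
        // stream exactly as the peer sent it.
        if self.pos < self.buf.len() {
            let n = (self.buf.len() - self.pos).min(out.len());
            out[..n].copy_from_slice(&self.buf[self.pos..self.pos + n]);
            self.pos += n;
            if self.pos == self.buf.len() {
                self.buf.clear();
                self.pos = 0;
            }
            return Ok(n);
        }
        self.inner.read(out)
    }
}
```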
## Acceptance Criteria
- [ ] `crates/alknet-core/src/transport/tls.rs` (behind `#[cfg(feature = "tls")]`)
- [ ] `TlsTransport` holds: target addr, optional `tls_server_name`, `insecure` flag, optional root cert for verification
- [ ] `TlsTransport::connect()` does TCP connect then TLS client handshake via `tokio_rustls::TlsConnector`
- [ ] When `insecure`, accepts any certificate (dangerous, `webpki_roots::CertStore` bypass or custom verifier)
- [ ] When not `insecure`, verifies server cert against system roots + optional custom CA
- [ ] `TlsTransport::describe()` returns e.g. `"tls://example.com:443"`
- [ ] `TlsAcceptor` holds: `TcpListener`, `ServerConfig` (from `rustls::ServerConfig`)
- [ ] `TlsAcceptor::accept()` does TCP accept then TLS server handshake via `tokio_rustls::TlsAcceptor`
- [ ] `TlsAcceptor` constructor accepts: `tls_cert` path/data, `tls_key` path/data, optional ACME config (stub for now)
- [ ] `TransportInfo.transport_kind` is `TransportKind::Tls { server_name }`
- [ ] Module re-exported from `transport/mod.rs` behind `#[cfg(feature = "tls")]`
- [ ] Unit tests for connect/accept with self-signed certs (insecure mode)
- [ ] Integration test: full TLS client-to-server connection succeeds
## References
- docs/architecture/transport.md — TlsTransport row, TLS cert provisioning
- docs/architecture/server.md — TLS certificate provisioning modes
- docs/architecture/decisions/008-acme-lets-encrypt.md — ACME cert support (feature-gated)
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion