alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
596c89ce24ac5974512a57ccd0380bde81818af8
alknet/tasks/transport/tls-transport.md
glm-5.1 596c89ce24 refactor!: rebrand wraith to alknet 
Rename all crates, CLI commands, constants, type names, doc comments,
and documentation from wraith to alknet. Includes wire-protocol changes:
ALPN wraith-ssh -> alknet-ssh, reserved destination prefix wraith- ->
alknet-, SSH auth username wraith -> alknet.
2026-06-05 10:04:32 +00:00

2.4 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
transport/tls-transport Implement TlsTransport and TlsAcceptor (feature-gated tls) pending
transport/tcp-transport
transport/trait-and-types
moderate medium component implementation

Description

Implement TLS transport that wraps TCP with tokio-rustls. Client-side: TlsTransport establishes a TCP connection and wraps it with a TLS client session. Server-side: TlsAcceptor accepts TCP connections and wraps them with a TLS server session.

Supports:

  • Manual cert/key configuration (--tls-cert, --tls-key)
  • insecure mode (accept self-signed certs) for development
  • tls_server_name override for SNI (ADR-010)
  • Stealth mode support requires peeking at first bytes post-TLS-handshake (handled in server task, but TLS stream must support this)

Feature-gated behind tls feature flag.

Acceptance Criteria

  • crates/alknet-core/src/transport/tls.rs (behind #[cfg(feature = "tls")])
  • TlsTransport holds: target addr, optional tls_server_name, insecure flag, optional root cert for verification
  • TlsTransport::connect() does TCP connect then TLS client handshake via tokio_rustls::TlsConnector
  • When insecure, accepts any certificate (dangerous, webpki_roots::CertStore bypass or custom verifier)
  • When not insecure, verifies server cert against system roots + optional custom CA
  • TlsTransport::describe() returns e.g. "tls://example.com:443"
  • TlsAcceptor holds: TcpListener, ServerConfig (from rustls::ServerConfig)
  • TlsAcceptor::accept() does TCP accept then TLS server handshake via tokio_rustls::TlsAcceptor
  • TlsAcceptor constructor accepts: tls_cert path/data, tls_key path/data, optional ACME config (stub for now)
  • TransportInfo.transport_kind is TransportKind::Tls { server_name }
  • Module re-exported from transport/mod.rs behind #[cfg(feature = "tls")]
  • Unit tests for connect/accept with self-signed certs (insecure mode)
  • Integration test: full TLS client-to-server connection succeeds

References

  • docs/architecture/transport.md — TlsTransport row, TLS cert provisioning
  • docs/architecture/server.md — TLS certificate provisioning modes
  • docs/architecture/decisions/008-acme-lets-encrypt.md — ACME cert support (feature-gated)

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink