The following type aliases are available globally.
A custom verification callback.
This verification callback is usually called more than once per connection, as it is called once per certificate in the peer’s complete certificate chain (including the root CA). The calls proceed from root to leaf, ending with the peer’s leaf certificate. Each time it is invoked with 2 arguments:
- The result of the BoringSSL verification for this certificate
- The SSLCertificate for this level of the chain.
Please be cautious with calling out from this method. This method is always invoked on the event loop, so you must not block or wait. It is not possible to return an EventLoopFuture from this method, as it must not block or wait. Additionally, this method must take care to ensure that it does not cause any ChannelHandler to recursively call back into the NIOSSLHandler that triggered it, as making re-entrant calls into BoringSSL is not supported by SwiftNIO and leads to undefined behaviour.
In general, the only safe thing to do here is to either perform some cryptographic operations, to log, or to store the NIOSSLCertificate somewhere for later consumption. The easiest way to be sure that the NIOSSLCertificate is safe to consume is to wait for a user event that shows the handshake as completed, or for channelInactive.
Warning: This callback uses the old-style OpenSSL callback behaviour and is excessively complex to program with. Instead, prefer using the NIOSSLCustomVerificationCallback style which receives the entire trust chain at once, and also supports asynchronous certificate verification.
A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.
This verification callback is called no more than once per connection attempt. It is invoked with two arguments:
- The certificate chain presented by the peer, in the order the peer presented them (with the first certificate being the leaf certificate presented by the peer).
- An EventLoopPromise that must be completed to signal the result of the verification.
Please be cautious with calling out from this method. This method is always invoked on the event loop, so you must not block or wait. However, you may perform asynchronous work by leaving the event loop context: when the verification is complete you must complete the provided EventLoopPromise.
This method must take care to ensure that it does not cause any ChannelHandler to recursively call back into the NIOSSLHandler that triggered it, as making re-entrant calls into BoringSSL is not supported by SwiftNIO and leads to undefined behaviour. It is acceptable to leave the event loop context and then call into the NIOSSLHandler, as this will not be re-entrant.
Note that setting this callback will override all verification logic that BoringSSL provides.
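The following is an added example, not code from the NIOSSL project, showing the pattern the paragraphs above describe: the callback is entered on the event loop, hands the actual check to another queue, and completes the promise from there. It implements public-key pinning over the leaf certificate's SubjectPublicKeyInfo. It assumes the NIOSSL types named on this page (NIOSSLCustomVerificationCallback, NIOSSLCertificate, NIOSSLVerificationResult), NIOSSLClientHandler's customVerificationCallback initializer, and swift-crypto for SHA-256; the pin value and hostname are constructed placeholders.

```swift
import Foundation
import NIOCore
import NIOSSL
import Crypto  // swift-crypto, assumed to be a dependency of the package

/// Constructed placeholder: base64(SHA-256(SPKI)) of the key(s) you expect.
let pinnedSPKIHashes: Set<String> = ["<base64 sha256 of the pinned SPKI>"]

/// Builds a custom verification callback that accepts a peer only if the
/// SHA-256 of its leaf certificate's SubjectPublicKeyInfo matches a pin.
func makePinningVerifier(
    pins: Set<String>,
    workQueue: DispatchQueue = .global()
) -> NIOSSLCustomVerificationCallback {
    return { certificates, promise in
        // We are on the event loop here: no blocking, no synchronous
        // calls back into the NIOSSLHandler that invoked us.
        guard let leaf = certificates.first else {
            promise.succeed(.failed)
            return
        }
        // Leave the event loop context for the (cheap but synchronous)
        // DER/hash work, then complete the promise from that queue. NIO
        // hops back onto the promise's loop for us, so this is not re-entrant.
        workQueue.async {
            let result: NIOSSLVerificationResult
            do {
                let spki = try leaf.extractPublicKey().toSPKIBytes()
                let digest = SHA256.hash(data: spki)
                let encoded = Data(digest).base64EncodedString()
                result = pins.contains(encoded) ? .certificateVerified : .failed
            } catch {
                // Unparseable key material is a verification failure, not a crash.
                result = .failed
            }
            promise.succeed(result)
        }
    }
}

/// Wires the verifier into a client handler. Constructed hostname.
func makePinnedClientHandler() throws -> NIOSSLClientHandler {
    let context = try NIOSSLContext(configuration: .makeClientConfiguration())
    return try NIOSSLClientHandler(
        context: context,
        serverHostname: "service.example",
        customVerificationCallback: makePinningVerifier(pins: pinnedSPKIHashes)
    )
}
```

Because this callback replaces all of BoringSSL's verification, the pin check above is the only check that runs: expiry, hostname matching and chain building are not performed unless the callback does them itself. A pin alone is a reasonable choice for a fixed first-party endpoint; for anything else, do the full validation in the callback rather than relying on BoringSSL to add it.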
A callback that can be used to implement SSLKEYLOGFILE support.
Wireshark can decrypt packet captures that contain encrypted TLS connections if they have access to the session keys used to perform the encryption. These keys are normally stored in a file that has a specific file format. This callback is the low-level primitive that can be used to write such a file.
When set, this callback will be invoked once per secret. The provided ByteBuffer will contain the bytes that need to be written into the file, including the newline character.
Warning: Please be aware that enabling support for SSLKEYLOGFILE through this callback will put the secrecy of your connections at risk. You should only do so when you are confident that it will not be possible to extract those secrets unnecessarily.
public typealias NIOSSLKeyLogCallback = (ByteBuffer) -> Void
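An added example (not the project's own code) of the low-level primitive described above: it turns on key logging only when the SSLKEYLOGFILE environment variable is set, creates the file owner-readable only, and moves the file write off the event loop onto a serial queue so lines from different connections never interleave. It assumes TLSConfiguration's keyLogCallback property and the standard Foundation file APIs; the environment-variable gate is the conventional OpenSSL/NSS one, which is what Wireshark users expect.

```swift
import Foundation
import NIOCore
import NIOSSL

/// Returns a key-log callback writing to $SSLKEYLOGFILE, or nil when the
/// variable is unset so that the feature stays off by default.
func makeKeyLogCallback(
    environment: [String: String] = ProcessInfo.processInfo.environment
) -> NIOSSLKeyLogCallback? {
    guard let path = environment["SSLKEYLOGFILE"], !path.isEmpty else {
        return nil
    }
    // Create the file with mode 0600 so other local users cannot read secrets.
    if !FileManager.default.fileExists(atPath: path) {
        _ = FileManager.default.createFile(
            atPath: path,
            contents: nil,
            attributes: [.posixPermissions: 0o600]
        )
    }
    guard let handle = FileHandle(forWritingAtPath: path) else {
        return nil
    }
    handle.seekToEndOfFile()
    // One serial queue: the callback runs on whichever event loop owns the
    // connection, so writes from several loops must be ordered somewhere.
    let queue = DispatchQueue(label: "ssl.keylog.writer")
    return { buffer in
        // The buffer already contains the trailing newline; copy it out now
        // because the ByteBuffer is only valid for the duration of the call.
        let line = Data(buffer.readableBytesView)
        queue.async { handle.write(line) }
    }
}

/// Client configuration with key logging wired in when requested.
func makeDebuggableClientConfiguration() -> TLSConfiguration {
    var config = TLSConfiguration.makeClientConfiguration()
    config.keyLogCallback = makeKeyLogCallback()
    return config
}
```

Keep the gate: a build that unconditionally writes secrets, or one that reads the path from request data, turns a debugging aid into a disclosure of every session's traffic keys.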
A representation of BoringSSL’s internal error stack: a list of BoringSSL errors.
public typealias NIOBoringSSLErrorStack = [BoringSSLInternalError]
NIOSSLPassphraseCallback is a callback that will be invoked by NIOSSL when it needs to get access to a private key that is stored in encrypted form.
This callback will be invoked with one argument, a non-escaping closure that must be called with the passphrase. Failing to call the closure will cause decryption to fail.
The reason this design has been used is to allow you to secure any memory storing the passphrase after use. We guarantee that after the NIOSSLPassphraseSetter closure has been invoked the Collection you have passed in will no longer be needed by BoringSSL, and so you can safely destroy any memory it may be using if you need to.
public typealias NIOSSLPassphraseCallback<Bytes> = (NIOSSLPassphraseSetter<Bytes>) throws -> Void where Bytes : Collection, Bytes.Element == UInt8
NIOSSLPassphraseSetter is a closure that you must invoke to provide a passphrase to BoringSSL. It will be provided to you when your NIOSSLPassphraseCallback is invoked.
public typealias NIOSSLPassphraseSetter<Bytes> = (Bytes) -> Void where Bytes : Collection, Bytes.Element == UInt8
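An added example, not from the NIOSSL project, of using the two passphrase type aliases together: the callback obtains the passphrase, hands it to the setter, and then overwrites its own copy, relying on the guarantee above that BoringSSL no longer needs the bytes once the setter has returned. It assumes the NIOSSLPrivateKey(file:format:passphraseCallback:) initializer and TLSConfiguration.makeServerConfiguration; the file paths and the environment-variable passphrase source are constructed placeholders.

```swift
import Foundation
import NIOSSL

/// Loads an encrypted PEM private key. `passphraseSource` must return a
/// fresh array each time so that zeroing it afterwards scrubs the only copy.
func loadEncryptedKey(
    path: String,
    passphraseSource: @escaping () -> [UInt8]
) throws -> NIOSSLPrivateKey {
    return try NIOSSLPrivateKey(file: path, format: .pem) {
        (setter: NIOSSLPassphraseSetter<[UInt8]>) in
        var passphrase = passphraseSource()
        defer {
            // Runs after setter has returned: the Collection is no longer
            // needed by BoringSSL, so overwrite it before it is released.
            // Best effort only; Swift gives no guarantee the optimizer keeps
            // a store to memory that is never read again.
            for i in passphrase.indices {
                passphrase[i] = 0
            }
        }
        // Failing to call the setter makes decryption fail, so call it
        // exactly once on the success path.
        setter(passphrase)
    }
}

/// Builds a server configuration from an encrypted key. Constructed paths;
/// a secrets manager or keychain is the usual passphrase source in practice.
func makeServerConfiguration() throws -> TLSConfiguration {
    let key = try loadEncryptedKey(path: "/etc/myservice/key.pem") {
        Array((ProcessInfo.processInfo.environment["KEY_PASSPHRASE"] ?? "").utf8)
    }
    return TLSConfiguration.makeServerConfiguration(
        certificateChain: [.file("/etc/myservice/chain.pem")],
        privateKey: .privateKey(key)
    )
}
```

The callback is marked `throws` in the type alias, so an unavailable secret can be surfaced by throwing from inside the closure instead of calling the setter with an empty array; either way the key load fails, but a thrown error carries the reason up to the caller.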