Expose DTLS version constants in SslVersion#503
vynious wants to merge 1 commit into cloudflare:master from
Conversation
Pull request overview
This PR exposes DTLS protocol version constants through the Rust SslVersion type, allowing applications to configure and inspect DTLS versions (e.g., via min/max protocol constraints) when using BoringSSL-backed TLS/DTLS APIs.
Changes:
- Add `SslVersion::DTLS1`, `SslVersion::DTLS1_2`, and `SslVersion::DTLS1_3` constants backed by BoringSSL version macros.
- Extend `SslVersion`'s `TryFrom<u16>`, `Debug`, and `Display` implementations to recognize/format DTLS versions.
- Add an integration-style test that negotiates DTLS 1.3 and asserts the negotiated version and version string.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| boring/src/ssl/mod.rs | Adds DTLS version constants and extends TryFrom/Debug/Display to cover DTLS variants. |
| boring/src/ssl/test/mod.rs | Adds a DTLS 1.3 negotiation test to validate enabling and observing DTLS 1.3. |
| // Enable DTLS 1.3 | ||
| ctx.set_max_proto_version(Some(SslVersion::DTLS1_3)) | ||
| .unwrap(); | ||
| let mut ssl = Ssl::new(&ctx.build()).unwrap(); | ||
| ssl.set_mtu(1500).unwrap(); | ||
| let stream = ssl.accept(stream).unwrap(); | ||
|
|
||
| // Verify DTLS 1.3 was negotiated | ||
| let version = stream.ssl().version2().unwrap(); | ||
| assert_eq!(version, SslVersion::DTLS1_3); | ||
|
|
||
| stream | ||
| }); | ||
|
|
||
| let stream = TcpStream::connect(addr).unwrap(); | ||
| let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); | ||
| // Enable DTLS 1.3 on client | ||
| ctx.set_max_proto_version(Some(SslVersion::DTLS1_3)) | ||
| .unwrap(); |
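Review bot: the "// Enable DTLS 1.3" comments on the server and client contexts overstate what set_max_proto_version does: it only raises the ceiling of the version window, so a peer or a build that stops at DTLS 1.2 still completes the handshake at DTLS 1.2, and the intent of the test then surfaces only as the assert_eq!(version, SslVersion::DTLS1_3) failing inside the spawned server closure rather than as a configuration-time error. Pin both ends on both contexts, e.g. add ctx.set_min_proto_version(Some(SslVersion::DTLS1_3)).unwrap(); directly after each set_max_proto_version call, so that a handshake that cannot reach DTLS 1.3 fails closed instead of quietly negotiating an older version.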
In this test, only set_max_proto_version(Some(SslVersion::DTLS1_3)) is set on each side, which still allows negotiating an older DTLS version if DTLS 1.3 ends up disabled/unavailable at runtime. To make the test’s intent (“negotiate DTLS 1.3”) more deterministic, consider also setting the minimum proto version to DTLS1_3 on both client and server contexts.
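To make the point of the comment above concrete, here is an added example that is not part of this PR or of the boring crate: a small Rust model of the [min, max] protocol-version window an endpoint configures and of what a peer that cannot speak the newest version negotiates against it. `SslVersion` carries the BoringSSL `TLS1_3_VERSION` / `DTLS1_*_VERSION` wire values; `DtlsContextBuilder` is a stand-in with the same `set_min_proto_version` / `set_max_proto_version(Option<SslVersion>)` shape as boring's builder; the DTLS-1.2-only default window, the `rank` and `negotiate` helpers, and the "legacy" peer are assumptions of the model, not library behaviour. It also shows why DTLS constants cannot be ordered by their raw `u16`: newer DTLS versions have smaller wire values.

```rust
// Added example (not from the boring crate or this PR): a self-contained model
// of how an endpoint's configured [min, max] version window is resolved
// against a peer's window. Wire values are the BoringSSL constants; the
// builder mirrors boring's set_min/max_proto_version(Option<SslVersion>) shape;
// the DTLS 1.2-only default window is an assumption of the model.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct SslVersion(pub u16);

impl SslVersion {
    pub const TLS1_3: SslVersion = SslVersion(0x0304);
    pub const DTLS1: SslVersion = SslVersion(0xFEFF);
    pub const DTLS1_2: SslVersion = SslVersion(0xFEFD);
    pub const DTLS1_3: SslVersion = SslVersion(0xFEFC);

    /// DTLS versions are 0xFE-prefixed and get numerically *smaller* as the
    /// protocol gets newer, so the raw u16 must never be compared directly.
    pub fn is_dtls(self) -> bool {
        self.0 & 0xFF00 == 0xFE00
    }

    /// Family-aware ordering: a larger rank is always a newer protocol.
    pub fn rank(self) -> u16 {
        if self.is_dtls() { 0xFFFF - self.0 } else { self.0 }
    }
}

/// Every version a DTLS endpoint in this model can offer, oldest first.
const DTLS_VERSIONS: [SslVersion; 3] =
    [SslVersion::DTLS1, SslVersion::DTLS1_2, SslVersion::DTLS1_3];

/// Assumed library default used when a bound is unset (`None`).
const DEFAULT_DTLS: SslVersion = SslVersion::DTLS1_2;

pub struct DtlsContextBuilder {
    min: SslVersion,
    max: SslVersion,
}

impl DtlsContextBuilder {
    pub fn new() -> Self {
        Self { min: DEFAULT_DTLS, max: DEFAULT_DTLS }
    }

    /// A TLS value on a DTLS context is a configuration error, not a no-op.
    fn bound(v: Option<SslVersion>) -> Result<SslVersion, &'static str> {
        match v {
            Some(v) if v.is_dtls() => Ok(v),
            Some(_) => Err("not a DTLS version"),
            None => Ok(DEFAULT_DTLS),
        }
    }

    pub fn set_min_proto_version(&mut self, v: Option<SslVersion>) -> Result<(), &'static str> {
        self.min = Self::bound(v)?;
        Ok(())
    }

    pub fn set_max_proto_version(&mut self, v: Option<SslVersion>) -> Result<(), &'static str> {
        self.max = Self::bound(v)?;
        Ok(())
    }

    fn allows(&self, v: SslVersion) -> bool {
        v.rank() >= self.min.rank() && v.rank() <= self.max.rank()
    }
}

/// Newest version inside both windows, or an error when they are disjoint.
pub fn negotiate(
    server: &DtlsContextBuilder,
    client: &DtlsContextBuilder,
) -> Result<SslVersion, &'static str> {
    DTLS_VERSIONS
        .iter()
        .rev()
        .copied()
        .find(|v| server.allows(*v) && client.allows(*v))
        .ok_or("no protocol version in common")
}

/// The review's scenario: a server that only raises its maximum to DTLS 1.3,
/// against a constructed peer whose window stops at DTLS 1.2, and then the
/// same server with its minimum pinned as well.
pub fn max_only_vs_pinned() -> (Result<SslVersion, &'static str>, Result<SslVersion, &'static str>) {
    let legacy_peer = DtlsContextBuilder::new(); // window is [DTLS1_2, DTLS1_2]

    let mut max_only = DtlsContextBuilder::new();
    max_only.set_max_proto_version(Some(SslVersion::DTLS1_3)).unwrap();
    let downgraded = negotiate(&max_only, &legacy_peer); // lands on DTLS 1.2

    let mut pinned = DtlsContextBuilder::new();
    pinned.set_max_proto_version(Some(SslVersion::DTLS1_3)).unwrap();
    pinned.set_min_proto_version(Some(SslVersion::DTLS1_3)).unwrap();
    let refused = negotiate(&pinned, &legacy_peer); // no common version: fails closed

    (downgraded, refused)
}

fn main() {
    let (downgraded, refused) = max_only_vs_pinned();
    println!("max only:  {:?}", downgraded);
    println!("min = max: {:?}", refused);
}
```

Running the block shows the max-only server completing at DTLS 1.2 against the constructed peer while the pinned server refuses the handshake. In the real library the negotiation happens inside BoringSSL, but the window it enforces is the one the builder configures, which is why a test whose intent is "negotiate DTLS 1.3" only enforces that intent when the minimum is set alongside the maximum.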
| @@ -644,7 +653,10 @@ impl TryFrom<u16> for SslVersion { | |||
| | ffi::TLS1_VERSION | |||
| | ffi::TLS1_1_VERSION | |||
| | ffi::TLS1_2_VERSION | |||
| | ffi::TLS1_3_VERSION => Ok(Self(value)), | |||
| | ffi::TLS1_3_VERSION | |||
| | ffi::DTLS1_VERSION | |||
| | ffi::DTLS1_2_VERSION | |||
| | ffi::DTLS1_3_VERSION => Ok(Self(value)), | |||
| _ => Err("Unknown SslVersion"), | |||
| } | |||
| } | |||
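Review bot: TryFrom<u16> now accepts both TLS and DTLS wire values but gives the caller no way to tell which family the resulting SslVersion belongs to, so a value validated here and then handed to set_min_proto_version/set_max_proto_version on a context of the other family is only caught (if at all) by the underlying library call. Add a doc comment on the impl stating that the conversion is family-agnostic and that the builder is where a mismatched value is expected to be rejected, or add a small accessor (for example an is_dtls() that checks the 0xFE prefix of DTLS1_VERSION, DTLS1_2_VERSION and DTLS1_3_VERSION) so callers can check before configuring a context.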
| @@ -658,6 +670,9 @@ impl fmt::Debug for SslVersion { | |||
| Self::TLS1_1 => "TLS1_1", | |||
| Self::TLS1_2 => "TLS1_2", | |||
| Self::TLS1_3 => "TLS1_3", | |||
| Self::DTLS1 => "DTLS1", | |||
| Self::DTLS1_2 => "DTLS1_2", | |||
| Self::DTLS1_3 => "DTLS1_3", | |||
| _ => return write!(f, "{:#06x}", self.0), | |||
| }) | |||
| } | |||
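Review bot: the same list of version arms is now maintained by hand in three places (TryFrom above, this Debug impl, and Display below), and a constant added to one but forgotten in another falls through to the `{:#06x}` fallback silently. Consider driving all three from a single table of (constant, debug name, display name) so the matches cannot drift, and cover the three new arms with a unit test that checks SslVersion::try_from(ffi::DTLS1_3_VERSION as u16) and the expected "DTLS1_3" Debug output.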
| @@ -671,6 +686,9 @@ impl fmt::Display for SslVersion { | |||
| Self::TLS1_1 => "TLSv1.1", | |||
| Self::TLS1_2 => "TLSv1.2", | |||
| Self::TLS1_3 => "TLSv1.3", | |||
| Self::DTLS1 => "DTLSv1.0", | |||
| Self::DTLS1_2 => "DTLSv1.2", | |||
| Self::DTLS1_3 => "DTLSv1.3", | |||
| _ => return write!(f, "unknown ({:#06x})", self.0), | |||
| }) | |||
| } | |||
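Review bot: `Self::DTLS1 => "DTLSv1.0"` breaks the naming pattern of the neighbouring arms ("TLSv1.1", "TLSv1.2", "DTLSv1.2" carry no ".0" suffix), and if Display is meant to match the C library's version string, BoringSSL's SSL_get_version reports DTLS 1.0 as "DTLSv1". Either use "DTLSv1" here or state in the Display doc comment that its spelling is independent of SSL_get_version, and assert the chosen string in a unit test.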
The PR adds DTLS variants to SslVersion’s TryFrom<u16>, Debug, and Display implementations, but the new behavior isn’t directly exercised by a unit test (the added DTLS negotiation test doesn’t cover formatting or TryFrom). Consider adding a small assertion-based test that validates SslVersion::try_from(DTLS*_VERSION as u16) and the expected Debug/Display strings for the new variants.
Expose Rust bindings for DTLS1_VERSION, DTLS1_2_VERSION, and DTLS1_3_VERSION.
This is useful for applications that need to configure or inspect DTLS protocol versions, e.g. when setting min/max version constraints on DTLS connections.