Enum elasticsearch::cert::CertificateValidation
pub enum CertificateValidation {
Default,
Full(Certificate),
Certificate(Certificate),
None,
}
Validation applied to an SSL/TLS certificate when establishing an HTTPS connection.
This requires the native-tls or rustls-tls feature to be enabled. native-tls is configured by default.
Examples
Default
The client is configured by default to validate that a certificate used to establish an HTTPS connection is one that is signed by a trusted Certificate Authority (CA) and passes hostname verification. The CertificateValidation::Default variant exists only so that a builder already set to another validation mode can be switched back to the default.
Full validation
With Elasticsearch running at https://example.com, configured to use a certificate generated with your own Certificate Authority (CA), and where the certificate contains a CommonName (CN) or Subject Alternative Name (SAN) that matches the hostname of Elasticsearch:
use std::fs::File;
use std::io::Read;
use elasticsearch::cert::{Certificate, CertificateValidation};
use elasticsearch::http::transport::{SingleNodeConnectionPool, TransportBuilder};
use elasticsearch::Elasticsearch;
use url::Url;

async fn connect_full_validation() -> Result<(), Box<dyn std::error::Error>> {
    let url = Url::parse("https://example.com")?;
    let conn_pool = SingleNodeConnectionPool::new(url);
    // load the CA certificate that signed the server certificate
    let mut buf = Vec::new();
    File::open("my_ca_cert.pem")?
        .read_to_end(&mut buf)?;
    let cert = Certificate::from_pem(&buf)?;
    // verify the chain against this CA and check the hostname
    let transport = TransportBuilder::new(conn_pool)
        .cert_validation(CertificateValidation::Full(cert))
        .build()?;
    let client = Elasticsearch::new(transport);
    let _response = client.ping().send().await?;
    Ok(())
}
Certificate validation
This requires the native-tls feature to be enabled.
With Elasticsearch running at https://example.com, configured to use a certificate generated with your own Certificate Authority (CA):
use std::fs::File;
use std::io::Read;
use elasticsearch::cert::{Certificate, CertificateValidation};
use elasticsearch::http::transport::{SingleNodeConnectionPool, TransportBuilder};
use elasticsearch::Elasticsearch;
use url::Url;

async fn connect_certificate_validation() -> Result<(), Box<dyn std::error::Error>> {
    let url = Url::parse("https://example.com")?;
    let conn_pool = SingleNodeConnectionPool::new(url);
    // load the CA certificate that signed the server certificate
    let mut buf = Vec::new();
    File::open("my_ca_cert.pem")?
        .read_to_end(&mut buf)?;
    let cert = Certificate::from_pem(&buf)?;
    // verify the chain against this CA only; the hostname is not checked
    let transport = TransportBuilder::new(conn_pool)
        .cert_validation(CertificateValidation::Certificate(cert))
        .build()?;
    let client = Elasticsearch::new(transport);
    let _response = client.ping().send().await?;
    Ok(())
}
No validation
No validation is performed on the certificate provided by the server. Use on production clusters is strongly discouraged.
use elasticsearch::{cert::CertificateValidation, http::transport::{SingleNodeConnectionPool, TransportBuilder}, Elasticsearch};
use url::Url;

async fn connect_no_validation() -> Result<(), Box<dyn std::error::Error>> {
    let url = Url::parse("https://example.com")?;
    let conn_pool = SingleNodeConnectionPool::new(url);
    // diagnostic use only: the server certificate is not checked at all
    let transport = TransportBuilder::new(conn_pool)
        .cert_validation(CertificateValidation::None)
        .build()?;
    let client = Elasticsearch::new(transport);
    let _response = client.ping().send().await?;
    Ok(())
}
Variants
Default
Default validation of the certificate, which validates that the certificate provided by the server is signed by a trusted Certificate Authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified by the CommonName (CN) or Subject Alternative Name (SAN) within the certificate.
A trusted CA is one that is trusted by the operating system on which the client is running, which typically means that the CA certificate is in the certificate/truststore of the operating system. This is the default mode of operation.
Full(Certificate)
Full validation of the certificate, which validates that the certificate provided by the server is signed by a trusted Certificate Authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified by the CommonName (CN) or Subject Alternative Name (SAN) within the certificate.
This is useful for self-signed certificates generated by your own CA, where the certificate contains the CommonName (CN) or a Subject Alternative Name (SAN) that matches the server hostname.
Typically, the certificate provided to the client is the Certificate Authority (CA) used to sign the certificate used by the server.
Certificate(Certificate)
Validates that the certificate provided by the server is signed by a trusted Certificate Authority (CA), but does not perform hostname verification.
This is useful for self-signed certificates generated by your own CA that do not contain the CommonName (CN) or a Subject Alternative Name (SAN) that matches the server hostname.
Typically, the certificate provided to the client will be the Certificate Authority (CA) used to sign the certificate used by the server.
Optional
This requires the native-tls feature to be enabled.
None
No validation is performed on the certificate provided by the server.
This disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors, and its use on production clusters is strongly discouraged.
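Added example, not code from the elasticsearch crate or its documentation: a std-only policy layer showing how a deployment can choose between the variants above and fail closed. It requires a CA bundle for Full and Certificate, checks that the bundle is well-formed PEM before it would be handed to Certificate::from_pem, and accepts None only when a separate diagnostic flag is set, so a stray configuration value cannot silently disable validation. ValidationPolicy, PolicyError, select_policy, count_pem_certificates and SAMPLE_CA_PEM are hypothetical names introduced here, and the sample bundle is constructed base64-shaped filler, not a real certificate. Mapping the result to the crate's enum (for instance ValidationPolicy::Full(pem) to CertificateValidation::Full(Certificate::from_pem(&pem)?)) is left to the code that builds the transport.

```rust
// Added example, not code from the elasticsearch crate: a std-only policy
// layer that decides which CertificateValidation variant a deployment may
// use and sanity-checks the CA bundle before it reaches Certificate::from_pem.
// ValidationPolicy, PolicyError, select_policy, count_pem_certificates and
// SAMPLE_CA_PEM are hypothetical names introduced for this example.

/// Mirrors the four variants of elasticsearch::cert::CertificateValidation,
/// strictest first. A CA bundle is carried as raw PEM bytes so the caller can
/// hand it to Certificate::from_pem(&bytes) when building the transport.
#[derive(Debug, PartialEq)]
pub enum ValidationPolicy {
    Default,
    Full(Vec<u8>),
    Certificate(Vec<u8>),
    None,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    /// `none` was requested without the explicit diagnostic opt-in.
    NoneNotAllowed,
    UnknownMode(String),
    /// `full` or `certificate` was requested but no CA bundle was supplied.
    MissingCaBundle,
    MalformedPem(String),
}

/// Counts the CERTIFICATE blocks in a PEM bundle, rejecting input that is not
/// well-formed PEM (missing footer, nested headers, non-base64 body lines).
pub fn count_pem_certificates(pem: &[u8]) -> Result<usize, PolicyError> {
    let text = std::str::from_utf8(pem)
        .map_err(|_| PolicyError::MalformedPem("bundle is not UTF-8".to_string()))?;
    let mut count = 0;
    let mut in_block = false;
    for line in text.lines().map(str::trim) {
        if line == "-----BEGIN CERTIFICATE-----" {
            if in_block {
                return Err(PolicyError::MalformedPem("nested BEGIN line".to_string()));
            }
            in_block = true;
        } else if line == "-----END CERTIFICATE-----" {
            if !in_block {
                return Err(PolicyError::MalformedPem("END without BEGIN".to_string()));
            }
            in_block = false;
            count += 1;
        } else if in_block {
            let is_b64 = |b: u8| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=';
            if line.is_empty() || !line.bytes().all(is_b64) {
                return Err(PolicyError::MalformedPem(format!("non-base64 line: {}", line)));
            }
        }
    }
    if in_block {
        return Err(PolicyError::MalformedPem("unterminated CERTIFICATE block".to_string()));
    }
    if count == 0 {
        return Err(PolicyError::MalformedPem("no CERTIFICATE block found".to_string()));
    }
    Ok(count)
}

/// Maps a configured mode string to a policy. `allow_none` is the explicit
/// diagnostic opt-in; production configuration never sets it, so a stray
/// `mode = "none"` fails closed instead of silently disabling validation.
pub fn select_policy(
    mode: &str,
    ca_pem: Option<&[u8]>,
    allow_none: bool,
) -> Result<ValidationPolicy, PolicyError> {
    let mode = mode.trim().to_ascii_lowercase();
    match mode.as_str() {
        "default" => Ok(ValidationPolicy::Default),
        "full" | "certificate" => {
            let pem = ca_pem.ok_or(PolicyError::MissingCaBundle)?;
            count_pem_certificates(pem)?;
            if mode == "full" {
                Ok(ValidationPolicy::Full(pem.to_vec()))
            } else {
                Ok(ValidationPolicy::Certificate(pem.to_vec()))
            }
        }
        "none" if allow_none => Ok(ValidationPolicy::None),
        "none" => Err(PolicyError::NoneNotAllowed),
        other => Err(PolicyError::UnknownMode(other.to_string())),
    }
}

/// Constructed sample bundle: the body is base64-shaped filler, not a real CA.
pub const SAMPLE_CA_PEM: &str = "-----BEGIN CERTIFICATE-----\n\
MIIBszCCAVmgAwIBAgIUdGVzdCBvbmx5IG5vdCBhIHJlYWwgY2VydA==\n\
-----END CERTIFICATE-----\n";

fn main() {
    let pem = SAMPLE_CA_PEM.as_bytes();
    println!("{:?}", select_policy("full", Some(pem), false).map(|_| "Full"));
    println!("{:?}", select_policy("none", None, false)); // Err(NoneNotAllowed)
}
```

The ordering of the match mirrors the ordering of the variants on this page: Default needs nothing beyond the OS trust store, Full and Certificate both need a bundle that parses, and None is reachable only through a flag that is never part of production configuration.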
Auto Trait Implementations
impl RefUnwindSafe for CertificateValidation
impl Send for CertificateValidation
impl Sync for CertificateValidation
impl Unpin for CertificateValidation
impl UnwindSafe for CertificateValidation
Blanket Implementations
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.
impl<T> Instrument for T
fn instrument(self, span: Span) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
impl<T> WithSubscriber for T
fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where S: Into<Dispatch>
Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.
fn with_current_subscriber(self) -> WithDispatch<Self>
Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.