pub struct Ssl { /* private fields */ }
Per-connection TLS object (SSL*).
Has exclusive ownership over its state; no Clone. BIOs passed to
Ssl::set_bio_duplex or Ssl::set_bio are owned by the Ssl thereafter.
Implementations
impl Ssl
pub fn set_bio_duplex(&mut self, bio: Bio)
Set a single duplex BIO for both reading and writing.
Transfers ownership of bio to the SSL object; do not use bio
afterwards. Suitable for BIO_new_bio_pair endpoints.
When rbio == wbio (same pointer), SSL_set_bio consumes only one
reference, so the single reference held by bio is exactly what is
handed over.
pub fn set_bio(&mut self, rbio: Bio, wbio: Bio)
Set separate read and write BIOs.
Transfers ownership of both rbio and wbio to the SSL object; do not use
them afterwards. When one BIO serves both directions use
Self::set_bio_duplex instead, which accounts for the single reference
OpenSSL consumes in that case.
pub fn set_hostname(&mut self, hostname: &CStr) -> Result<(), ErrorStack>
Set the SNI hostname extension sent during the TLS handshake.
Call before Self::connect on client connections to enable SNI.
hostname must be a NUL-terminated ASCII DNS name without a trailing dot;
internationalized names go in A-label (xn--) form, and IP address
literals are not permitted in SNI (RFC 6066, section 3).
SNI only tells the server which name is being requested. It does not by
itself cause the server certificate to be checked against that name; use
Self::set_verify_hostname for that.
SSL_set_tlsext_host_name is a C macro expanding to
SSL_ctrl(s, 55 /*SSL_CTRL_SET_TLSEXT_HOSTNAME*/, 0 /*TLSEXT_NAMETYPE_host_name*/, name).
§Errors
Returns Err if the control call fails.
pub fn set_connect_state(&mut self)
Set this SSL object to operate in client (connect) mode.
Required before calling Self::do_handshake if neither Self::connect nor
Self::accept will be used.
pub fn set_accept_state(&mut self)
Set this SSL object to operate in server (accept) mode.
pub fn connect(&mut self) -> Result<(), SslIoError>
Initiate a client-side TLS handshake (SSL_connect).
Returns Ok(()) once the handshake has completed.
§Errors
Returns SslIoError::WantRead / SslIoError::WantWrite when the underlying
BIO cannot make progress yet; retry the same call after more data has
become readable (or the write side has drained).
pub fn accept(&mut self) -> Result<(), SslIoError>
Accept an incoming TLS connection (SSL_accept).
Returns Ok(()) once the handshake has completed.
§Errors
Returns SslIoError::WantRead / SslIoError::WantWrite on a non-blocking
BIO when the call must be retried.
pub fn do_handshake(&mut self) -> Result<(), SslIoError>
Drive the TLS handshake in either role (SSL_do_handshake).
The role must have been set via Self::set_connect_state or Self::set_accept_state
(or implicitly by Self::connect / Self::accept).
§Errors
Returns SslIoError::WantRead / SslIoError::WantWrite when the handshake
must be retried after more data is available, as for Self::connect and
Self::accept.
pub fn read(&mut self, buf: &mut [u8]) -> Result<usize, SslIoError>
Read decrypted application data (SSL_read_ex).
Returns the number of bytes written into buf on success.
A close_notify from the peer is reported through the error path, not as
Ok(0) (SSL_ERROR_ZERO_RETURN in OpenSSL terms). A transport EOF without a
preceding close_notify is a truncated stream and should not be treated as
a clean end of data.
§Errors
Returns SslIoError::WantRead / SslIoError::WantWrite when the call must be
retried after more data is available.
pub fn write(&mut self, buf: &[u8]) -> Result<usize, SslIoError>
Write application data (SSL_write_ex).
Returns the number of bytes consumed from buf on success.
§Errors
Returns SslIoError::WantRead / SslIoError::WantWrite when the call must be
retried. Retry with the same buf contents: OpenSSL expects the same
arguments on the retried call unless SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
is set on the context.
pub fn shutdown(&mut self) -> Result<ShutdownResult, ErrorStack>
Send a TLS close-notify alert (SSL_shutdown).
The first call sends our close_notify and returns ShutdownResult::Sent;
calling again waits for the peer's close_notify and returns
ShutdownResult::Complete once the shutdown is bidirectional. Call at
least twice on a non-blocking connection to complete the exchange; the
second call may have to wait for the peer's alert to arrive.
§Errors
Returns Err on a fatal error during shutdown.
pub fn peer_cert_chain(&self) -> Option<Vec<X509>>
Return the certificate chain the peer presented, or None.
Each certificate in the returned Vec has its reference count independently
incremented via X509_up_ref, so the certificates outlive self.
Returns None when:
- the handshake has not yet completed, or
- the peer did not present a certificate (e.g. a server without client-auth
configured will see None for the client chain).
An empty Vec is returned if the stack exists but contains no elements
(unusual in practice).
Note: this calls SSL_get_peer_cert_chain, which on the server side
does not include the leaf certificate, only the intermediates. On the
client side the full chain including the server leaf is returned.
Use Self::peer_certificate to obtain the leaf cert in all cases.
This is the chain as sent by the peer, in the peer's order, not the chain
OpenSSL built and validated during verification (SSL_get0_verified_chain
in OpenSSL); do not treat its presence as evidence that verification
succeeded.
pub fn peer_certificate(&self) -> Option<X509>
Return the peer’s certificate, or None if unavailable.
The returned certificate has its reference count incremented, so it
outlives self.
A returned certificate only means the peer presented one; whether it
passed verification is reported separately (SSL_get_verify_result in
OpenSSL) and depends on the verify mode configured on the context.
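The role asymmetry above is easy to get wrong when code that handles both sides wants a leaf-first chain. The following is an added example, not code from this crate: it assembles the full chain from the two accessors' results. `T` stands in for the crate's `X509` (the test uses string labels; with real certificates the leaf comparison would be by DER bytes or fingerprint, since the assumption here is that `T: PartialEq`), and the role is assumed to be known from which of set_connect_state / set_accept_state (or connect / accept) was used.

```rust
/// Which side of the connection this Ssl is; it determines what
/// SSL_get_peer_cert_chain returns (see peer_cert_chain above).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Client,
    Server,
}

/// Build a leaf-first chain from the values returned by peer_certificate()
/// and peer_cert_chain(). `T` is a placeholder for X509 (assumption: it can
/// be compared for equality). Returns None when the peer presented no
/// certificate or the handshake has not completed.
pub fn assemble_peer_chain<T: Clone + PartialEq>(
    role: Role,
    leaf: Option<T>,
    chain: Option<Vec<T>>,
) -> Option<Vec<T>> {
    let leaf = leaf?;
    let intermediates: Vec<T> = match (role, chain) {
        (_, None) => Vec::new(),
        // Client side: the stack's first element is the server leaf; drop
        // that copy so the leaf appears exactly once in the result.
        (Role::Client, Some(stack)) => {
            let mut it = stack.into_iter().peekable();
            if it.peek() == Some(&leaf) {
                it.next();
            }
            it.collect()
        }
        // Server side: the stack holds intermediates only; the client leaf
        // comes solely from peer_certificate().
        (Role::Server, Some(stack)) => stack,
    };
    let mut full = Vec::with_capacity(1 + intermediates.len());
    full.push(leaf);
    full.extend(intermediates);
    Some(full)
}

fn main() {
    // Constructed sample inputs standing in for what the two accessors return.
    let client_view = assemble_peer_chain(
        Role::Client,
        Some("server-leaf"),
        Some(vec!["server-leaf", "ica", "root"]),
    );
    let server_view = assemble_peer_chain(
        Role::Server,
        Some("client-leaf"),
        Some(vec!["client-ica"]),
    );
    println!("client sees: {client_view:?}");
    println!("server sees: {server_view:?}");
}
```

The result is still the chain as the peer sent it; it says nothing about whether the chain validated, which must be checked through the verification result.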
pub fn get1_session(&self) -> Option<SslSession>
Get an owned reference to the current session (SSL_get1_session).
Returns None if no session is established. The session can be passed
to Self::set_session on a new Ssl for resumption.
With TLS 1.3 the resumption ticket arrives in NewSessionTicket messages
after the handshake, so a session captured immediately after
Self::connect returns is usually not resumable yet; OpenSSL's new-session
callback (SSL_CTX_sess_set_new_cb) is the reliable way to obtain
TLS 1.3 sessions.
pub fn session(&self) -> Option<BorrowedSslSession<'_>>
Borrow the current session without incrementing the reference count
(SSL_get_session).
Returns None if no session is associated with this connection (e.g.
the handshake has not yet completed or session caching is disabled).
The returned BorrowedSslSession is valid for the lifetime of self
and must not be retained beyond it. Use Self::get1_session
if you need a session that outlives the connection.
§Lifetimes
The borrow is tied to '_ (the lifetime of self): the SSL_SESSION*
is owned by the SSL object and is invalidated when the Ssl is dropped
or a new session is negotiated.
pub fn set_session(&mut self, session: &SslSession) -> Result<(), ErrorStack>
Set a previously obtained session for resumption (SSL_set_session).
Call before the handshake. Resumption is only offered to the server; if
the server declines, a full handshake is performed, so check whether the
session was actually reused (SSL_session_reused in OpenSSL) rather than
assuming it.
§Errors
Returns Err if SSL_set_session fails.
pub fn set_verify_hostname(&mut self, hostname: &str) -> Result<(), ErrorStack>
Override the expected server hostname for this connection’s certificate verification.
Use this when one SslCtx is shared across connections to different
servers and per-connection hostname checking is needed. Wraps
SSL_set1_host.
Call before the handshake. The name is only enforced when peer
verification is enabled on the context (SSL_VERIFY_PEER); with
verification disabled a mismatch is not an error. SSL_set1_host matches
DNS names only; connections to a raw IP address need
X509_VERIFY_PARAM_set1_ip_asc in OpenSSL, which this method does not call.
§Errors
Returns Err if hostname contains a NUL byte or if SSL_set1_host
fails.
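Self::set_hostname and Self::set_verify_hostname take the same name in two forms (&CStr and &str), and both reject or silently mishandle input that a caller may pass through from a URL. The following is an added example, not part of this crate: it validates a hostname once and produces both forms. It assumes nothing from the crate beyond the two signatures; the rules it enforces are RFC 6066's (ASCII, no trailing dot, no IP literals) plus the usual DNS label limits, and it goes beyond the page's NUL check by rejecting IP literals and non-A-label names, which SNI cannot carry and SSL_set1_host will not match.

```rust
use std::ffi::CString;
use std::net::IpAddr;

/// Reasons a hostname is rejected before it reaches set_hostname / set_verify_hostname.
#[derive(Debug, PartialEq, Eq)]
pub enum HostnameError {
    Empty,
    InteriorNul,
    IpLiteral,
    NonAscii,
    TooLong,
    BadLabel,
}

/// Validate and normalize a hostname for TLS use. On success returns the
/// NUL-terminated form for `Ssl::set_hostname` (SNI) and the plain form for
/// `Ssl::set_verify_hostname` (certificate matching).
pub fn prepare_hostname(input: &str) -> Result<(CString, String), HostnameError> {
    // An interior NUL makes set_verify_hostname fail and would truncate the
    // SNI name on the C side; reject it before anything else.
    if input.contains('\0') {
        return Err(HostnameError::InteriorNul);
    }
    // RFC 6066 section 3: the SNI HostName carries no trailing dot.
    let host = input.strip_suffix('.').unwrap_or(input);
    if host.is_empty() {
        return Err(HostnameError::Empty);
    }
    // RFC 6066 section 3: literal IPv4/IPv6 addresses are not permitted in
    // SNI, and SSL_set1_host does not match certificates against IPs.
    let unbracketed = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    if unbracketed.parse::<IpAddr>().is_ok() {
        return Err(HostnameError::IpLiteral);
    }
    // The SNI HostName is ASCII; internationalized names must be A-labels (xn--).
    if !host.is_ascii() {
        return Err(HostnameError::NonAscii);
    }
    if host.len() > 253 {
        return Err(HostnameError::TooLong);
    }
    // LDH rule per label: 1..=63 letters, digits or hyphens, no leading or
    // trailing hyphen. This also rejects empty labels such as "a..b".
    for label in host.split('.') {
        let ok_chars = label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
        if label.is_empty()
            || label.len() > 63
            || !ok_chars
            || label.starts_with('-')
            || label.ends_with('-')
        {
            return Err(HostnameError::BadLabel);
        }
    }
    // DNS names are case-insensitive; lower-case so the SNI value and the
    // verification name agree with what the server and certificate use.
    let normalized = host.to_ascii_lowercase();
    let sni = CString::new(normalized.as_str()).map_err(|_| HostnameError::InteriorNul)?;
    Ok((sni, normalized))
}

fn main() {
    // Constructed sample inputs.
    for h in ["Example.COM.", "xn--bcher-kva.example", "192.0.2.1", "[2001:db8::1]", "bücher.example"] {
        match prepare_hostname(h) {
            Ok((sni, verify)) => println!("{h:?} -> sni={sni:?} verify={verify}"),
            Err(e) => println!("{h:?} rejected: {e:?}"),
        }
    }
}
```

Pass the CString to set_hostname and the String to set_verify_hostname for the same connection, before connect; using the same validated value for both keeps the name the server is asked for and the name the certificate is checked against identical.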