feat: TLS session resumption

Author: link2xt

src/imap/client.rs

@@ -242,7 +242,7 @@ impl Client {
         let buffered_tcp_stream = client.into_inner();
         let tcp_stream = buffered_tcp_stream.into_inner();
 
-        let tls_stream = wrap_tls(strict_tls, host, "", tcp_stream)
+        let tls_stream = wrap_tls(strict_tls, host, addr.port(), "", tcp_stream)
             .await
             .context("STARTTLS upgrade failed")?;
 
@@ -262,7 +262,7 @@ impl Client {
         let proxy_stream = proxy_config
             .connect(context, domain, port, strict_tls)
             .await?;
-        let tls_stream = wrap_tls(strict_tls, domain, alpn(port), proxy_stream).await?;
+        let tls_stream = wrap_tls(strict_tls, domain, port, alpn(port), proxy_stream).await?;
         let buffered_stream = BufWriter::new(tls_stream);
         let session_stream: Box<dyn SessionStream> = Box::new(buffered_stream);
         let mut client = Client::new(session_stream);
@@ -315,7 +315,7 @@ impl Client {
         let buffered_proxy_stream = client.into_inner();
         let proxy_stream = buffered_proxy_stream.into_inner();
 
-        let tls_stream = wrap_tls(strict_tls, hostname, "", proxy_stream)
+        let tls_stream = wrap_tls(strict_tls, hostname, port, "", proxy_stream)
             .await
             .context("STARTTLS upgrade failed")?;
         let buffered_stream = BufWriter::new(tls_stream);

src/net.rs

@@ -130,7 +130,7 @@ pub(crate) async fn connect_tls_inner(
     alpn: &str,
 ) -> Result<impl SessionStream> {
     let tcp_stream = connect_tcp_inner(addr).await?;
-    let tls_stream = wrap_tls(strict_tls, host, alpn, tcp_stream).await?;
+    let tls_stream = wrap_tls(strict_tls, host, addr.port(), alpn, tcp_stream).await?;
     Ok(tls_stream)
 }
 

src/net/http.rs

@@ -72,11 +72,11 @@ where
                 let proxy_stream = proxy_config
                     .connect(context, host, port, load_cache)
                     .await?;
-                let tls_stream = wrap_rustls(host, "", proxy_stream).await?;
+                let tls_stream = wrap_rustls(host, port, "", proxy_stream).await?;
                 Box::new(tls_stream)
             } else {
                 let tcp_stream = crate::net::connect_tcp(context, host, port, load_cache).await?;
-                let tls_stream = wrap_rustls(host, "", tcp_stream).await?;
+                let tls_stream = wrap_rustls(host, port, "", tcp_stream).await?;
                 Box::new(tls_stream)
             }
         }

src/net/proxy.rs

@@ -425,7 +425,8 @@ impl ProxyConfig {
                     load_cache,
                 )
                 .await?;
-                let tls_stream = wrap_rustls(&https_config.host, "", tcp_stream).await?;
+                let tls_stream =
+                    wrap_rustls(&https_config.host, https_config.port, "", tcp_stream).await?;
                 let auth = if let Some((username, password)) = &https_config.user_password {
                     Some((username.as_str(), password.as_str()))
                 } else {

src/net/tls.rs

@@ -1,18 +1,24 @@
 //! TLS support.
+use std::collections::HashMap;
 use std::sync::Arc;
 
 use anyhow::Result;
+use once_cell::sync::Lazy;
+use parking_lot::Mutex;
 
 use crate::net::session::SessionStream;
 
+use tokio_rustls::rustls::client::ClientSessionStore;
+
 pub async fn wrap_tls(
     strict_tls: bool,
     hostname: &str,
+    port: u16,
     alpn: &str,
     stream: impl SessionStream + 'static,
 ) -> Result<impl SessionStream> {
     if strict_tls {
-        let tls_stream = wrap_rustls(hostname, alpn, stream).await?;
+        let tls_stream = wrap_rustls(hostname, port, alpn, stream).await?;
         let boxed_stream: Box<dyn SessionStream> = Box::new(tls_stream);
         Ok(boxed_stream)
     } else {
@@ -35,8 +41,12 @@ pub async fn wrap_tls(
     }
 }
 
+static RESUMPTION_STORE: Lazy<Mutex<HashMap<(u16, String), Arc<dyn ClientSessionStore>>>> =
+    Lazy::new(Default::default);
+
 pub async fn wrap_rustls(
     hostname: &str,
+    port: u16,
     alpn: &str,
     stream: impl SessionStream,
 ) -> Result<impl SessionStream> {
@@ -52,6 +62,27 @@ pub async fn wrap_rustls(
         vec![alpn.as_bytes().to_vec()]
     };
 
+    // Enable TLS 1.3 session resumption.
+    //
+    // TLS 1.2 has worse security,
+    // not risking it: <https://words.filippo.io/we-need-to-talk-about-session-tickets/>
+    let resumption_store;
+    {
+        let mut lock = RESUMPTION_STORE.lock();
+        let entry = lock.entry((port, alpn.to_string()));
+        let store = entry.or_insert_with(|| {
+            // This is the default as of version 0.23.16, but make it shared between clients.
+            Arc::new(tokio_rustls::rustls::client::ClientSessionMemoryCache::new(
+                256,
+            ))
+        });
+        resumption_store = Arc::clone(store);
+    }
+
+    let resumption = tokio_rustls::rustls::client::Resumption::store(resumption_store)
+        .tls12_resumption(tokio_rustls::rustls::client::Tls12Resumption::Disabled);
+    config.resumption = resumption;
+
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = rustls_pki_types::ServerName::try_from(hostname)?.to_owned();
     let tls_stream = tls.connect(name, stream).await?;

src/smtp/connect.rs

@@ -225,7 +225,7 @@ async fn connect_secure_proxy(
     let proxy_stream = proxy_config
         .connect(context, hostname, port, strict_tls)
         .await?;
-    let tls_stream = wrap_tls(strict_tls, hostname, alpn(port), proxy_stream).await?;
+    let tls_stream = wrap_tls(strict_tls, hostname, port, alpn(port), proxy_stream).await?;
     let mut buffered_stream = BufStream::new(tls_stream);
     skip_smtp_greeting(&mut buffered_stream).await?;
     let session_stream: Box<dyn SessionBufStream> = Box::new(buffered_stream);
@@ -248,7 +248,7 @@ async fn connect_starttls_proxy(
     skip_smtp_greeting(&mut buffered_stream).await?;
     let transport = new_smtp_transport(buffered_stream).await?;
     let tcp_stream = transport.starttls().await?.into_inner();
-    let tls_stream = wrap_tls(strict_tls, hostname, "", tcp_stream)
+    let tls_stream = wrap_tls(strict_tls, hostname, port, "", tcp_stream)
         .await
         .context("STARTTLS upgrade failed")?;
     let buffered_stream = BufStream::new(tls_stream);
@@ -293,7 +293,7 @@ async fn connect_starttls(
     skip_smtp_greeting(&mut buffered_stream).await?;
     let transport = new_smtp_transport(buffered_stream).await?;
     let tcp_stream = transport.starttls().await?.into_inner();
-    let tls_stream = wrap_tls(strict_tls, host, "", tcp_stream)
+    let tls_stream = wrap_tls(strict_tls, host, addr.port(), "", tcp_stream)
         .await
         .context("STARTTLS upgrade failed")?;