RubyGems - wreq-rb - Versions diffs - 0.3.0 - Mend

wreq-rb 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

checksums.yaml +7 -0
data/Cargo.lock +2688 -0
data/Cargo.toml +6 -0
data/README.md +179 -0
data/ext/wreq_rb/Cargo.toml +39 -0
data/ext/wreq_rb/extconf.rb +22 -0
data/ext/wreq_rb/src/client.rs +565 -0
data/ext/wreq_rb/src/error.rs +25 -0
data/ext/wreq_rb/src/lib.rs +20 -0
data/ext/wreq_rb/src/response.rs +132 -0
data/lib/wreq-rb/version.rb +5 -0
data/lib/wreq-rb.rb +17 -0
data/patches/0001-add-transfer-size-tracking.patch +292 -0
data/vendor/wreq/Cargo.toml +306 -0
data/vendor/wreq/LICENSE +202 -0
data/vendor/wreq/README.md +122 -0
data/vendor/wreq/examples/cert_store.rs +77 -0
data/vendor/wreq/examples/connect_via_lower_priority_tokio_runtime.rs +258 -0
data/vendor/wreq/examples/emulation.rs +118 -0
data/vendor/wreq/examples/form.rs +14 -0
data/vendor/wreq/examples/http1_websocket.rs +37 -0
data/vendor/wreq/examples/http2_websocket.rs +45 -0
data/vendor/wreq/examples/json_dynamic.rs +41 -0
data/vendor/wreq/examples/json_typed.rs +47 -0
data/vendor/wreq/examples/keylog.rs +16 -0
data/vendor/wreq/examples/request_with_emulation.rs +115 -0
data/vendor/wreq/examples/request_with_interface.rs +37 -0
data/vendor/wreq/examples/request_with_local_address.rs +16 -0
data/vendor/wreq/examples/request_with_proxy.rs +13 -0
data/vendor/wreq/examples/request_with_redirect.rs +22 -0
data/vendor/wreq/examples/request_with_version.rs +15 -0
data/vendor/wreq/examples/tor_socks.rs +24 -0
data/vendor/wreq/examples/unix_socket.rs +33 -0
data/vendor/wreq/src/client/body.rs +304 -0
data/vendor/wreq/src/client/conn/conn.rs +231 -0
data/vendor/wreq/src/client/conn/connector.rs +549 -0
data/vendor/wreq/src/client/conn/http.rs +1023 -0
data/vendor/wreq/src/client/conn/proxy/socks.rs +233 -0
data/vendor/wreq/src/client/conn/proxy/tunnel.rs +260 -0
data/vendor/wreq/src/client/conn/proxy.rs +39 -0
data/vendor/wreq/src/client/conn/tls_info.rs +98 -0
data/vendor/wreq/src/client/conn/uds.rs +44 -0
data/vendor/wreq/src/client/conn/verbose.rs +149 -0
data/vendor/wreq/src/client/conn.rs +323 -0
data/vendor/wreq/src/client/core/body/incoming.rs +485 -0
data/vendor/wreq/src/client/core/body/length.rs +118 -0
data/vendor/wreq/src/client/core/body.rs +34 -0
data/vendor/wreq/src/client/core/common/buf.rs +149 -0
data/vendor/wreq/src/client/core/common/rewind.rs +141 -0
data/vendor/wreq/src/client/core/common/watch.rs +76 -0
data/vendor/wreq/src/client/core/common.rs +3 -0
data/vendor/wreq/src/client/core/conn/http1.rs +342 -0
data/vendor/wreq/src/client/core/conn/http2.rs +307 -0
data/vendor/wreq/src/client/core/conn.rs +11 -0
data/vendor/wreq/src/client/core/dispatch.rs +299 -0
data/vendor/wreq/src/client/core/error.rs +435 -0
data/vendor/wreq/src/client/core/ext.rs +201 -0
data/vendor/wreq/src/client/core/http1.rs +178 -0
data/vendor/wreq/src/client/core/http2.rs +483 -0
data/vendor/wreq/src/client/core/proto/h1/conn.rs +988 -0
data/vendor/wreq/src/client/core/proto/h1/decode.rs +1170 -0
data/vendor/wreq/src/client/core/proto/h1/dispatch.rs +684 -0
data/vendor/wreq/src/client/core/proto/h1/encode.rs +580 -0
data/vendor/wreq/src/client/core/proto/h1/io.rs +879 -0
data/vendor/wreq/src/client/core/proto/h1/role.rs +694 -0
data/vendor/wreq/src/client/core/proto/h1.rs +104 -0
data/vendor/wreq/src/client/core/proto/h2/client.rs +650 -0
data/vendor/wreq/src/client/core/proto/h2/ping.rs +539 -0
data/vendor/wreq/src/client/core/proto/h2.rs +379 -0
data/vendor/wreq/src/client/core/proto/headers.rs +138 -0
data/vendor/wreq/src/client/core/proto.rs +58 -0
data/vendor/wreq/src/client/core/rt/bounds.rs +57 -0
data/vendor/wreq/src/client/core/rt/timer.rs +150 -0
data/vendor/wreq/src/client/core/rt/tokio.rs +99 -0
data/vendor/wreq/src/client/core/rt.rs +25 -0
data/vendor/wreq/src/client/core/upgrade.rs +267 -0
data/vendor/wreq/src/client/core.rs +16 -0
data/vendor/wreq/src/client/emulation.rs +161 -0
data/vendor/wreq/src/client/http/client/error.rs +142 -0
data/vendor/wreq/src/client/http/client/exec.rs +29 -0
data/vendor/wreq/src/client/http/client/extra.rs +77 -0
data/vendor/wreq/src/client/http/client/lazy.rs +79 -0
data/vendor/wreq/src/client/http/client/pool.rs +1105 -0
data/vendor/wreq/src/client/http/client/util.rs +104 -0
data/vendor/wreq/src/client/http/client.rs +1003 -0
data/vendor/wreq/src/client/http/future.rs +99 -0
data/vendor/wreq/src/client/http.rs +1629 -0
data/vendor/wreq/src/client/layer/config/options.rs +156 -0
data/vendor/wreq/src/client/layer/config.rs +116 -0
data/vendor/wreq/src/client/layer/cookie.rs +161 -0
data/vendor/wreq/src/client/layer/decoder.rs +139 -0
data/vendor/wreq/src/client/layer/redirect/future.rs +270 -0
data/vendor/wreq/src/client/layer/redirect/policy.rs +63 -0
data/vendor/wreq/src/client/layer/redirect.rs +145 -0
data/vendor/wreq/src/client/layer/retry/classify.rs +105 -0
data/vendor/wreq/src/client/layer/retry/scope.rs +51 -0
data/vendor/wreq/src/client/layer/retry.rs +151 -0
data/vendor/wreq/src/client/layer/timeout/body.rs +233 -0
data/vendor/wreq/src/client/layer/timeout/future.rs +90 -0
data/vendor/wreq/src/client/layer/timeout.rs +177 -0
data/vendor/wreq/src/client/layer.rs +15 -0
data/vendor/wreq/src/client/multipart.rs +717 -0
data/vendor/wreq/src/client/request.rs +818 -0
data/vendor/wreq/src/client/response.rs +534 -0
data/vendor/wreq/src/client/ws/json.rs +99 -0
data/vendor/wreq/src/client/ws/message.rs +453 -0
data/vendor/wreq/src/client/ws.rs +714 -0
data/vendor/wreq/src/client.rs +27 -0
data/vendor/wreq/src/config.rs +140 -0
data/vendor/wreq/src/cookie.rs +579 -0
data/vendor/wreq/src/dns/gai.rs +249 -0
data/vendor/wreq/src/dns/hickory.rs +78 -0
data/vendor/wreq/src/dns/resolve.rs +180 -0
data/vendor/wreq/src/dns.rs +69 -0
data/vendor/wreq/src/error.rs +502 -0
data/vendor/wreq/src/ext.rs +398 -0
data/vendor/wreq/src/hash.rs +143 -0
data/vendor/wreq/src/header.rs +506 -0
data/vendor/wreq/src/into_uri.rs +187 -0
data/vendor/wreq/src/lib.rs +586 -0
data/vendor/wreq/src/proxy/mac.rs +82 -0
data/vendor/wreq/src/proxy/matcher.rs +806 -0
data/vendor/wreq/src/proxy/uds.rs +66 -0
data/vendor/wreq/src/proxy/win.rs +31 -0
data/vendor/wreq/src/proxy.rs +569 -0
data/vendor/wreq/src/redirect.rs +575 -0
data/vendor/wreq/src/retry.rs +198 -0
data/vendor/wreq/src/sync.rs +129 -0
data/vendor/wreq/src/tls/conn/cache.rs +123 -0
data/vendor/wreq/src/tls/conn/cert_compression.rs +125 -0
data/vendor/wreq/src/tls/conn/ext.rs +82 -0
data/vendor/wreq/src/tls/conn/macros.rs +34 -0
data/vendor/wreq/src/tls/conn/service.rs +138 -0
data/vendor/wreq/src/tls/conn.rs +681 -0
data/vendor/wreq/src/tls/keylog/handle.rs +64 -0
data/vendor/wreq/src/tls/keylog.rs +99 -0
data/vendor/wreq/src/tls/options.rs +464 -0
data/vendor/wreq/src/tls/x509/identity.rs +122 -0
data/vendor/wreq/src/tls/x509/parser.rs +71 -0
data/vendor/wreq/src/tls/x509/store.rs +228 -0
data/vendor/wreq/src/tls/x509.rs +68 -0
data/vendor/wreq/src/tls.rs +154 -0
data/vendor/wreq/src/trace.rs +55 -0
data/vendor/wreq/src/util.rs +122 -0
data/vendor/wreq/tests/badssl.rs +228 -0
data/vendor/wreq/tests/brotli.rs +350 -0
data/vendor/wreq/tests/client.rs +1098 -0
data/vendor/wreq/tests/connector_layers.rs +227 -0
data/vendor/wreq/tests/cookie.rs +306 -0
data/vendor/wreq/tests/deflate.rs +347 -0
data/vendor/wreq/tests/emulation.rs +260 -0
data/vendor/wreq/tests/gzip.rs +347 -0
data/vendor/wreq/tests/layers.rs +261 -0
data/vendor/wreq/tests/multipart.rs +165 -0
data/vendor/wreq/tests/proxy.rs +438 -0
data/vendor/wreq/tests/redirect.rs +629 -0
data/vendor/wreq/tests/retry.rs +135 -0
data/vendor/wreq/tests/support/delay_server.rs +117 -0
data/vendor/wreq/tests/support/error.rs +16 -0
data/vendor/wreq/tests/support/layer.rs +183 -0
data/vendor/wreq/tests/support/mod.rs +9 -0
data/vendor/wreq/tests/support/server.rs +232 -0
data/vendor/wreq/tests/timeouts.rs +281 -0
data/vendor/wreq/tests/unix_socket.rs +135 -0
data/vendor/wreq/tests/upgrade.rs +98 -0
data/vendor/wreq/tests/zstd.rs +559 -0
metadata +225 -0

data/vendor/wreq/src/tls/conn.rs ADDED Viewed

@@ -0,0 +1,681 @@
+//! SSL support via BoringSSL.
+#[macro_use]
+mod macros;
+mod cache;
+mod cert_compression;
+mod ext;
+mod service;
+use std::{
+    borrow::Cow,
+    fmt::{self, Debug},
+    io,
+    pin::Pin,
+    sync::{Arc, LazyLock},
+    task::{Context, Poll},
+};
+use boring2::{
+    error::ErrorStack,
+    ex_data::Index,
+    ssl::{Ssl, SslConnector, SslMethod, SslOptions, SslSessionCacheMode},
+};
+use cache::{SessionCache, SessionKey};
+use http::Uri;
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+use tokio_boring2::SslStream;
+use tower::Service;
+use crate::{
+    Error,
+    client::{ConnectIdentity, ConnectRequest, Connected, Connection},
+    error::BoxError,
+    sync::Mutex,
+    tls::{
+        AlpnProtocol, AlpsProtocol, CertStore, Identity, KeyLog, TlsOptions, TlsVersion,
+        conn::ext::SslConnectorBuilderExt,
+    },
+};
+fn key_index() -> Result<Index<Ssl, SessionKey<ConnectIdentity>>, ErrorStack> {
+    static IDX: LazyLock<Result<Index<Ssl, SessionKey<ConnectIdentity>>, ErrorStack>> =
+        LazyLock::new(Ssl::new_ex_index);
+    IDX.clone()
+}
+/// Builds for [`HandshakeConfig`].
+pub struct HandshakeConfigBuilder {
+    settings: HandshakeConfig,
+}
+/// Settings for [`TlsConnector`]
+#[derive(Clone)]
+pub struct HandshakeConfig {
+    no_ticket: bool,
+    enable_ech_grease: bool,
+    verify_hostname: bool,
+    tls_sni: bool,
+    alpn_protocols: Option<Cow<'static, [AlpnProtocol]>>,
+    alps_protocols: Option<Cow<'static, [AlpsProtocol]>>,
+    alps_use_new_codepoint: bool,
+    random_aes_hw_override: bool,
+}
+impl HandshakeConfigBuilder {
+    /// Skips the session ticket.
+    pub fn no_ticket(mut self, skip: bool) -> Self {
+        self.settings.no_ticket = skip;
+        self
+    }
+    /// Enables or disables ECH grease.
+    pub fn enable_ech_grease(mut self, enable: bool) -> Self {
+        self.settings.enable_ech_grease = enable;
+        self
+    }
+    /// Sets hostname verification.
+    pub fn verify_hostname(mut self, verify: bool) -> Self {
+        self.settings.verify_hostname = verify;
+        self
+    }
+    /// Sets TLS SNI.
+    pub fn tls_sni(mut self, sni: bool) -> Self {
+        self.settings.tls_sni = sni;
+        self
+    }
+    /// Sets ALPN protocols.
+    pub fn alpn_protocols<P>(mut self, alpn_protocols: P) -> Self
+    where
+        P: Into<Option<Cow<'static, [AlpnProtocol]>>>,
+    {
+        self.settings.alpn_protocols = alpn_protocols.into();
+        self
+    }
+    /// Sets ALPS protocol.
+    pub fn alps_protocols<P>(mut self, alps_protocols: P) -> Self
+    where
+        P: Into<Option<Cow<'static, [AlpsProtocol]>>>,
+    {
+        self.settings.alps_protocols = alps_protocols.into();
+        self
+    }
+    /// Sets ALPS new codepoint usage.
+    pub fn alps_use_new_codepoint(mut self, use_new: bool) -> Self {
+        self.settings.alps_use_new_codepoint = use_new;
+        self
+    }
+    /// Sets random AES hardware override.
+    pub fn random_aes_hw_override(mut self, override_: bool) -> Self {
+        self.settings.random_aes_hw_override = override_;
+        self
+    }
+    /// Builds the `HandshakeConfig`.
+    pub fn build(self) -> HandshakeConfig {
+        self.settings
+    }
+}
+impl HandshakeConfig {
+    /// Creates a new `HandshakeConfigBuilder`.
+    pub fn builder() -> HandshakeConfigBuilder {
+        HandshakeConfigBuilder {
+            settings: HandshakeConfig::default(),
+        }
+    }
+}
+impl Default for HandshakeConfig {
+    fn default() -> Self {
+        Self {
+            no_ticket: false,
+            enable_ech_grease: false,
+            verify_hostname: true,
+            tls_sni: true,
+            alpn_protocols: None,
+            alps_protocols: None,
+            alps_use_new_codepoint: false,
+            random_aes_hw_override: false,
+        }
+    }
+}
+/// A Connector using BoringSSL to support `http` and `https` schemes.
+#[derive(Clone)]
+pub struct HttpsConnector<T> {
+    http: T,
+    inner: Inner,
+}
+#[derive(Clone)]
+struct Inner {
+    ssl: SslConnector,
+    cache: Option<Arc<Mutex<SessionCache<ConnectIdentity>>>>,
+    config: HandshakeConfig,
+}
+/// A builder for creating a `TlsConnector`.
+#[derive(Clone)]
+pub struct TlsConnectorBuilder {
+    session_cache: Arc<Mutex<SessionCache<ConnectIdentity>>>,
+    alpn_protocol: Option<AlpnProtocol>,
+    max_version: Option<TlsVersion>,
+    min_version: Option<TlsVersion>,
+    tls_sni: bool,
+    verify_hostname: bool,
+    identity: Option<Identity>,
+    cert_store: Option<CertStore>,
+    cert_verification: bool,
+    keylog: Option<KeyLog>,
+}
+/// A layer which wraps services in an `SslConnector`.
+#[derive(Clone)]
+pub struct TlsConnector {
+    inner: Inner,
+}
+// ===== impl HttpsConnector =====
+impl<S, T> HttpsConnector<S>
+where
+    S: Service<Uri, Response = T> + Send,
+    S::Error: Into<BoxError>,
+    S::Future: Unpin + Send + 'static,
+    T: AsyncRead + AsyncWrite + Connection + Unpin + Debug + Sync + Send + 'static,
+{
+    /// Creates a new [`HttpsConnector`] with a given [`TlsConnector`].
+    #[inline]
+    pub fn with_connector(http: S, connector: TlsConnector) -> HttpsConnector<S> {
+        HttpsConnector {
+            http,
+            inner: connector.inner,
+        }
+    }
+    /// Disables ALPN negotiation.
+    #[inline]
+    pub fn no_alpn(&mut self) -> &mut Self {
+        self.inner.config.alpn_protocols = None;
+        self
+    }
+}
+// ===== impl Inner =====
+impl Inner {
+    fn setup_ssl(&self, uri: Uri) -> Result<Ssl, BoxError> {
+        let cfg = self.ssl.configure()?;
+        let host = uri.host().ok_or("URI missing host")?;
+        let host = Self::normalize_host(host);
+        let ssl = cfg.into_ssl(host)?;
+        Ok(ssl)
+    }
+    fn setup_ssl2(&self, req: ConnectRequest) -> Result<Ssl, BoxError> {
+        let mut cfg = self.ssl.configure()?;
+        // Use server name indication
+        cfg.set_use_server_name_indication(self.config.tls_sni);
+        // Verify hostname
+        cfg.set_verify_hostname(self.config.verify_hostname);
+        // Set ECH grease
+        cfg.set_enable_ech_grease(self.config.enable_ech_grease);
+        // Set random AES hardware override
+        if self.config.random_aes_hw_override {
+            let random = (crate::util::fast_random() & 1) == 0;
+            cfg.set_aes_hw_override(random);
+        }
+        // Set ALPS protos
+        if let Some(ref alps_values) = self.config.alps_protocols {
+            for alps in alps_values.iter() {
+                cfg.add_application_settings(alps.0)?;
+            }
+            // By default, the old endpoint is used.
+            if !alps_values.is_empty() && self.config.alps_use_new_codepoint {
+                cfg.set_alps_use_new_codepoint(true);
+            }
+        }
+        // Set ALPN protocols
+        if let Some(alpn) = req.extra().alpn_protocol() {
+            // If ALPN is set in the request, it takes precedence over the connector configuration.
+            cfg.set_alpn_protos(&alpn.encode())?;
+        } else {
+            // Default use the connector configuration.
+            if let Some(ref alpn_values) = self.config.alpn_protocols {
+                let encoded = AlpnProtocol::encode_sequence(alpn_values.as_ref());
+                cfg.set_alpn_protos(&encoded)?;
+            }
+        }
+        let uri = req.uri().clone();
+        let host = uri.host().ok_or("URI missing host")?;
+        let host = Self::normalize_host(host);
+        if let Some(ref cache) = self.cache {
+            let key = SessionKey(req.identify());
+            // If the session cache is enabled, we try to retrieve the session
+            // associated with the key. If it exists, we set it in the SSL configuration.
+            if let Some(session) = cache.lock().get(&key) {
+                #[allow(unsafe_code)]
+                unsafe { cfg.set_session(&session) }?;
+                if self.config.no_ticket {
+                    cfg.set_options(SslOptions::NO_TICKET)?;
+                }
+            }
+            let idx = key_index()?;
+            cfg.set_ex_data(idx, key);
+        }
+        let ssl = cfg.into_ssl(host)?;
+        Ok(ssl)
+    }
+    /// If `host` is an IPv6 address, we must strip away the square brackets that surround
+    /// it (otherwise, boring will fail to parse the host as an IP address, eventually
+    /// causing the handshake to fail due a hostname verification error).
+    fn normalize_host(host: &str) -> &str {
+        if host.is_empty() {
+            return host;
+        }
+        let last = host.len() - 1;
+        let mut chars = host.chars();
+        if let (Some('['), Some(']')) = (chars.next(), chars.last()) {
+            if host[1..last].parse::<std::net::Ipv6Addr>().is_ok() {
+                return &host[1..last];
+            }
+        }
+        host
+    }
+}
+// ====== impl TlsConnectorBuilder =====
+impl TlsConnectorBuilder {
+    /// Sets the alpn protocol to be used.
+    #[inline(always)]
+    pub fn alpn_protocol(mut self, protocol: Option<AlpnProtocol>) -> Self {
+        self.alpn_protocol = protocol;
+        self
+    }
+    /// Sets the TLS keylog policy.
+    #[inline(always)]
+    pub fn keylog(mut self, keylog: Option<KeyLog>) -> Self {
+        self.keylog = keylog;
+        self
+    }
+    /// Sets the identity to be used for client certificate authentication.
+    #[inline(always)]
+    pub fn identity(mut self, identity: Option<Identity>) -> Self {
+        self.identity = identity;
+        self
+    }
+    /// Sets the certificate store used for TLS verification.
+    #[inline(always)]
+    pub fn cert_store<T>(mut self, cert_store: T) -> Self
+    where
+        T: Into<Option<CertStore>>,
+    {
+        self.cert_store = cert_store.into();
+        self
+    }
+    /// Sets the certificate verification flag.
+    #[inline(always)]
+    pub fn cert_verification(mut self, enabled: bool) -> Self {
+        self.cert_verification = enabled;
+        self
+    }
+    /// Sets the minimum TLS version to use.
+    #[inline(always)]
+    pub fn min_version<T>(mut self, version: T) -> Self
+    where
+        T: Into<Option<TlsVersion>>,
+    {
+        self.min_version = version.into();
+        self
+    }
+    /// Sets the maximum TLS version to use.
+    #[inline(always)]
+    pub fn max_version<T>(mut self, version: T) -> Self
+    where
+        T: Into<Option<TlsVersion>>,
+    {
+        self.max_version = version.into();
+        self
+    }
+    /// Sets the Server Name Indication (SNI) flag.
+    #[inline(always)]
+    pub fn tls_sni(mut self, enabled: bool) -> Self {
+        self.tls_sni = enabled;
+        self
+    }
+    /// Sets the hostname verification flag.
+    #[inline(always)]
+    pub fn verify_hostname(mut self, enabled: bool) -> Self {
+        self.verify_hostname = enabled;
+        self
+    }
+    /// Build the `TlsConnector` with the provided configuration.
+    pub fn build(&self, opts: &TlsOptions) -> crate::Result<TlsConnector> {
+        // Replace the default configuration with the provided one
+        let max_tls_version = opts.max_tls_version.or(self.max_version);
+        let min_tls_version = opts.min_tls_version.or(self.min_version);
+        let alpn_protocols = self
+            .alpn_protocol
+            .map(|proto| Cow::Owned(vec![proto]))
+            .or_else(|| opts.alpn_protocols.clone());
+        // Create the SslConnector with the provided options
+        let mut connector = SslConnector::no_default_verify_builder(SslMethod::tls_client())
+            .map_err(Error::tls)?
+            .set_cert_store(self.cert_store.as_ref())?
+            .set_cert_verification(self.cert_verification)?
+            .add_certificate_compression_algorithms(
+                opts.certificate_compression_algorithms.as_deref(),
+            )?;
+        // Set Identity
+        if let Some(ref identity) = self.identity {
+            identity.add_to_tls(&mut connector)?;
+        }
+        // Set minimum TLS version
+        set_option_inner_try!(min_tls_version, connector, set_min_proto_version);
+        // Set maximum TLS version
+        set_option_inner_try!(max_tls_version, connector, set_max_proto_version);
+        // Set OCSP stapling
+        set_bool!(opts, enable_ocsp_stapling, connector, enable_ocsp_stapling);
+        // Set Signed Certificate Timestamps (SCT)
+        set_bool!(
+            opts,
+            enable_signed_cert_timestamps,
+            connector,
+            enable_signed_cert_timestamps
+        );
+        // Set TLS Session ticket options
+        set_bool!(
+            opts,
+            !session_ticket,
+            connector,
+            set_options,
+            SslOptions::NO_TICKET
+        );
+        // Set TLS PSK DHE key exchange options
+        set_bool!(
+            opts,
+            !psk_dhe_ke,
+            connector,
+            set_options,
+            SslOptions::NO_PSK_DHE_KE
+        );
+        // Set TLS No Renegotiation options
+        set_bool!(
+            opts,
+            !renegotiation,
+            connector,
+            set_options,
+            SslOptions::NO_RENEGOTIATION
+        );
+        // Set TLS grease options
+        set_option!(opts, grease_enabled, connector, set_grease_enabled);
+        // Set TLS permute extensions options
+        set_option!(opts, permute_extensions, connector, set_permute_extensions);
+        // Set TLS curves list
+        set_option_ref_try!(opts, curves_list, connector, set_curves_list);
+        // Set TLS signature algorithms list
+        set_option_ref_try!(opts, sigalgs_list, connector, set_sigalgs_list);
+        // Set TLS prreserve TLS 1.3 cipher list order
+        set_option!(
+            opts,
+            preserve_tls13_cipher_list,
+            connector,
+            set_preserve_tls13_cipher_list
+        );
+        // Set TLS cipher list
+        set_option_ref_try!(opts, cipher_list, connector, set_cipher_list);
+        // Set TLS delegated credentials
+        set_option_ref_try!(
+            opts,
+            delegated_credentials,
+            connector,
+            set_delegated_credentials
+        );
+        // Set TLS record size limit
+        set_option!(opts, record_size_limit, connector, set_record_size_limit);
+        // Set TLS key shares limit
+        set_option!(opts, key_shares_limit, connector, set_key_shares_limit);
+        // Set TLS aes hardware override
+        set_option!(opts, aes_hw_override, connector, set_aes_hw_override);
+        // Set TLS extension permutation
+        if let Some(ref extension_permutation) = opts.extension_permutation {
+            connector
+                .set_extension_permutation(extension_permutation)
+                .map_err(Error::tls)?;
+        }
+        // Set TLS keylog handler.
+        if let Some(ref policy) = self.keylog {
+            let handle = policy.clone().handle().map_err(Error::tls)?;
+            connector.set_keylog_callback(move |_, line| {
+                handle.write(line);
+            });
+        }
+        // Create the handshake config with the default session cache capacity.
+        let config = HandshakeConfig::builder()
+            .no_ticket(opts.psk_skip_session_ticket)
+            .alpn_protocols(alpn_protocols)
+            .alps_protocols(opts.alps_protocols.clone())
+            .alps_use_new_codepoint(opts.alps_use_new_codepoint)
+            .enable_ech_grease(opts.enable_ech_grease)
+            .tls_sni(self.tls_sni)
+            .verify_hostname(self.verify_hostname)
+            .random_aes_hw_override(opts.random_aes_hw_override)
+            .build();
+        // If the session cache is disabled, we don't need to set up any callbacks.
+        let cache = opts.pre_shared_key.then(|| {
+            let cache = self.session_cache.clone();
+            connector.set_session_cache_mode(SslSessionCacheMode::CLIENT);
+            connector.set_new_session_callback({
+                let cache = cache.clone();
+                move |ssl, session| {
+                    if let Ok(Some(key)) = key_index().map(|idx| ssl.ex_data(idx)) {
+                        cache.lock().insert(key.clone(), session);
+                    }
+                }
+            });
+            cache
+        });
+        Ok(TlsConnector {
+            inner: Inner {
+                ssl: connector.build(),
+                cache,
+                config,
+            },
+        })
+    }
+}
+// ===== impl TlsConnector =====
+impl TlsConnector {
+    /// Creates a new `TlsConnectorBuilder` with the given configuration.
+    pub fn builder() -> TlsConnectorBuilder {
+        const DEFAULT_SESSION_CACHE_CAPACITY: usize = 8;
+        TlsConnectorBuilder {
+            session_cache: Arc::new(Mutex::new(SessionCache::with_capacity(
+                DEFAULT_SESSION_CACHE_CAPACITY,
+            ))),
+            alpn_protocol: None,
+            min_version: None,
+            max_version: None,
+            identity: None,
+            cert_store: None,
+            cert_verification: true,
+            tls_sni: true,
+            verify_hostname: true,
+            keylog: None,
+        }
+    }
+}
+/// A stream which may be wrapped with TLS.
+pub enum MaybeHttpsStream<T> {
+    /// A raw HTTP stream.
+    Http(T),
+    /// An SSL-wrapped HTTP stream.
+    Https(SslStream<T>),
+}
+/// A connection that has been established with a TLS handshake.
+pub struct EstablishedConn<IO> {
+    io: IO,
+    req: ConnectRequest,
+}
+// ===== impl MaybeHttpsStream =====
+impl<T> MaybeHttpsStream<T> {
+    /// Returns a reference to the underlying stream.
+    #[inline]
+    pub fn get_ref(&self) -> &T {
+        match self {
+            MaybeHttpsStream::Http(s) => s,
+            MaybeHttpsStream::Https(s) => s.get_ref(),
+        }
+    }
+}
+impl<T> fmt::Debug for MaybeHttpsStream<T> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match *self {
+            MaybeHttpsStream::Http(..) => f.pad("Http(..)"),
+            MaybeHttpsStream::Https(..) => f.pad("Https(..)"),
+        }
+    }
+}
+impl<T> Connection for MaybeHttpsStream<T>
+where
+    T: Connection,
+{
+    fn connected(&self) -> Connected {
+        match self {
+            MaybeHttpsStream::Http(s) => s.connected(),
+            MaybeHttpsStream::Https(s) => {
+                let mut connected = s.get_ref().connected();
+                if s.ssl().selected_alpn_protocol() == Some(b"h2") {
+                    connected = connected.negotiated_h2();
+                }
+                connected
+            }
+        }
+    }
+}
+impl<T> AsyncRead for MaybeHttpsStream<T>
+where
+    T: AsyncRead + AsyncWrite + Unpin,
+{
+    fn poll_read(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<io::Result<()>> {
+        match self.as_mut().get_mut() {
+            MaybeHttpsStream::Http(inner) => Pin::new(inner).poll_read(cx, buf),
+            MaybeHttpsStream::Https(inner) => Pin::new(inner).poll_read(cx, buf),
+        }
+    }
+}
+impl<T> AsyncWrite for MaybeHttpsStream<T>
+where
+    T: AsyncRead + AsyncWrite + Unpin,
+{
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        ctx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        match self.as_mut().get_mut() {
+            MaybeHttpsStream::Http(inner) => Pin::new(inner).poll_write(ctx, buf),
+            MaybeHttpsStream::Https(inner) => Pin::new(inner).poll_write(ctx, buf),
+        }
+    }
+    fn poll_flush(mut self: Pin<&mut Self>, ctx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        match self.as_mut().get_mut() {
+            MaybeHttpsStream::Http(inner) => Pin::new(inner).poll_flush(ctx),
+            MaybeHttpsStream::Https(inner) => Pin::new(inner).poll_flush(ctx),
+        }
+    }
+    fn poll_shutdown(mut self: Pin<&mut Self>, ctx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        match self.as_mut().get_mut() {
+            MaybeHttpsStream::Http(inner) => Pin::new(inner).poll_shutdown(ctx),
+            MaybeHttpsStream::Https(inner) => Pin::new(inner).poll_shutdown(ctx),
+        }
+    }
+}
+// ===== impl EstablishedConn =====
+impl<IO> EstablishedConn<IO> {
+    /// Creates a new [`EstablishedConn`].
+    #[inline]
+    pub fn new(io: IO, req: ConnectRequest) -> EstablishedConn<IO> {
+        EstablishedConn { io, req }
+    }
+}