cloudflare/pingora

TLS: structured certificate selection result for async certificate callbacks

Open

#838 opened on Mar 11, 2026

Labels: enhancement, help wanted

Description

Currently async TLS certificate callbacks rely entirely on mutating SslRef. When certificate selection fails or is rejected, the resulting TLS accept error can be difficult to diagnose because the callback cannot explicitly communicate its outcome.

This is a small proposal to improve diagnostics for async certificate selection.

This proposal introduces a structured result for certificate selection:

enum TlsCertificateSelection {
    Selected,
    Rejected { reason: String },
    NoSelection,
}

TlsAccept would gain an optional method:

async fn certificate_callback_result(
    &self,
    ssl: &mut TlsRef,
) -> TlsCertificateSelection

New implementations could return explicit outcomes, while existing certificate_callback() implementations would remain supported.

Legacy callbacks mutate SslRef directly, so the TLS server handshake layer would infer success when certificate material was installed even if the callback returned NoSelection.

This would allow TLS accept to produce clearer diagnostics for cases such as:

  • explicit callback rejection
  • callback returning without selecting a certificate
  • callback reporting success without installing certificate material

The listener API remains backend-agnostic; certificate inspection and legacy inference stay in the TLS server handshake implementation.

Scope

This change currently applies only to the OpenSSL/BoringSSL TLS server implementation (openssl_derived). Other TLS backends (rustls, s2n, noop) are unaffected because async certificate selection currently operates on SslRef in the OpenSSL path.

If this direction looks reasonable, I can open a PR with a working implementation.

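The resolution logic the proposal describes, worked through in plain Rust as an added example; this is not code from the issue or from pingora. `MockTlsRef`, `CertSelectionError`, `resolve_selection`, `run_accept` and the three acceptor structs are hypothetical stand-ins for the handshake state and the TLS server accept path, and the hooks are synchronous where the proposal's are `async`, so that the example runs with the standard library alone. The default body of `certificate_callback_result` is the legacy-compatibility path the issue sketches, and `resolve_selection` is the inference table: it cross-checks the reported outcome against whether certificate material was actually installed, so each of the three failure modes listed in the description yields a distinct diagnostic.

```rust
// Added illustration, not pingora code: how a TLS accept layer could cross-check
// the structured callback outcome proposed above against what the callback really
// installed. Every name is a hypothetical stand-in; hooks are sync, not async.
use std::fmt;

/// Structured outcome of certificate selection, as proposed in the issue.
#[derive(Debug, Clone, PartialEq)]
pub enum TlsCertificateSelection {
    Selected,
    Rejected { reason: String },
    NoSelection,
}

/// Stand-in for the per-connection handshake state (pingora's TlsRef wraps the
/// OpenSSL/BoringSSL SslRef): the client SNI and whether a cert was installed.
pub struct MockTlsRef {
    pub server_name: Option<String>,
    pub cert_installed: bool,
}

/// Hypothetical extended trait: the legacy hook stays required; the structured hook
/// defaults to running it and reporting NoSelection, so old implementors compile unchanged.
pub trait TlsAccept {
    fn certificate_callback(&self, ssl: &mut MockTlsRef);
    fn certificate_callback_result(&self, ssl: &mut MockTlsRef) -> TlsCertificateSelection {
        self.certificate_callback(ssl);
        TlsCertificateSelection::NoSelection
    }
}

/// Diagnostics the handshake layer can surface instead of a bare accept error.
#[derive(Debug, PartialEq)]
pub enum CertSelectionError {
    Rejected(String),
    NoCertificateInstalled,
    SelectedWithoutMaterial,
}

impl fmt::Display for CertSelectionError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Rejected(r) => write!(f, "callback rejected the handshake: {r}"),
            Self::NoCertificateInstalled => write!(f, "callback returned without selecting a certificate"),
            Self::SelectedWithoutMaterial => write!(f, "callback reported success but installed no certificate"),
        }
    }
}

/// The inference table: a claim of success without material is an error, and a
/// legacy callback that installed material is still inferred as success.
pub fn resolve_selection(outcome: TlsCertificateSelection, ssl: &MockTlsRef) -> Result<(), CertSelectionError> {
    use TlsCertificateSelection::*;
    match (outcome, ssl.cert_installed) {
        (Selected, true) | (NoSelection, true) => Ok(()),
        (Selected, false) => Err(CertSelectionError::SelectedWithoutMaterial),
        (Rejected { reason }, _) => Err(CertSelectionError::Rejected(reason)),
        (NoSelection, false) => Err(CertSelectionError::NoCertificateInstalled),
    }
}

/// One accept: build the handshake state for the connection, run the hook, resolve.
pub fn run_accept<A: TlsAccept>(acceptor: &A, sni: Option<&str>) -> Result<(), CertSelectionError> {
    let mut ssl = MockTlsRef { server_name: sni.map(str::to_owned), cert_installed: false };
    let outcome = acceptor.certificate_callback_result(&mut ssl);
    resolve_selection(outcome, &ssl)
}

/// Constructed legacy implementor: only mutates state, never reports an outcome.
pub struct LegacyAcceptor { pub install: bool }
impl TlsAccept for LegacyAcceptor {
    fn certificate_callback(&self, ssl: &mut MockTlsRef) { ssl.cert_installed = self.install; }
}

/// Constructed new-style implementor: selects by SNI and states why it did or did not.
pub struct SniAcceptor { pub hosts: Vec<String> }
impl TlsAccept for SniAcceptor {
    fn certificate_callback(&self, ssl: &mut MockTlsRef) { let _ = self.certificate_callback_result(ssl); }
    fn certificate_callback_result(&self, ssl: &mut MockTlsRef) -> TlsCertificateSelection {
        match ssl.server_name.clone() {
            None => TlsCertificateSelection::NoSelection,
            Some(name) if self.hosts.contains(&name) => { ssl.cert_installed = true; TlsCertificateSelection::Selected }
            Some(name) => TlsCertificateSelection::Rejected { reason: format!("no certificate configured for {name}") },
        }
    }
}

/// Constructed misbehaving implementor: claims success but installs nothing.
pub struct BuggyAcceptor;
impl TlsAccept for BuggyAcceptor {
    fn certificate_callback(&self, _ssl: &mut MockTlsRef) {}
    fn certificate_callback_result(&self, _ssl: &mut MockTlsRef) -> TlsCertificateSelection { TlsCertificateSelection::Selected }
}

fn main() {
    let sni = SniAcceptor { hosts: vec!["a.example".to_owned()] };
    for (label, r) in [("legacy", run_accept(&LegacyAcceptor { install: false }, None)), ("sni", run_accept(&sni, Some("b.example"))), ("buggy", run_accept(&BuggyAcceptor, None))] {
        match r { Ok(()) => println!("{label}: accepted"), Err(e) => println!("{label}: {e}") }
    }
}
```

The point of keeping the cross-check in the handshake layer rather than trusting the returned variant is the `SelectedWithoutMaterial` arm: a callback's claim of success is not evidence that a certificate is present, so the accept path inspects the state it controls and only then decides. `NoSelection` with material installed is accepted on purpose, which is what keeps every existing `certificate_callback()` implementation working through the default method.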