How to make a TLS connection between two peers using Rust tokio_native_tls

I am working in a file transfer system that has p2p connectivity library using Rust. It works using just tcp but now I want to improve it using TLS but I do not understand 2 things. First is how can 2 peers share the Certificate Authorities CA so they can verify that the connection is trustworthy.

Secondly, I am trying to use the tokio_native_tls which wraps the native_tls library and adds async. I am following the examples in the native_tls docs. However they use connector with a domain and as the domain they use Google.

This is the example they provide.

use native_tls::TlsConnector;
use std::io::{Read, Write};
use std::net::TcpStream;

let connector = TlsConnector::new().unwrap();

let stream = TcpStream::connect("google.com:443").unwrap();
let mut stream = connector.connect("google.com", stream).unwrap();

stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
let mut res = vec![];
stream.read_to_end(&mut res).unwrap();
println!("{}", String::from_utf8_lossy(&res));

In the peer to peer connection I describe there is only 2 peers trying to transfer some files. Since they don't have a domain only IP it would not work. I am pretty lost. How can I approach this project?

Solution

`native-tls`

The docs for the synchronous connect function say that:

The domain is ignored if both SNI and hostname verification are disabled.

Taking that into account, switching to the async API's, and generating a self-signed certificate, we arrive at the following working code:

[package]
name = "tls"
version = "0.1.0"
edition = "2021"

[dependencies]
rcgen = "0.13.1"
tokio = { version = "1.41.1", features = ["full"] }
tokio-native-tls = "0.3.1"

use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::{TcpListener, TcpStream};
use tokio_native_tls::native_tls::Identity;
use tokio_native_tls::{native_tls, TlsAcceptor, TlsConnector};

#[tokio::main]
async fn main() {
    let cert = rcgen::generate_simple_self_signed([]).unwrap();
    let listener = TcpListener::bind("127.0.0.1:8001").await.unwrap();

    let trusted = native_tls::Certificate::from_pem(cert.cert.pem().as_bytes()).unwrap();
    tokio::spawn(async move {
        let connector = TlsConnector::from(
            native_tls::TlsConnector::builder()
                .disable_built_in_roots(true)
                .add_root_certificate(trusted)
                .danger_accept_invalid_hostnames(true)
                .use_sni(false)
                .build()
                .unwrap(),
        );
        let tcp = TcpStream::connect("0.0.0.0:8001").await.unwrap();
        let mut tls = connector.connect("N/A", tcp).await.unwrap();
        tls.write_all(b"hello!").await.unwrap();
        tls.shutdown().await.unwrap();
    });

    let acceptor = TlsAcceptor::from(
        native_tls::TlsAcceptor::new(
            Identity::from_pkcs8(
                cert.cert.pem().as_bytes(),
                cert.key_pair.serialize_pem().as_bytes(),
            )
            .unwrap(),
        )
        .unwrap(),
    );

    let (tcp, _) = listener.accept().await.unwrap();
    let mut tls = acceptor.accept(tcp).await.unwrap();
    let mut buf = String::new();
    tls.read_to_string(&mut buf).await.unwrap();
    println!("read: {buf}");
}

`rustls`

Here is similar code using rustls. Differences include:

You can and should pass the server IP instead of "N/A" for server name.
The default certificate verifier requires the IP to be among the subject names.

[package]
name = "tls"
version = "0.1.0"
edition = "2021"

[dependencies]
rcgen = "0.13.1"
tokio = { version = "1.41.1", features = ["full"] }
tokio-rustls = "0.26.0"

use std::net::Ipv4Addr;
use std::sync::Arc;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::{TcpListener, TcpStream};
use tokio_rustls::rustls::pki_types::pem::PemObject;
use tokio_rustls::rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer, ServerName};
use tokio_rustls::rustls::{ClientConfig, RootCertStore};
use tokio_rustls::{rustls, TlsAcceptor, TlsConnector};

#[tokio::main]
async fn main() {
    let cert = rcgen::generate_simple_self_signed(["127.0.0.1".to_owned()]).unwrap();
    let listener = TcpListener::bind("127.0.0.1:8001").await.unwrap();

    let mut trusted = RootCertStore::empty();
    trusted.add(cert.cert.der().clone()).unwrap();
    tokio::spawn(async move {
        let connector: TlsConnector = TlsConnector::from(Arc::new(
            ClientConfig::builder()
                .with_root_certificates(trusted)
                .with_no_client_auth(),
        ));
        let tcp = TcpStream::connect("127.0.0.1:8001").await.unwrap();
        let mut tls = connector
            .connect(
                ServerName::IpAddress(Ipv4Addr::new(127, 0, 0, 1).into()),
                tcp,
            )
            .await
            .unwrap();
        tls.write_all(b"hello!").await.unwrap();
        tls.shutdown().await.unwrap();
    });

    let acceptor = TlsAcceptor::from(Arc::new(
        rustls::ServerConfig::builder()
            .with_no_client_auth()
            .with_single_cert(
                vec![cert.cert.der().clone()],
                PrivateKeyDer::Pkcs8(
                    PrivatePkcs8KeyDer::from_pem_slice(cert.key_pair.serialize_pem().as_bytes())
                        .unwrap(),
                ),
            )
            .unwrap(),
    ));

    let (tcp, _) = listener.accept().await.unwrap();
    let mut tls = acceptor.accept(tcp).await.unwrap();
    let mut buf = String::new();
    tls.read_to_string(&mut buf).await.unwrap();
    println!("read: {buf}");
}

If you wanted to use a CA-signed certificate, you would add the CA certificate as a trusted root instead.