What is the problem your feature solves, or the need it fulfills?
Pingora’s rustls backend does not currently expose any way to configure listener-side mTLS (client certificate authentication).
With rustls 0.23, client authentication must be configured on rustls::ServerConfig via a ClientCertVerifier. While applications can construct a verifier (e.g. WebPkiClientVerifier), TlsSettings provides no API to attach it, so rustls listeners cannot actually enforce mTLS. This is a parity gap with the OpenSSL backend.
Describe the solution you'd like
Expose an API on the rustls listener configuration path (e.g. TlsSettings) to configure server-side client authentication. This could take the form of a setter for ClientCertVerifier, a builder-style client-auth configuration, or an equivalent high-level abstraction. No default behavior needs to change; this would only expose a supported wiring point.
Describe alternatives you've considered
Using the OpenSSL backend, which already supports listener-side mTLS.
Additional context
Happy to submit a PR once the preferred API shape is confirmed.