Add custom verification handler to NIOSSLServerHandler

Sources/HummingbirdHTTP2/HTTP2UpgradeChannel.swift

@@ -32,7 +32,7 @@
         public let channel: Channel
     }
 
-    private let sslContext: NIOSSLContext
+    private let tlsChannelConfiguration: TLSChannelInternalConfiguration
     private let http1: HTTP1Channel
     private let http2: HTTP2Channel
     public let configuration: Configuration
@@ -54,7 +54,7 @@
     ) throws {
         var tlsConfiguration = tlsConfiguration
         tlsConfiguration.applicationProtocols = NIOHTTP2SupportedALPNProtocols
-        self.sslContext = try NIOSSLContext(configuration: tlsConfiguration)
+        self.tlsChannelConfiguration = try .init(configuration: .init(tlsConfiguration: tlsConfiguration))
         self.configuration = .init()
         self.http1 = HTTP1Channel(
             responder: responder,
@@ -78,7 +78,25 @@
     ) throws {
         var tlsConfiguration = tlsConfiguration
         tlsConfiguration.applicationProtocols = NIOHTTP2SupportedALPNProtocols
-        self.sslContext = try NIOSSLContext(configuration: tlsConfiguration)
+        self.tlsChannelConfiguration = try .init(configuration: .init(tlsConfiguration: tlsConfiguration))
+        self.configuration = configuration
+        self.http1 = HTTP1Channel(responder: responder, configuration: configuration.streamConfiguration)
+        self.http2 = HTTP2Channel(responder: responder, configuration: configuration)
+    }
+
+    ///  Initialize HTTP2UpgradeChannel
+    /// - Parameters:
+    ///   - tlsConfiguration: TLS configuration
+    ///   - configuration: HTTP2 channel configuration
+    ///   - responder: Function returning a HTTP response for a HTTP request
+    public init(
+        tlsChannelConfiguration: TLSChannelConfiguration,
+        configuration: Configuration = .init(),
+        responder: @escaping HTTPChannelHandler.Responder
+    ) throws {
+        var tlsChannelConfiguration = tlsChannelConfiguration
+        tlsChannelConfiguration.tlsConfiguration.applicationProtocols = NIOHTTP2SupportedALPNProtocols
+        self.tlsChannelConfiguration = try .init(configuration: tlsChannelConfiguration)
         self.configuration = configuration
         self.http1 = HTTP1Channel(responder: responder, configuration: configuration.streamConfiguration)
         self.http2 = HTTP2Channel(responder: responder, configuration: configuration)
@@ -91,7 +109,13 @@
     /// - Returns: Object to process input/output on child channel
     public func setup(channel: Channel, logger: Logger) -> EventLoopFuture<Value> {
         do {
-            try channel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: self.sslContext))
+            try channel.pipeline.syncOperations.addHandler(
+                NIOSSLServerHandler(
+                    context: self.tlsChannelConfiguration.sslContext,
+                    customVerificationCallback: self.tlsChannelConfiguration.customVerificationCallback,
+                    configuration: .init()
+                )
+            )
         } catch {
             return channel.eventLoop.makeFailedFuture(error)
         }

Sources/HummingbirdHTTP2/TLSChannelConfiguration.swift

@@ -0,0 +1,57 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Hummingbird server framework project
+//
+// Copyright (c) 2025 the Hummingbird authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See hummingbird/CONTRIBUTORS.txt for the list of Hummingbird authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import NIOCore
+import NIOSSL
+
+/// TLSChannel configuration
+public struct TLSChannelConfiguration: Sendable {
+    public typealias CustomVerificationCallback = @Sendable ([NIOSSLCertificate], EventLoopPromise<NIOSSLVerificationResult>) -> Void
+    // Manages configuration of TLS
+    public var tlsConfiguration: TLSConfiguration
+    /// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.
+    public var customVerificationCallback: CustomVerificationCallback?
+
+    ///  Initialize TLSChannel.Configuration
+    ///
+    /// For details on custom callback see swift-nio-ssl documentation
+    /// https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl/niosslcustomverificationcallback
+    /// - Parameters:
+    ///   - tlsConfiguration: TLS configuration
+    ///   - customVerificationCallback: A custom verification callback that allows completely overriding the
+    ///         certificate verification logic of BoringSSL.
+    public init(
+        tlsConfiguration: TLSConfiguration,
+        customVerificationCallback: CustomVerificationCallback? = nil
+    ) {
+        self.tlsConfiguration = tlsConfiguration
+        self.customVerificationCallback = customVerificationCallback
+    }
+}
+
+/// TLSChannel configuration
+@usableFromInline
+package struct TLSChannelInternalConfiguration: Sendable {
+    // Manages configuration of TLS
+    @usableFromInline
+    let sslContext: NIOSSLContext
+    /// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.
+    @usableFromInline
+    let customVerificationCallback: TLSChannelConfiguration.CustomVerificationCallback?
+
+    init(configuration: TLSChannelConfiguration) throws {
+        self.sslContext = try NIOSSLContext(configuration: configuration.tlsConfiguration)
+        self.customVerificationCallback = configuration.customVerificationCallback
+    }
+}

Sources/HummingbirdTLS/TLSChannel.swift

@@ -26,7 +26,16 @@
     ///   - baseChannel: Base child channel wrap
     ///   - tlsConfiguration: TLS configuration
     public init(_ baseChannel: BaseChannel, tlsConfiguration: TLSConfiguration) throws {
-        self.sslContext = try NIOSSLContext(configuration: tlsConfiguration)
+        self.configuration = try .init(configuration: .init(tlsConfiguration: tlsConfiguration))
+        self.baseChannel = baseChannel
+    }
+
+    ///  Initialize TLSChannel
+    /// - Parameters:
+    ///   - baseChannel: Base child channel wrap
+    ///   - tlsConfiguration: TLS configuration
+    public init(_ baseChannel: BaseChannel, configuration: TLSChannelConfiguration) throws {
+        self.configuration = try .init(configuration: configuration)
         self.baseChannel = baseChannel
     }
 
@@ -38,7 +47,13 @@
     @inlinable
     public func setup(channel: Channel, logger: Logger) -> EventLoopFuture<Value> {
         channel.eventLoop.makeCompletedFuture {
-            try channel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: self.sslContext))
+            try channel.pipeline.syncOperations.addHandler(
+                NIOSSLServerHandler(
+                    context: self.configuration.sslContext,
+                    customVerificationCallback: self.configuration.customVerificationCallback,
+                    configuration: .init()
+                )
+            )
         }.flatMap {
             self.baseChannel.setup(channel: channel, logger: logger)
         }
@@ -54,7 +69,7 @@
     }
 
     @usableFromInline
-    let sslContext: NIOSSLContext
+    let configuration: TLSChannelInternalConfiguration
     @usableFromInline
     var baseChannel: BaseChannel
 }
@@ -71,3 +86,44 @@
         try TLSChannel(self, tlsConfiguration: tlsConfiguration)
     }
 }
+
+/// TLSChannel configuration
+public struct TLSChannelConfiguration: Sendable {
+    public typealias CustomVerificationCallback = @Sendable ([NIOSSLCertificate], EventLoopPromise<NIOSSLVerificationResult>) -> Void
+    // Manages configuration of TLS
+    public let tlsConfiguration: TLSConfiguration
+    /// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.
+    public let customVerificationCallback: CustomVerificationCallback?
+
+    ///  Initialize TLSChannel.Configuration
+    ///
+    /// For details on custom callback see swift-nio-ssl documentation
+    /// https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl/niosslcustomverificationcallback
+    /// - Parameters:
+    ///   - tlsConfiguration: TLS configuration
+    ///   - customVerificationCallback: A custom verification callback that allows completely overriding the
+    ///         certificate verification logic of BoringSSL.
+    public init(
+        tlsConfiguration: TLSConfiguration,
+        customVerificationCallback: CustomVerificationCallback? = nil
+    ) {
+        self.tlsConfiguration = tlsConfiguration
+        self.customVerificationCallback = customVerificationCallback
+    }
+}
+
+/// TLSChannel configuration
+@usableFromInline
+package struct TLSChannelInternalConfiguration: Sendable {
+    // Manages configuration of TLS
+    @usableFromInline
+    let sslContext: NIOSSLContext
+    /// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.
+    @usableFromInline
+    let customVerificationCallback: TLSChannelConfiguration.CustomVerificationCallback?
+
+    init(configuration: TLSChannelConfiguration) throws {
+        self.sslContext = try NIOSSLContext(configuration: configuration.tlsConfiguration)
+        self.customVerificationCallback = configuration.customVerificationCallback
+    }
+}