plabayo · soundofspace · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/Cargo.toml b/Cargo.toml
@@ -411,6 +411,10 @@ required-features = ["tcp"]
 name = "tcp_listener_layers"
 required-features = ["tcp"]
 
+[[example]]
+name = "tls_boring_dynamic_certs"
+required-features = ["boring", "http-full"]
+
 [[example]]
 name = "tls_boring_termination"
 required-features = ["boring", "haproxy", "http-full"]

diff --git a/examples/assets/example.com.crt b/examples/assets/example.com.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE3DCCAsSgAwIBAgIJAN4TBpLFs4VhMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC2V4YW1wbGUuY29tMB4XDTI0MTIwOTIwMDUxN1oXDTM0MTIwNzIwMDUxN1ow
+FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQC14A6yHqrF+5+VPljtBd9vgjTQxBCqQ7Af/7cNlFtZjOKmXz0bOCfZ
+RjaxNNjjveztFH+VhRpH/JyM7Qd7R0FX84IyH4Z9a58jgKW/l/YM1Q4Y50WGpM9S
+k5p9Q8xTWIoZPrjvh6zV4PKef87LxxqoO9QXv34d5g7dsQLbSwJ93SeggH0E5e1V
+vP1DW0kvu1BF6rsmF5eTyK/VNg/el9mGyMbcyhBKTpTyVT2FQYRFuZtHXHRnAocC
+dv887c/TsYVDffTwv7peVoOotO0twKn0SMdtybiNJyDEdcgw2bFbQu7oV/95cBur
+pxePzED31E64QI8emTvZ62L/c5QvP0OY3x2CSb5ctd6z7wWTJ8wkl7N8+y7Xgn1a
+AAfki4rWk5qfWAO3BNZo/TGyiWeoNttJ+NddfwI3+h6phK7X56vRhYSqwSnxWyQY
+lTJAnFQb7TMEP/k9ov2S9MzLTURLLeNiiXjvkOxi+12HzhlTNgk3X49y9f8PLxkN
+w37TghunAl4OvA+LdslSayFMmZbx9fm+6ZGkjcsDYnf1Mff+aoCkkUcAFg5DQFDk
+mvu08mJL2D+9I9OK/Yvn/qXWjhVdWLJ/k5hrQmLIs1KbQtlGvvYeC7kHY3yBK+3w
+t/Cnx9qwhOPJcufuEChiMcVcseGAZJhUT7gQM22v9jb9QZfhihGMpQIDAQABoy0w
+KzApBgNVHREEIjAgggtleGFtcGxlLmNvbYILZXhhbXBsZS5jb22HBAoAAAEwDQYJ
+KoZIhvcNAQELBQADggIBAJBG9KcH0FG7xn2u4SA4nlwaP/v2ZWZlOwjVjHEQJF7A
+GaEZFVofzLoRncVnQs14Xr3SGstIBG/P30LC4zHO4Lhz0M+g/lbXhrDjTJLNX7ZN
+v2ZJj+6XBysJK2IuZX14YCtxhwFCuPBK1cxPDkP4nZm4u5tozLHPtZEHc4kGVQfl
+urkTVmfhJMi5ndAOevXVgfAHRbHfh6x1kNZWDpybiPeeBvZOjRoxecsD7LA54kns
+SFCQe6zQRlfBUUD+RDI/ggDi3XnKdDHEkLZCH3/db4CcneyzzVkaNcvpOS6ZT6ak
+DLmR8qAglTrADdsnNVzyWzNbBhXQEFoygY3F2rVQndTLoEFGMx7U2d3Fz8sVN/F2
+SzBYxtrwgj5rQC8tOhHZPVgQLXu6NRRZHEQgypDtGP0H4SUNcGb1Lw27E43KSIT9
+CpY8Z3SG34G4bYGfpdMN3wtoXG7BtrdmInNWiT+ygh+iJCSaSsAWtaPRnx/9uGLw
+UNVjzVxJhxGKBbf1hJ5g1x3zMeL73wrsiY6RBa6tWx9SHbRoq8htbkQAnP0tMOav
+GiTApFquBYDe2gYbuq5jh4yTbNyuxR4WW6m6Bvj7YhUREXQnTDonUwHzw2P29T95
+z52aPb5PaZYHgg4S26zRV+/Dc8E3oLkjgCyaDuQO4uUpmtT8ssTolIFNr2QUzD12
+-----END CERTIFICATE-----
diff --git a/examples/assets/example.com.key b/examples/assets/example.com.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC14A6yHqrF+5+V
+PljtBd9vgjTQxBCqQ7Af/7cNlFtZjOKmXz0bOCfZRjaxNNjjveztFH+VhRpH/JyM
+7Qd7R0FX84IyH4Z9a58jgKW/l/YM1Q4Y50WGpM9Sk5p9Q8xTWIoZPrjvh6zV4PKe
+f87LxxqoO9QXv34d5g7dsQLbSwJ93SeggH0E5e1VvP1DW0kvu1BF6rsmF5eTyK/V
+Ng/el9mGyMbcyhBKTpTyVT2FQYRFuZtHXHRnAocCdv887c/TsYVDffTwv7peVoOo
+tO0twKn0SMdtybiNJyDEdcgw2bFbQu7oV/95cBurpxePzED31E64QI8emTvZ62L/
+c5QvP0OY3x2CSb5ctd6z7wWTJ8wkl7N8+y7Xgn1aAAfki4rWk5qfWAO3BNZo/TGy
+iWeoNttJ+NddfwI3+h6phK7X56vRhYSqwSnxWyQYlTJAnFQb7TMEP/k9ov2S9MzL
+TURLLeNiiXjvkOxi+12HzhlTNgk3X49y9f8PLxkNw37TghunAl4OvA+LdslSayFM
+mZbx9fm+6ZGkjcsDYnf1Mff+aoCkkUcAFg5DQFDkmvu08mJL2D+9I9OK/Yvn/qXW
+jhVdWLJ/k5hrQmLIs1KbQtlGvvYeC7kHY3yBK+3wt/Cnx9qwhOPJcufuEChiMcVc
+seGAZJhUT7gQM22v9jb9QZfhihGMpQIDAQABAoICAAEwEWiAYsUgO46R9aq2mxrz
+Urz6StGR15id5ugjy+Tt0p0bih6fY0M7/idyHOh/2QhDVgH3+I/3yl3xPldDw917
+LaJ+KjaveT6WHH7/0w+KZKks+XtDoEb9x8iBpNf2gBBiJHsL+8j5yxvV4dfa2QW4
+Pk5ZZc10Lyyrd0VPXBjOVO/rZuWdSsuAjHbgJb42DvQl8ErzZH4GlX9i9v+RJk6H
+CSVv/GM/2CEtBVXVc7Ow3p68r9XsYk1V0ZzoQK81PZWPQQZBekobboivhc0CsRlz
+UDobUyU42DHwQvpusYXTDhReXsDARq38TV8XCmWT8V+qrESa45UswFzCuHkGhL58
+AzbO6SggLgIaneI/fy0E63jVZ7FuLfEFYTuLkkCbt4m5upzblhgUgny7rSIIX08Y
+mpCEDgSkyai88cYs3/KQQvrLzjVJSmQ4hu0OYJiMGMMv205H8oeQHV4WvEF38BvO
+dttULyvdxIsLCmJZSHFaNeC0/Cf7BZ/++aVFYB62Brp9TMNAouVvyPmQjKpTwa2b
+6ml4rzYyGPfRX8WMXZhKiONXLQUE6VTaq0QifhjLTlylRNemhvqc2CXDSA/leCT4
+RjkIEr3P/eGSuEayiqTP1/XL/f/O93EB5Pm4pxkAlcotnvLXgstwPLujcryGHLtw
+WEsB+e6NGoxFFrZ2OviRAoIBAQDnowpddKCiRl72jY6iso9vhoNv6QrojHWUDadn
+YPewiPGAwayogFddSeizSFBEWq4J0fm33Zoe7QNLyjYlU9EZ4eLGkKNke0YjS5/m
+Ty3/8PHAv1TSHLBNRInQMjRUK45x7PTRkTPz5LF5ddPb0gv4SRUb4L/fU/oqLcjn
+T9GO3U6oiTZLLSvAR0AiqQYYCVOXVYQVJyaRYMlQF/lP+eGpT2DJkUKWjRiNX/4H
+Exi9lU3YsvXnQJaFqhoyf6O5HYM+UemfJJA2N3KiCVE0M2Jx9MgoL+EgWopx3jay
+7ZnAQiuLONCqnimHENwlHxv+dZJ0Dq1wQqu1LHxFCGus7QP3AoIBAQDJASey4263
+Zx2RmP7ou/cxc7Oi4gKCZDYsbIbUIpXu8banNIfZX9aljCEQ0cK14wVBxB84d+/q
+kHAHij4Uz/a5qoW3AewrfNpE9Akz1bjggxlN4n/92gAs9P5vtKittZa9bjJZX/BD
+CkvQMjfGmhRIoe4VaksEpCsqR1L3Rcz9aIQ/CZdS/2WpaMr0Zjgs46PJ2TQm4rzu
+TQ3FaQnOemfpp4we0J/Oo6NhRkyYoPjYLg1ru4vk3vkOD7WFjwoNnRjK/fMbAUeZ
+/+erqzk9Zc+lRHZJxsNa+ksoLP1ESWhNukggbj1rvRfAIqHv0ygUCed+g34dhZ3z
+0qd7+QAQ69VDAoIBAGXc2O4IH6u87n3V+mepxlHxAVPxU464VexppLhdeA716d4J
+TXg8GC86FU7h+gpVJjvDTuGAXgpDiDOIFQ+NMGMFZsiTSochftJ+qy6Im132AxoU
+CaTsYMtZ3JDlwwVQsi9/WJngFMyoQTN8kVIVqJXi7Zl42GfJcjWiNLsj6q+8up56
+2Jlun9LKgnW7hqaDU3M1dAQpV1iPC3hhUo3NAWOHOLTrYDD8k1N4ZymNSE/2nGkz
+KdgsGwVkrGiQoNsDE3gQZYBKf/CXqZ2AI2mlPyGF1490nrevmTpB0iQVQIu/jY6H
+yZt+OhzfWTAp4hGgemr3GWZIq2Hc0jk5XsCI6jkCggEASqegLAPmuj2VMN+HRb+S
+Zw6XGJci4XUA3e0NArs5vr6N3XpYPncnDOOH4GxYCiAgcrW59sotFIzC3zoMJsS6
+2WipMziGk/xSQSv2QwdNHC309wV6DjmquQfhfHG3+JSqQP8tuh406WFomRIdvyi5
+AeUKvW92H2ouEgzdlrOZGEF6ZMNWLeBnzMz8HFve32VJDw4aHZs3GrcJt1l05/h0
+oca19zf7Ms96PgXTKxkWc4xfNbU5ly7th7hz7gAbdsTzUWmSomQOSPdP/2Wf49rt
+jW9pE6u8IQ03Xtue0X8GO2BFq63mKB7aNGVoid9+Ujr/fPCvpZ1b9hQ2Wog36xD8
+awKCAQBrdzL4qyCYAc7d17/MiD+QSAa3yv5qtbaWfX9dvnLLGZwQzTuZehzwlc5a
+FBELmqGSAFhFesETLMKJUn1xa771ToOhYOVny90CSMKoGOle+bBaF9DT9y0ef8Ng
+krLeq8Mby73BlCllRmGE4qWWIMTpqyTukSL/dUU2Rg5AFE5cl55M+ASB0AZJ/L3m
+yxayax1xtTTEArWHidBwu7+uzbvdDdBU9uK74Z0GdfXDqzCiVs2um/g0mMFiFcAb
+EpefH/iLVvoiOjf7x6JcR7X3T+SmKfm+2LY6SIPtMXpxGwJFsI96BSB1HqdCPuKC
+SQvP1onQOUBQmL9jamsFj6h/3TKn
+-----END PRIVATE KEY-----
diff --git a/examples/assets/second_example.com.crt b/examples/assets/second_example.com.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+DCCAuCgAwIBAgIJAI/8Ipq5D4qSMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
+BAMMEnNlY29uZC5leGFtcGxlLmNvbTAeFw0yNDEyMDkyMDA4MTFaFw0zNDEyMDcy
+MDA4MTFaMB0xGzAZBgNVBAMMEnNlY29uZC5leGFtcGxlLmNvbTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAND3iExTF4OQSwNIwj154FM9QO486/RJG4oJ
+5ptSykilzMpko0sH4ElSi7YRVaBmOnt73Hv7dRU6wUUkC/o1PeZG0DZEbCZSdH0F
+UE2GPLCboPM7z1VYFLaXFsMzOP5m58sRGv7DT6Fwc/lrH5dW1bDSEj/MqruX9ghr
+0ZwjmHpd9fq+mzI6Uj/mmJzNp2jfvxjUlcj0cFmi54RnZ4sNySZsjnEaq9P/vNZI
+BcUiixB/LQ+3dJeWL+QeRgNGprmvHXhPaVY+vCfqaGJHbSamb4lJOxjmJMdtyZj3
+9boG8BQ3ZO/NL8YbH9PSVcdgYPFEC+3FpGHMPwNjyiHWuiNFd5Sc7RQMCW5wmhxt
+THT8pPLG4eAMIR6hNYQ4kVkIJQReU731DvIV/ZL1vHtMkLDQ2wz8e5cghyXPE279
+t90aFmBvgxYUkEBdZbdbh4AfXppPqo+z07Gn+f4Xwm36vZHOxfYRqYDuyFAMzEvU
+shR7l2k94am9oowmpkW5J9yMb3sPYyhmqrUcXIZBP3zLHalUXlBMlFoVqh+OC6Yf
+E2BgBJmtwx+CHCwXgQ635pBOJBkdl4Auxm056fPkRMcCmNvnX+5QHgxzAUYaNvg3
+6tLkuEegQpzYYx/tp8serktspZxoUz1wC7DhP9sVnkTz5Bf6wiLTF1Heefv99Qoc
+sk4c87BVAgMBAAGjOzA5MDcGA1UdEQQwMC6CEnNlY29uZC5leGFtcGxlLmNvbYIS
+c2Vjb25kLmV4YW1wbGUuY29thwQKAAABMA0GCSqGSIb3DQEBCwUAA4ICAQBfdZYx
+PsAzS6RQeimf3JS/A6cxV6d9oLOUYRWiGZsQmQXWG8cO23In4proJGrMDTH1wOR8
+WqYxZdSyVT1oJjHdQ/bIYzm/Qf3oLHfikjs0ERNN1c2Xcl1QNxa7fR+R0PEBEnQ3
+cwM+562bSVeGKGAl/Ffb/ZRbBo7tyTavujt0/WmCRY0PUUxKZ6Ydq0TYjayw/iL5
+eWgtOpGgNxb1P8vLmnXO1Ihq8rK2nwXjAfaotNU3clzcwOlmf82ek8ssirqYhaw0
+lkrCbiIspCKU8q8A4i+WDosase/B9SSF6fRFXJ3j6+opByARFekpBiorvovO/zW7
+pZsJ/3AISQtLdbTlXi+2+m2EzgEgje5JMZX7mnBPnpBiBZuYBUYy0As0ZgMXn8OC
+vQ5b6wc5yckzjIxfGpvNR6t40xQuT2zI5oPd7mgWHX0zbWAxEFklKQLiXDy96nBP
+DcLfh30ZxRRVhreMxuwylEsmoZqzyTFANsJ3e8QnEJovEBF0gSAlUPXSQXqjFhgV
+4upYLDIus6ll2gJJZ+yaIm8GrX2V+m9q9OkxwrNjDyFMHP1BVYmPvBKgcJ45WR3R
+6blrUW6IJinkzMjcRfFwh+yPTbTeuL6KRUvRRQ1DA6R83HNLOGOKFZkWnTpD7JqP
+z7jPWvEet9dRSBu/WlegMkCTg4q4hfVVl7ygDw==
+-----END CERTIFICATE-----
diff --git a/examples/assets/second_example.com.key b/examples/assets/second_example.com.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDQ94hMUxeDkEsD
+SMI9eeBTPUDuPOv0SRuKCeabUspIpczKZKNLB+BJUou2EVWgZjp7e9x7+3UVOsFF
+JAv6NT3mRtA2RGwmUnR9BVBNhjywm6DzO89VWBS2lxbDMzj+ZufLERr+w0+hcHP5
+ax+XVtWw0hI/zKq7l/YIa9GcI5h6XfX6vpsyOlI/5piczado378Y1JXI9HBZoueE
+Z2eLDckmbI5xGqvT/7zWSAXFIosQfy0Pt3SXli/kHkYDRqa5rx14T2lWPrwn6mhi
+R20mpm+JSTsY5iTHbcmY9/W6BvAUN2TvzS/GGx/T0lXHYGDxRAvtxaRhzD8DY8oh
+1rojRXeUnO0UDAlucJocbUx0/KTyxuHgDCEeoTWEOJFZCCUEXlO99Q7yFf2S9bx7
+TJCw0NsM/HuXIIclzxNu/bfdGhZgb4MWFJBAXWW3W4eAH16aT6qPs9Oxp/n+F8Jt
++r2RzsX2EamA7shQDMxL1LIUe5dpPeGpvaKMJqZFuSfcjG97D2MoZqq1HFyGQT98
+yx2pVF5QTJRaFaofjgumHxNgYASZrcMfghwsF4EOt+aQTiQZHZeALsZtOenz5ETH
+Apjb51/uUB4McwFGGjb4N+rS5LhHoEKc2GMf7afLHq5LbKWcaFM9cAuw4T/bFZ5E
+8+QX+sIi0xdR3nn7/fUKHLJOHPOwVQIDAQABAoICAH8QJNaUJ9Yd5R7oHQQYmajD
+tDmo3ai6034KKykDHHE0L+RZcVlsPpsXEFDzFWflAWaYmCbjbfwsr9yE4KuRuEPP
+h0eYL1LWDHMAyiV5nGmfGC0OjzHLzzx/fp3PBbbbh9JYYlvLEx6NLFfbJWh2qpVM
+B0C4CJDtA/N27AvPMSYnAC0pvWC7ScwFQYMHIeaJNr+4dCOvTqmSfshpv/Izvb4Z
+gDuSBi1wcbiyLqACMyEi05mc6c5KynAhYF0ZlsONkZPYZarFls+Gn1YzLFG2HlgS
+KVcoifCh91WGYOpu0YjZbgzKbWQ+lgnM+c+z8P6Da+V2qk+1TBOZmA0fbiuIT/76
+bN3JTx8/syrsFODvcJlm4HXzksPZmEKGpEvMuU1b4e18CRNCP1jHr6P6qXdYUsrg
+zoAoZaFoqPgB4nDkWbe1DbECcji9M+XawdQQ3TIZJVsF5nQ1MZimUySJpM/S6HzX
+/sOCI+a2aLLhoOGGDNHDIRL8GNze6MvKwtfeKStC8/+MrrcfX8GhSvWcZgOwSpyu
+N8p055JebdFQG2HH58xfFn/uzrVzBI2VS9QSOdJY55l2cvef6PMSePCqjXiPqh2X
+Cv1oobF0/Z7yruKAwLyJztV45V6QPX6IfIepRifElQ6oL25vo5Gvfb3fRSjSAXeh
++ta5Y1AXMQdFl5WrVMiBAoIBAQDoKd1Yh2KiO3u6yw1d+CpwJQYJP5OpK+FQk5wa
+/wSUx5bLF0289AYDqgnTjDQnSWgZps5j9+tdaaAfBVdv0C78adBG5skUuarO+lHU
+m0JiXC+Bp4hZekGOxzqsmT8F4PVOCGPzbaDJLJ7iJTss7NVfEGJ6p8NyaVrneHzU
+bDkzmOhp/PcIqkciDyhckKLX65DXp83G6guNp0bS9NJAHKx/RE4ocNQdBMbA4cdO
+nAIFZnEdrHtt6dcAvcDug4QMCcEIQSFJPjxPh6GrNz4fOhUK3he/fSYdB1ioHe2q
+p1HUapXziBDBYVyQcLHsk+sIj0s/w9GNODrF4WAVynPtAFvRAoIBAQDma/khsCrh
+bwScDFNbL7nPlqyhmlQ/Bewl3NtORgrAhRCaTulO70uN+BtMS+w8wb1tvKLeATFi
+WIn/iM/buRGBCvjkrZHbjGJiLiM2Y/2t3Ydzs5surN+FbHOa9yB8ZPw9D13b/uD/
+Wi8v900t1kaGUFicrHsg0fBVc7Cn6ERWZGLnbRQvU7qZVSjkuxktorQyRwiSHPZZ
+EauQi1dop7JYF5oOX/Y0n5wYhIacfFSYFTBUlw9D1Ox+TzQ06NsK0bQ+UCNgWMHt
+bqxwEGA80aNjGJd/YgQBjWAdtkEr/fNYw2mJjfORCS4inEdBn9wCBpUaQTa4uReO
+OsIZuQaB9SFFAoIBAQCp0N2AAN9rrTjOo/GuF3TrPJmSsDdQ2bDgYGgh8wEl1mv9
+N5l8Kb4wdfLkEzyes/n6MWHsC47UcAtYRW70cYG8zaU0B2Fz0G8ZIE40xjAjhCyX
+mLSKRnundSD82McZhLfJkSeTClA+dm3tGrCTJtTXyUNPVmEG0ftVLnOYaWTZ0fHG
+fOsxImQPjKjINF94smzq4WoKIm26+m06pysXDCI8oPjOaeEtLK44ra08Wa68xnbc
+7qoF9rJ2b1Ws4PP4XjYc1I8FZQl2Xs4pT6oX60MzBMq4HVGAkDwQFHwghGy9hA0U
+6iTfXlj3qgbq9jNHupCfHpurwUJ0NWsz5TcwVz/RAoIBAQC+f6napjDta8Fd2frY
+Op7d9u4GNPdNm3He47cUAWhGPjy5tl/A+Kl4WBUJgQNwP6SCox/rdwUDD7wXXV6r
+g1frXczkEnOyFWAJV6eZAhXqtmmTyHuVnSq2vjDdf06GSV8YhCnPBeuycTbt6wEN
+0kdAKBD6hsbNHYQawajdSHOnERuLxWyYrBprRjKm1+A7EHb10jBNzFAG10sGF41O
+YsZZejnNhJyiaQq+YmJ/4XJ2wZ3RcYoXRGO5EXZR/+mIClN/6PU2ZGsABy3dAEzw
+O0lfVid6EujI977tEY7T9gJH8lbAeHFUCUjxKE7o/GcB7bs7l4rMMYo99moepg+x
+RZ4ZAoIBABhyys0StLGNXbCldq1c0yOYrgo4b7R8etViAnWVngdjdf0oYlzE5GeK
+x5KdHCLx933QWpx5ebsaLlgnrY+r8efth+dFSseSP0u0rpY3WH0UqVOCC/NvKTQC
+PQAmZKCf7v/NKKaoxqAHNFilZFr4WPy7EQLDfrNTd3IhLjYWHzTS5hHHnX+Ilvjd
+5cwsCN4QEUgwBvB0sOAD2UrXSVYu+zFXgvWd27IyI3+ibCXE+jRu8z5quev06+A8
+tbHPV6tIVqshz5FGhD3bKgDoyynDdWCklTKtovfdlMN/on7hsopJd3EmCo7+pnal
+nzMywIv3nYFETPqCte37rv3CXyuap50=
+-----END PRIVATE KEY-----
diff --git a/examples/tls_boring_dynamic_certs.rs b/examples/tls_boring_dynamic_certs.rs
@@ -0,0 +1,214 @@
+//! This example demonstrates how to dynamically choose certificates for incomming requests
+//!
+//! # Run the example
+//!
+//! ```sh
+//! cargo run --example tls_boring_dynamic_certs --features=boring,http-full
+//! ```
+//!
+//! Test if the correct certificates are returned by making curl resolve example and second.example to
+//! the localhost address on which we expose this service.
+//!
+//! Example certificate:
+//! ```sh
+//! curl -vik --resolve example:64801:127.0.0.1 https://example:64801
+//! ```
+//! Output
+//! ```
+//! * Server certificate:
+//! *  subject: CN=example.com
+//! *  start date: Dec  9 20:05:17 2024 GMT
+//! *  expire date: Dec  7 20:05:17 2034 GMT
+//! *  issuer: CN=example.com
+//! *  SSL certificate verify result: self signed certificate (18), continuing anyway.
+//! ```
+//!
+//! Second example certificate:
+//! ```sh
+//! curl -vik --resolve second.example:64801:127.0.0.1 https://second.example:64801
+//! ```
+//! Output
+//! ```
+//! * Server certificate:
+//! *  subject: CN=second.example.com
+//! *  start date: Dec  9 20:08:11 2024 GMT
+//! *  expire date: Dec  7 20:08:11 2034 GMT
+//! *  issuer: CN=second.example.com
+//! *  SSL certificate verify result: self signed certificate (18), continuing anyway.
+//! ```
+//!
+//! Fallback to to default (example certificate) if no matches are found:
+//! ```sh
+//! curl -vik https://127.0.0.1:64801
+//! ```
+//! Output
+//! ```
+//! * Server certificate:
+//! *  subject: CN=example.com
+//! *  start date: Dec  9 20:05:17 2024 GMT
+//! *  expire date: Dec  7 20:05:17 2034 GMT
+//! *  issuer: CN=example.com
+//! *  SSL certificate verify result: self signed certificate (18), continuing anyway.
+//! ```
+
+// these dependencies are re-exported by rama for your convenience,
+// as to make it easy to use them and ensure that the versions remain compatible
+// (given most do not have a stable release yet)
+
+// rama provides everything out of the box to build a TLS termination proxy
+use rama::{
+    error::OpaqueError,
+    graceful::Shutdown,
+    http::server::HttpServer,
+    http::{Request, Response},
+    layer::ConsumeErrLayer,
+    net::{
+        address::{Domain, Host},
+        tls::server::{ServerAuth, ServerConfig},
+        tls::{
+            client::ClientHello,
+            server::{DynamicCertIssuer, ServerAuthData, ServerCertIssuerData},
+            DataEncoding,
+        },
+    },
+    rt::Executor,
+    service::service_fn,
+    tcp::server::TcpListener,
+    tls::boring::server::{TlsAcceptorData, TlsAcceptorLayer},
+    Context, Layer,
+};
+use rama_http::IntoResponse;
+use rama_net::tls::server::CacheKind;
+
+// everything else is provided by the standard library, community crates or tokio
+use std::{convert::Infallible, time::Duration};
+use tracing::metadata::LevelFilter;
+use tracing_subscriber::{fmt, prelude::*, EnvFilter};
+
+#[tokio::main]
+async fn main() {
+    tracing_subscriber::registry()
+        .with(fmt::layer())
+        .with(
+            EnvFilter::builder()
+                .with_default_directive(LevelFilter::DEBUG.into())
+                .from_env_lossy(),
+        )
+        .init();
+
+    let issuer = DynamicIssuer::new();
+
+    let tls_server_config = ServerConfig::new(ServerAuth::CertIssuer(ServerCertIssuerData {
+        kind: issuer.into(),
+        cache_kind: CacheKind::Disabled,
+        ..Default::default()
+    }));
+
+    let acceptor_data = TlsAcceptorData::try_from(tls_server_config).expect("create acceptor data");
+
+    let shutdown = Shutdown::default();
+
+    // create http server
+    shutdown.spawn_task_fn(|guard| async {
+        let exec = Executor::graceful(guard.clone());
+        let http_service = HttpServer::auto(exec).service(service_fn(http_service));
+
+        let tcp_service = (
+            ConsumeErrLayer::default(),
+            TlsAcceptorLayer::new(acceptor_data),
+        )
+            .layer(http_service);
+
+        TcpListener::bind("127.0.0.1:64801")
+            .await
+            .expect("bind TCP Listener: http")
+            .serve_graceful(guard, tcp_service)
+            .await;
+    });
+
+    shutdown
+        .shutdown_with_limit(Duration::from_secs(3))
+        .await
+        .expect("graceful shutdown");
+}
+
+struct DynamicIssuer {
+    example_data: ServerAuthData,
+    second_example_data: ServerAuthData,
+    default_data: ServerAuthData,
+}
+
+impl DynamicIssuer {
+    fn new() -> Self {
+        Self {
+            example_data: example_self_signed_auth().expect("load example data"),
+            second_example_data: second_example_self_signed_auth()
+                .expect("load second example data"),
+            default_data: example_self_signed_auth().expect("load default data"),
+        }
+    }
+}
+
+impl DynamicCertIssuer for DynamicIssuer {
+    async fn issue_cert(
+        &self,
+        client_hello: ClientHello,
+        _server_name: Option<Host>,
+    ) -> Result<ServerAuthData, OpaqueError> {
+        match client_hello.ext_server_name() {
+            Some(host) => match host {
+                rama_net::address::Host::Name(domain) => {
+                    if domain == &Domain::from_static("example") {
+                        return Ok(self.example_data.clone());
+                    } else if domain == &Domain::from_static("second.example") {
+                        return Ok(self.second_example_data.clone());
+                    }
+                    Ok(self.example_data.clone())
+                }
+                rama_net::address::Host::Address(_ip_addr) => Ok(self.default_data.clone()),
+            },
+            None => Ok(self.example_data.clone()),
+        }
+    }
+}
+
+pub fn example_self_signed_auth() -> Result<ServerAuthData, OpaqueError> {
+    Ok(ServerAuthData {
+        private_key: DataEncoding::Pem(
+            std::str::from_utf8(include_bytes!("./assets/example.com.key"))
+                .expect("should decode")
+                .try_into()
+                .expect("should work"),
+        ),
+        cert_chain: DataEncoding::Pem(
+            std::str::from_utf8(include_bytes!("./assets/example.com.crt"))
+                .expect("should decode")
+                .try_into()
+                .expect("should work"),
+        ),
+        ocsp: None,
+    })
+}
+
+pub fn second_example_self_signed_auth() -> Result<ServerAuthData, OpaqueError> {
+    Ok(ServerAuthData {
+        private_key: DataEncoding::Pem(
+            include_str!("./assets/second_example.com.key")
+                .try_into()
+                .expect("should work"),
+        ),
+        cert_chain: DataEncoding::Pem(
+            include_str!("./assets/second_example.com.crt")
+                .try_into()
+                .expect("should work"),
+        ),
+        ocsp: None,
+    })
+}
+
+async fn http_service<S>(_ctx: Context<S>, _request: Request) -> Result<Response, Infallible> {
+    Ok(
+        "hello client, you were served by boring tls terminator proxy issuing a dynamic certificate"
+            .into_response(),
+    )
+}