Support request specific TLS configuration

Package.swift

@@ -22,7 +22,8 @@ let package = Package(
     ],
     dependencies: [
         .package(url: "https://github.com/apple/swift-nio.git", from: "2.27.0"),
-        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.12.0"),
+        .package(url: "https://github.com/apple/swift-nio-ssl.git", .branch("main")),
+//        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.12.0"),
         .package(url: "https://github.com/apple/swift-nio-extras.git", from: "1.3.0"),
         .package(url: "https://github.com/apple/swift-nio-transport-services.git", from: "1.5.1"),
         .package(url: "https://github.com/apple/swift-log.git", from: "1.4.0"),

Sources/AsyncHTTPClient/BestEffortHashableTLSConfiguration.swift

@@ -0,0 +1,18 @@
+import NIOSSL
+
+/// Wrapper around `TLSConfiguration` from NIOSSL to provide a best effort implementation of `Hashable`
+struct BestEffortHashableTLSConfiguration: Hashable {
+    let base: TLSConfiguration
+
+    init(wrapping base: TLSConfiguration) {
+        self.base = base
+    }
+
+    func hash(into hasher: inout Hasher) {
+        base.bestEffortHash(into: &hasher)
+    }
+
+    static func == (lhs: BestEffortHashableTLSConfiguration, rhs: BestEffortHashableTLSConfiguration) -> Bool {
+        lhs.base.bestEffortEquals(rhs.base)
+    }
+}

Sources/AsyncHTTPClient/ConnectionPool.swift

@@ -139,12 +139,16 @@ final class ConnectionPool {
             self.port = request.port
             self.host = request.host
             self.unixPath = request.socketPath
+            if let tls = request.tlsConfiguration {
+                self.tlsConfiguration = BestEffortHashableTLSConfiguration(wrapping: tls)
+            }
         }
 
         var scheme: Scheme
         var host: String
         var port: Int
         var unixPath: String
+        var tlsConfiguration: BestEffortHashableTLSConfiguration?
 
         enum Scheme: Hashable {
             case http

Sources/AsyncHTTPClient/HTTPHandler.swift

@@ -186,6 +186,8 @@ extension HTTPClient {
         public var headers: HTTPHeaders
         /// Request body, defaults to no body.
         public var body: Body?
+        /// Request-specific TLS configuration, defaults to no request-specific TLS configuration.
+        public var tlsConfiguration: TLSConfiguration?
 
         struct RedirectState {
             var count: Int
@@ -203,17 +205,18 @@ extension HTTPClient {
         ///     - method: HTTP method.
         ///     - headers: Custom HTTP headers.
         ///     - body: Request body.
+        ///     - tlsConfiguration: Request TLS configuration
         /// - throws:
         ///     - `invalidURL` if URL cannot be parsed.
         ///     - `emptyScheme` if URL does not contain HTTP scheme.
         ///     - `unsupportedScheme` if URL does contains unsupported HTTP scheme.
         ///     - `emptyHost` if URL does not contains a host.
-        public init(url: String, method: HTTPMethod = .GET, headers: HTTPHeaders = HTTPHeaders(), body: Body? = nil) throws {
+        public init(url: String, method: HTTPMethod = .GET, headers: HTTPHeaders = HTTPHeaders(), body: Body? = nil, tlsConfiguration: TLSConfiguration? = nil) throws {
             guard let url = URL(string: url) else {
                 throw HTTPClientError.invalidURL
             }
 
-            try self.init(url: url, method: method, headers: headers, body: body)
+            try self.init(url: url, method: method, headers: headers, body: body, tlsConfiguration: tlsConfiguration)
         }
 
         /// Create an HTTP `Request`.
@@ -223,12 +226,13 @@ extension HTTPClient {
         ///     - method: HTTP method.
         ///     - headers: Custom HTTP headers.
         ///     - body: Request body.
+        ///     - tlsConfiguration: Request TLS configuration
         /// - throws:
         ///     - `emptyScheme` if URL does not contain HTTP scheme.
         ///     - `unsupportedScheme` if URL does contains unsupported HTTP scheme.
         ///     - `emptyHost` if URL does not contains a host.
         ///     - `missingSocketPath` if URL does not contains a socketPath as an encoded host.
-        public init(url: URL, method: HTTPMethod = .GET, headers: HTTPHeaders = HTTPHeaders(), body: Body? = nil) throws {
+        public init(url: URL, method: HTTPMethod = .GET, headers: HTTPHeaders = HTTPHeaders(), body: Body? = nil, tlsConfiguration: TLSConfiguration? = nil) throws {
             guard let scheme = url.scheme?.lowercased() else {
                 throw HTTPClientError.emptyScheme
             }
@@ -244,6 +248,7 @@ extension HTTPClient {
             self.scheme = scheme
             self.headers = headers
             self.body = body
+            self.tlsConfiguration = tlsConfiguration
         }
 
         /// Whether request will be executed using secure socket.

Sources/AsyncHTTPClient/Utils.swift

@@ -150,17 +150,22 @@ extension NIOClientTCPBootstrap {
         let key = destination
 
         let requiresTLS = key.scheme.requiresTLS
+        // Override optional connection pool configuration.
+        var keyConfiguration = configuration
+        if let tlsConfiguration = key.tlsConfiguration {
+            keyConfiguration.tlsConfiguration = tlsConfiguration.base
+        }
         let bootstrap: NIOClientTCPBootstrap
         do {
-            bootstrap = try NIOClientTCPBootstrap.makeHTTPClientBootstrapBase(on: channelEventLoop, host: key.host, port: key.port, requiresTLS: requiresTLS, configuration: configuration)
+            bootstrap = try NIOClientTCPBootstrap.makeHTTPClientBootstrapBase(on: channelEventLoop, host: key.host, port: key.port, requiresTLS: requiresTLS, configuration: keyConfiguration)
         } catch {
             return channelEventLoop.makeFailedFuture(error)
         }
 
         let channel: EventLoopFuture<Channel>
         switch key.scheme {
         case .http, .https:
-            let address = HTTPClient.resolveAddress(host: key.host, port: key.port, proxy: configuration.proxy)
+            let address = HTTPClient.resolveAddress(host: key.host, port: key.port, proxy: keyConfiguration.proxy)
             channel = bootstrap.connect(host: address.host, port: address.port)
         case .unix, .http_unix, .https_unix:
             channel = bootstrap.connect(unixDomainSocketPath: key.unixPath)
@@ -173,7 +178,7 @@ extension NIOClientTCPBootstrap {
 
             if requiresLateSSLHandler {
                 let handshakePromise = channel.eventLoop.makePromise(of: Void.self)
-                channel.pipeline.syncAddLateSSLHandlerIfNeeded(for: key, tlsConfiguration: configuration.tlsConfiguration, handshakePromise: handshakePromise)
+                channel.pipeline.syncAddLateSSLHandlerIfNeeded(for: key, tlsConfiguration: keyConfiguration.tlsConfiguration, handshakePromise: handshakePromise)
                 handshakeFuture = handshakePromise.futureResult
             } else if requiresTLS {
                 do {

Tests/AsyncHTTPClientTests/HTTPClientTests+XCTest.swift

@@ -133,6 +133,7 @@ extension HTTPClientTests {
             ("testFileDownloadChunked", testFileDownloadChunked),
             ("testCloseWhileBackpressureIsExertedIsFine", testCloseWhileBackpressureIsExertedIsFine),
             ("testErrorAfterCloseWhileBackpressureExerted", testErrorAfterCloseWhileBackpressureExerted),
+            ("testRequestSpecificTLS", testRequestSpecificTLS),
         ]
     }
 }

Tests/AsyncHTTPClientTests/HTTPClientTests.swift

@@ -2916,4 +2916,22 @@ class HTTPClientTests: XCTestCase {
             XCTAssertEqual(error as? ExpectedError, .expected)
         }
     }
+
+    func testRequestSpecificTLS() throws {
+        let configuration = HTTPClient.Configuration(tlsConfiguration: nil,
+                                                     timeout: .init(),
+                                                     ignoreUncleanSSLShutdown: false,
+                                                     decompression: .disabled)
+        let localHTTPBin = HTTPBin(ssl: true)
+        let localClient = HTTPClient(eventLoopGroupProvider: .shared(self.clientGroup),
+                                     configuration: configuration)
+        defer {
+            XCTAssertNoThrow(try localClient.syncShutdown())
+            XCTAssertNoThrow(try localHTTPBin.shutdown())
+        }
+
+        let request = try HTTPClient.Request(url: "https://localhost:\(localHTTPBin.port)/get", method: .GET, tlsConfiguration: .forClient(certificateVerification: .none))
+        let response = try localClient.execute(request: request).wait()
+        XCTAssertEqual(.ok, response.status)
+    }
 }