Tracking upstream improvements

[daxpedda]

• PSK support: Status of PSK Support? rustls/rustls#174
• Drop X.509: Support RawPublicKey (non-X509) certificates, e.g. for P2P rustls/rustls#423
• Support IP as domain
  • WebPKI
    • webpki/cert: extend verify_is_valid_for to iPAddress SAN briansmith/webpki#54
    • Validation of IP address name constraints should be stricter briansmith/webpki#130
    • Non-standard certificates that identify a DNS name (or IP address) using the CN field of the subject are rejected; provide some way to opt into supporting them. briansmith/webpki#90
    • Support verifying IP Address SANs rustls/webpki#4
  • Rustls
    • Can't connect to a server presenting a certificate with an IP address in its common name rustls/rustls#184
    • rustls requires hostname for server rustls/rustls#206
    • Using rustls for machine-to-machine w/ private CA and no DNS rustls/rustls#331
    • Allow disabling Hostname Verification rustls/rustls#578
  • Quinn: Support connecting to IP addresses quinn-rs/quinn#564
• Server Migration: Server IP Address Migration  quinn-rs/quinn#716
• Async Executor Agnosticism: async_std support quinn-rs/quinn#502
• Certificate Rotation: Certificate rotation for long running clients quinn-rs/quinn#474
• Async Resolver
  • Asynchronous/tokio ResolvesServerCert? rustls/rustls#89
  • How to use ServerSession get_sni_hostname to switch the ServerConfig to generate new ServerSession and ask client to reinitiate handshake? rustls/rustls#430
  • Asynchronous calls to user-provided code rustls/rustls#850
• OCSP Support
  • Rustls: Add OCSP stapling support rustls/rustls#31
  • WebPKI
    • Add OCSP support sufficient for client-side OCSP stapling for end-entity certificates briansmith/webpki#26
    • Add OCSP support sufficient for server-side OCSP stapling for end-entity certs briansmith/webpki#27
    • Add Must-Staple support. briansmith/webpki#28
• ECH support
  • Support Encrypted ClientHellos (ECH, formerly ESNI) rustls/rustls#199
  • ECHConfig implementation rustls/rustls#508
• CT log support
  • CT enforcement seems incorrect rustls/rustls#479
  • Support verifying/accessing SCTs inside certificates rustls/webpki#105

[daxpedda]

I did some research on OCSP, this is actually quiet important.
Especially when we go production in CV, we have to be able to protect ourselves against a compromise of our private key.

The only alternative I know, CRLs, isn't available in the Rust community and as far as I know there are no plans to add support.