← Week 1: Cryptographic Foundations

Day 7: Challenge Day — TLS Connection Inspector

Phase 1 · May 20, 2026 · Week 1 Review

Agenda (2–3 hours)

  • Review (30 min): Re-read your notes from Days 1–6
  • Build (90–120 min): Rust CLI tool (the challenge)
  • Verify (30 min): Test against multiple hosts, fix issues

No new reading today. Consolidate what you know by building something.

Week 1 Key Concepts Review

Before you code, answer these from memory:

  1. What are the three security properties TLS provides?
  2. What is forward secrecy and which TLS 1.3 mechanism provides it?
  3. Why does TLS 1.3 always put 0x0303 in the record header version field?
  4. What is HKDF-Extract vs HKDF-Expand and when is each used?
  5. What is the difference between key exchange and key agreement?
  6. Name the three cipher suites in TLS 1.3 and their AEAD primitives.

If you can't answer any of these without looking, review that day before coding.

Challenge Assignment

Build a Rust CLI binary: tls-info <hostname> [port]

tls-info google.com
tls-info api.amazon.com 443

Required output:

  • Negotiated TLS version
  • Cipher suite
  • Certificate chain: for each cert print subject, issuer, SANs, validity dates
  • Whether the handshake succeeded

Crates to use:

tokio = { version = "1", features = ["full"] }
rustls = "0.23"
tokio-rustls = "0.26"
webpki-roots = "0.26"
x509-parser = "0.16"
rustls-pki-types = "1"

Starter Structure

#[tokio::main]
async fn main() {
    let host = std::env::args().nth(1).expect("usage: tls-info <host>");
    let port: u16 = std::env::args().nth(2)
        .unwrap_or("443".into()).parse().unwrap();

    // 1. Build rustls ClientConfig with webpki-roots
    // 2. Connect with tokio-rustls TlsConnector
    // 3. Extract peer_certificates() from the TlsStream
    // 4. Parse each cert with x509_parser::parse_x509_certificate()
    // 5. Print fields
}

This is intentionally skeletal — figure out the API from the docs.

Stretch Goals (if time allows)

  • Print the negotiated ALPN protocol
  • Show the certificate chain depth and flag if any cert is expired
  • Add --json output flag
  • Handle connection errors gracefully (wrong host, timeout, cert error)
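
For the last stretch goal, here is an added example (not part of the original course material) of the non-TLS half of graceful error handling: validating `<hostname> [port]` and making a bounded TCP connect without any `unwrap()`. It uses only `std` so it runs without the crates above; `ProbeError`, `parse_target`, `classify` and `connect` are names assumed for this example, and certificate errors would surface later, from the TLS handshake itself.

```rust
use std::io::{self, ErrorKind};
use std::net::{TcpStream, ToSocketAddrs};
use std::time::Duration;

/// Failure classes the CLI reports instead of panicking (names are this example's own).
#[derive(Debug, PartialEq)]
pub enum ProbeError { Usage(String), Resolve(String), Timeout, Refused, Io(ErrorKind) }

/// Parse the arguments after the program name: `<hostname> [port]`, port defaulting to 443.
pub fn parse_target(args: &[String]) -> Result<(String, u16), ProbeError> {
    let host = args.first().filter(|h| !h.is_empty()).cloned()
        .ok_or_else(|| ProbeError::Usage("usage: tls-info <hostname> [port]".into()))?;
    let port = match args.get(1).map(|p| p.parse::<u16>()) {
        None => 443,
        Some(Ok(n)) if n != 0 => n,
        // Non-numeric, out of u16 range, or 0: report it rather than unwrap().
        Some(_) => return Err(ProbeError::Usage(format!("invalid port: {}", args[1]))),
    };
    Ok((host, port))
}

/// Map a TCP-level io::Error onto a class the user can act on.
pub fn classify(e: &io::Error) -> ProbeError {
    match e.kind() {
        ErrorKind::TimedOut => ProbeError::Timeout,
        ErrorKind::ConnectionRefused => ProbeError::Refused,
        k => ProbeError::Io(k),
    }
}

/// Resolve the name, then try each address with a bounded connect; keep the last failure.
pub fn connect(host: &str, port: u16, timeout: Duration) -> Result<TcpStream, ProbeError> {
    let addrs = (host, port).to_socket_addrs().map_err(|e| ProbeError::Resolve(e.to_string()))?;
    let mut last = ProbeError::Resolve(format!("no addresses for {host}"));
    for addr in addrs {
        match TcpStream::connect_timeout(&addr, timeout) {
            Ok(s) => return Ok(s),
            Err(e) => last = classify(&e),
        }
    }
    Err(last)
}

fn main() {
    let args: Vec<String> = std::env::args().skip(1).collect();
    match parse_target(&args).and_then(|(h, p)| connect(&h, p, Duration::from_secs(5))) {
        Ok(s) => println!("TCP connected to {:?}; the TLS handshake would start here", s.peer_addr()),
        Err(e) => { eprintln!("tls-info: {e:?}"); std::process::exit(1) }
    }
}
```

In the tokio version of the tool, wrapping the async connect in `tokio::time::timeout` plays the role of `connect_timeout` here.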

Resources