-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client certificates seem to be ignored when using rustls #903
Comments
Hi I have been having similar issue when using https://docs.rs/reqwest/0.10.4/reqwest/struct.ClientBuilder.html#method.use_rustls_tls Hope this may help |
Do you know if it is possible to specify the whole accepted list of CAs, instead of just adding a new one, and if it is possible to specify the expected |
Thanks. I spent hours trying to get my client-cert working and just did not see this option. I thought that rustls is automatically active when activating the feature (since event the API changes, eg from_der -> from_pem) |
I encountered a similar situation. I had an end-to-end unit test that created a server and a client and verified that client certificate auth works. The client was constructed like this: let client = ClientBuilder::new()
.resolve("test_server", server_addr)
.identity(client_identity())
.add_root_certificate(root_cert)
.build()
.unwrap(); My unit test was passing until I merged this crate into a workspace with some other crates, and then it started to fail. What I found is that if This is quite surprising, that enabling additional features can cause working code to fail. I think what's happening is that I created an Adding Assuming I understand the problem correctly, it would be helpful if this caused an error instead of silently doing the wrong thing. If there's an incompatibility between the |
Thanks for investigating! If that's indeed what the code is doing, I agree it should be fixed! Would you like to take a shot at that? |
Is the best fix to just add a failure to I'm not sure if there are other options, but I might wish for one of these instead:
Even if a better solution exists down the road, perhaps it's still a good first step to add the short-term fix (fail |
Yea, returning a builder error seems better than silently not working. If the |
Just chiming in to say this bubbled up as an issue on the Rustls repo (rustls/rustls#1297). The produced behaviour is confusing from a user perspective and takes some time to diagnose from first principles. Here are some more detailed reproduction steps for reqwest 0.11.18 that show both the client and server behaviour in case it's helpful: Client reqwest programuse std::time::Duration;
#[tokio::main]
async fn main() -> Result<(), reqwest::Error> {
let buf = include_bytes!("../minica.pem").as_slice();
let cacert = reqwest::Certificate::from_pem(&buf)?;
let client_ident_pem = include_bytes!("../combined.pem").as_slice();
let id = reqwest::Identity::from_pem(&client_ident_pem)?;
let client = reqwest::ClientBuilder::new()
.timeout(Duration::from_secs(30))
.add_root_certificate(cacert)
.identity(id)
.build()?;
client.get("https://localhost:4433/").send().await?;
Ok(())
} Server setup using Rustls tlsserver-mio example program:SSLKEYLOGFILE=/tmp/tlsmioserver.key.txt cargo run --bin tlsserver-mio -- --certs ../hypertest/cert.pem --key ../hypertest/key.pem --require-auth --auth ../hypertest/minica.pem --verbose --port 4433 http Tshark packet capture showing empty client `Certificate` handshake message:sudo tshark -i any -n -V -o 'tls.keylog_file:/tmp/tlsmioserver.key.txt' 'port 4433'
<snipped>
Transport Layer Security
TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.3 Record Layer: Handshake Protocol: Certificate
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 25
[Content Type: Handshake (22)]
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4
Certificate Request Context Length: 0
Certificates Length: 0
TLSv1.3 Record Layer: Handshake Protocol: Finished
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 69
[Content Type: Handshake (22)]
Handshake Protocol: Finished
Handshake Type: Finished (20)
Length: 48
Verify Data Notably the problematic configuration does send a
As described above adding I've also applied #1852 and confirmed it produces a helpful error message instead of sending an empty client |
I think the root of the problem is that The problem only arises when multiple backends are enabled, so we could create some logic that extracts the key + certificate from the backend-A Another idea would be to delay parsing the key and certificate until the In another universe, Another way to look at the problem: the naming of the current |
The above code errors with a 401 when it gets to the
.error_for_status()?
.Below is
combined.pem
in this example (just a test cert, don't worry):Note that the certificates themselves are correct, as I used them to generate the identity.p12 file in this working native-tls example:
The text was updated successfully, but these errors were encountered: