(OpenSSL) Server rejects client: "tlsv1 alert unknown ca" about rust-native-tls HOT 8 CLOSED

Does it work on OpenSSL without that configuration? Do you want to require client certificates?

from rust-native-tls.

No, it doesn't work with or without that configuration. That was an example of some of the steps I've taken to try and workaround the issue. The error that I mentioned is coming from the server acceptor in the test (standard blocking version). From my understanding it is saying that it is a client validation error, which is why I started looking at different options for disabling validation on the server side.

Eventually I do want client-auth, but not right now.

The out-of-the-box setup works for macOS, just not linux. I am using a self-signed cert, the logic for that is a few lines up:

https://github.com/bluejekyll/trust-dns/blob/dns_over_tls/client/src/tls/tls_stream.rs#L251

from rust-native-tls.

It looks like OpenSSL will verify client certificates sent to it even if they haven't been requested. Either not sending the client cert or configuring the server's trust root to include the client cert's CA should fix things.

from rust-native-tls.

You can also disable certificate verification on the server side with set_verify(SSL_VERIFY_NONE).

from rust-native-tls.

Yeah. I tried that and am not sending a client cert. I'll make an isolated test case.

from rust-native-tls.

Ok, thanks for the help earlier. I think I figured out what was going on, but haven't had a chance to fix it yet. The mac version of the TlsConnectorBuilderExt allows for certificate pinning, where-as I was trying to add the CA's dynamically. This led me to passing the wrong type of cert to the openssl version. #21 has a new test for the Connector. It's not ready, but I wanted to show you what I'm talking about. #21 is correct on Linux, but wrong on macOS, this was the inverse of the problem I was having on Linux and is an indication that I was using my certs wrong.

from rust-native-tls.

Circling back around on this. I just pushed a solution to this issue in rust-openssl which will allow certs to be associated in the same way as I wanted to use them here.

sfackler/rust-openssl#582

This can be closed with the solution being to use SslContextBuilder::set_verify_cert_store(), which matches the functionality of TlsConnectorBuilderExt::anchor_certificates() on macOS.

from rust-native-tls.

Sweet, closing in favor of that!

from rust-native-tls.