Comments (8)
Does it work on OpenSSL without that configuration? Do you want to require client certificates?
from rust-native-tls.
No, it doesn't work with or without that configuration. That was an example of some of the steps I've taken to try and work around the issue. The error that I mentioned is coming from the server acceptor in the test (standard blocking version). From my understanding it is saying that it is a client validation error, which is why I started looking at different options for disabling validation on the server side.
Eventually I do want client-auth, but not right now.
The out-of-the-box setup works for macOS, just not Linux. I am using a self-signed cert; the logic for that is a few lines up:
https://github.com/bluejekyll/trust-dns/blob/dns_over_tls/client/src/tls/tls_stream.rs#L251
It looks like OpenSSL will verify client certificates sent to it even if they haven't been requested. Either not sending the client cert or configuring the server's trust root to include the client cert's CA should fix things.
You can also disable certificate verification on the server side with set_verify(SSL_VERIFY_NONE).
Yeah. I tried that and am not sending a client cert. I'll make an isolated test case.
Ok, thanks for the help earlier. I think I figured out what was going on, but haven't had a chance to fix it yet. The mac version of the TlsConnectorBuilderExt allows for certificate pinning, whereas I was trying to add the CAs dynamically. This led me to passing the wrong type of cert to the openssl version. #21 has a new test for the Connector. It's not ready, but I wanted to show you what I'm talking about. #21 is correct on Linux, but wrong on macOS; this was the inverse of the problem I was having on Linux and is an indication that I was using my certs wrong.
Circling back around on this. I just pushed a solution to this issue in rust-openssl which will allow certs to be associated in the same way as I wanted to use them here.
This can be closed with the solution being to use SslContextBuilder::set_verify_cert_store(), which matches the functionality of TlsConnectorBuilderExt::anchor_certificates() on macOS.
Sweet, closing in favor of that!