
rust-native-tls is not able to receive peer certificate #262

Open
jarlah opened this issue May 5, 2023 · 10 comments

Comments

jarlah commented May 5, 2023

I have made a fully reproducible bug in this repository:

https://github.com/jarlah/tls-peer-certificate-test

The gist of it is that both in hyper and in direct usage of rust-native-tls, I'm not able to receive the peer certificate.

I want to know if it's a bug in this package, or if it's a complete misunderstanding of the API method peer_certificate()?

🙏

sfackler (Owner) commented May 5, 2023

The TlsAcceptor would need to be configured to request a client certificate, which is not currently exposed.

jarlah (Author) commented May 5, 2023

The TlsAcceptor would need to be configured to request a client certificate, which is not currently exposed.

Does that mean I have to code up something for the TlsAcceptor, or does it mean that TlsAcceptor needs to be modified to include such behaviour?

sfackler (Owner) commented May 5, 2023

TlsAcceptor needs to be modified to include such behavior.

jarlah (Author) commented May 5, 2023

I can help to code it up if you give me some pointers. Is it hard? I see this is not solved properly for any TLS library, so I assume it's hard. Or, it's not hard but no one wants to use it. It's only in the few cases where you need to validate and authorise/authenticate the connecting client based off its client certificate, which is basically not that often, right? But it would open up so many possible server solutions in Rust if we solve it here :)

jarlah (Author) commented May 5, 2023

Some observations. The test peer_certificate in test.rs doesn't really test the peer certificate. It's just calling it and checking that it returns None, i.e. that it doesn't crash. Coverage, yeah, but it doesn't really show that it works when we would expect a peer certificate to be present in the stream.

I see this project uses test-cert-gen, which doesn't generate a cert and key for the client, because "it's generally enough for unit and integration tests" to not include it. To be able to test that peer_certificate() returns Some(), we would need to update this test-cert-gen crate to generate a private key and cert for the client as well.

I see however in the test that it does assert for the client side that peer_certificate() returns the server certificate. So it does at least work at some level. But not for the client certificate on the server end.

sfackler (Owner) commented May 5, 2023

Test peer_certificate in test.rs doesn't really test peer certificate.

That test both checks the case when the peer does not send a certificate and the case when the peer does send a certificate.

I have no reason to believe that peer_certificate would not work on the server side if the server actually requested that the client send a certificate.

If you wanted to implement this you'd need to make implementations for all of the underlying TLS implementations, OpenSSL, Security.framework, and schannel. It looks like the schannel library currently doesn't expose that configuration either so you'd need to start by adding it there.

jarlah (Author) commented May 6, 2023

We disagree only on small nitpick details ;)

When you say that the Windows schannel implementation doesn't expose the configuration, can you point me to the configuration in the OpenSSL or Security.framework impl for the same thing? Because you implied that these expose "the configuration"? I'll admit that I'm not a TLS or even native-tls expert. But I might be able to read documentation for the Windows API, install a VM and test stuff. I suppose it would be possible to make this work in general without the schannel impl completely implemented? Let's say we didn't have the schannel impl, would we be able to make this work now?

sfackler (Owner) commented May 6, 2023

https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify
https://docs.rs/security-framework/latest/security_framework/secure_transport/struct.SslContext.html#method.set_client_side_authenticate

Let's say we didn't have the schannel impl, would we be able to make this work now?

No
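To make the point in the two links concrete, here is an added example that is not from this issue or from native-tls: Go's standard crypto/tls exposes the same server-side setting as Config.ClientAuth, so the whole exchange can run in-process. The function and certificate names (serverPeerCerts, "server.test", "client.test") are constructed for the demo; the server only ends up with a peer certificate when its acceptor-side config asks for one, which is exactly what TlsAcceptor cannot currently be told to do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo-only helper

// selfSigned mints a throwaway self-signed ECDSA certificate for name
// (constructed test data, regenerated on every run); Leaf is filled in.
func selfSigned(name string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

func poolOf(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p } // one trust anchor

// serverPeerCerts runs one in-process handshake under the given server-side
// ClientAuth policy and returns the client certificates the server received.
func serverPeerCerts(policy tls.ClientAuthType) ([]*x509.Certificate, error) {
	srvCert, cliCert := selfSigned("server.test"), selfSigned("client.test")
	// ClientAuth is the acceptor-side setting this issue is about: with NoClientCert the server never asks.
	srv := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: policy, ClientCAs: poolOf(cliCert.Leaf),
		SessionTicketsDisabled: true} // net.Pipe is synchronous; a post-handshake ticket write would block
	cli := &tls.Config{Certificates: []tls.Certificate{cliCert}, RootCAs: poolOf(srvCert.Leaf), ServerName: "server.test"}
	a, b := net.Pipe()
	server, client := tls.Server(a, srv), tls.Client(b, cli)
	done := make(chan error, 1)
	go func() { done <- client.Handshake() }()
	err := server.Handshake()
	if cerr := <-done; err == nil {
		err = cerr
	}
	return server.ConnectionState().PeerCertificates, err
}
```

With tls.NoClientCert the server sees no certificate even though the client holds one; with tls.RequireAndVerifyClientCert it receives and verifies the client's leaf against ClientCAs.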

jarlah (Author) commented May 7, 2023

Currently looking into it. It's a mess 😂 I understand why this is not yet implemented. 😶

jarlah (Author) commented Jun 22, 2023

Looked at it. Asked ChatGPT. Gave up. For now.
