TlsAcceptor does not request client certificate?

[gxtaillon]

Hello,

I'm trying to use rust-native-tls to setup a bare tls connection that would require client to provide a certificate, however I have not found a way of doing this with TlsAcceptor. There doesn't seem to be a way to set the verification mode and depth.

Using openssl s_server -accept *:10000 -cert server.pem -key server.pem -verify 10 -CAfile root-ca.crt, I can see that when providing a cert on the TlsConnectorBuilder, the client sends the certificate.

The peer_certificate() on the call always return Ok(None), and the server never requests the certificate.

Looking at the tests, requesting the client's certificate doesn't seem to be supported.

rust-native-tls/src/test.rs

Line 140 in 75e43da

assert!(socket.peer_certificate().unwrap().is_none());

Would you welcome a PR?

[sfackler]

Sure

[gxtaillon]

Exposing SslVerifyMode in some way would clash with the format of boolean settings in TlsConnectorBuilder.

I'd add two bools in TlsAcceptorBuilder: request_client_cert for SSL_VERIFY_PEER, and require_client_cert for SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

What do you think?

[sfackler]

How would this be implemented for schannel and secure-transport?

[gxtaillon]

I'm not familiar with schannel and secure-transport. Right now i'd only expose the new settings for openssl.

[sfackler]

The entire purpose of this crate is to expose a uniform interface to those three backends. I would like to preserve that.

[gxtaillon]

You're not making it easy for yourself

I checked schannel here : https://docs.rs/schannel/0.1.16/schannel/tls_stream/struct.Builder.html
Only way I can find to validate client certs would be to set verify_callback and check the CertValidationResult for no failed_certificate and for the presence of a certchain.

For security-channel here : https://docs.rs/security-framework/0.4.1/security_framework/secure_transport/struct.SslContext.html
There's set_client_side_authenticate with SslAuthenticate.

Looking back exposing a type akin to https://docs.rs/security-framework/0.4.1/security_framework/secure_transport/struct.SslAuthenticate.html would be cleaner. There would also be more work needed to allow using the verification callbacks of all three backends, but I don't need that right now, and a type like this would not prevent that from happening.

[jocutajar]

I'd like to accept client cert authentication in Samotop server. Without this feature I'll have to dip into openssl/schannel/ what not myself ...not too excited... Is this effort going stale?

[gxtaillon]

@jocutajar In #162 there's a working implementation for openssl that i'm using, but for windows and mac I don't have a machine for OSS that I can readily use so for now I'm not planning on working on this. Feel free to canibalize the PR.

[garritfra]

+1 for this feature. I'm not qualified to implement this, but I'd love to see it happen.