Implement client certificate validation #162
base: master
```rust
if let Some(client_ca_cert) = &builder.client_cert_verification_ca_cert {
    acceptor.add_client_ca((client_ca_cert.0).0.as_ref())?;
    // below call is required if the ca is not already trusted
    acceptor.cert_store_mut().add_cert((client_ca_cert.0).0.to_owned())?;
```
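Review bot: the comment on the `cert_store_mut().add_cert(...)` line understates what it does: `add_client_ca` only adds the CA's subject name to the list the server advertises in its CertificateRequest, while the client's chain is verified against the acceptor's X509 store, so this line is what makes the supplied CA a trust anchor for client-certificate verification (which is why the tests need it). Make that explicit in the comment, e.g. "// add the CA as a trust anchor so the client's chain verifies against it", and consider whether the builder should let callers opt out when they pass an intermediate CA that already chains to a root in the default store. Also, `(client_ca_cert.0).0` reaches through two tuple-struct layers on both lines; an accessor on the wrapper type (for example a hypothetical `as_x509()`) would make the intent readable.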
This line is required to run the tests as-is. Not sure if this should stay in.
I just encountered the limitation this is supposed to fix. I'm writing a decentralized peer-to-peer network, and I need mutual authentication in the communication between the nodes. Because it's decentralized, there's no CA, so each node does custom per-peer validation. In short, I need both server and client to exchange certificates -- but the reason I'm writing this is because I also need
@cypheratheist This PR only adds the ability to request or require a client certificate. It would not allow setting a custom verification callback (#161 (comment)) to let you accept invalid certs. On top of this PR, you'd also need to make a call to set_verify_callback (openssl), verify_callback (schannel), or set_break_on_client_auth (secure_transport).
Todo:
Provides a configuration mechanism for client certificate verification, i.e. two-way TLS.
I don't have Windows or Mac environments for oss; feel free to cannibalize this PR if you can do the implementation on those systems.
Related to: #161