Comments (6)
I use the command:
openssl req -x509 -nodes -days 1825 -newkey rsa:4096 -keyout server.key -out server.crt
The generated self-signed certificates can be used in rustls. Please check whether you forgot the -x509 option.
It seems mkcert is a better tool to generate the certificates, but I haven't tried it yet.
from hyper-rustls.
Hi. I use the following openssl commands and Rust code.
mkdir ssl_certs && cd ssl_certs && openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -sha256 -nodes --subj '/CN=localhost/' && cd -
The command above creates ssl_certs/server.key and ssl_certs/server.crt.
The Rust code below shows how to load the files.
let tls_cfg = load_tls_config("./ssl_certs/server.crt", "./ssl_certs/server.key")?;
let tls_acceptor = TlsAcceptor::from(std::sync::Arc::new(tls_cfg));
// use tls_acceptor...

// (base: https://github.com/ctz/hyper-rustls/blob/5f073724f7b5eee3a2d72f0a86094fc2718b51cd/examples/server.rs)
// Wrap a message in an io::Error (helper from the hyper-rustls example;
// it was referenced but not shown in the original comment).
fn error(err: String) -> std::io::Error {
    std::io::Error::new(std::io::ErrorKind::Other, err)
}

pub fn load_tls_config(
    cert_path: impl AsRef<std::path::Path>,
    key_path: impl AsRef<std::path::Path>,
) -> std::io::Result<rustls::ServerConfig> {
    // Load the public certificate chain.
    let mut cert_reader = std::io::BufReader::new(std::fs::File::open(cert_path)?);
    let certs = rustls::internal::pemfile::certs(&mut cert_reader)
        .map_err(|_| error("unable to load certificate".to_owned()))?;
    // Load the private key; the file must hold exactly one PKCS#8 key.
    let mut key_reader = std::io::BufReader::new(std::fs::File::open(key_path)?);
    let mut keys = rustls::internal::pemfile::pkcs8_private_keys(&mut key_reader)
        .map_err(|_| error("unable to load private key".to_owned()))?;
    if keys.len() != 1 {
        return Err(error("expected a single private key".to_owned()));
    }
    let key = keys.remove(0);
    // Do not use client certificate authentication.
    let mut cfg = rustls::ServerConfig::new(rustls::NoClientAuth::new());
    // Select the certificate/key pair to serve; fails if they do not match.
    cfg.set_single_cert(certs, key)
        .map_err(|e| error(format!("invalid certificate/key: {}", e)))?;
    // Configure ALPN to accept HTTP/2, HTTP/1.1 in that order.
    cfg.set_protocols(&[b"h2".to_vec(), b"http/1.1".to_vec()]);
    Ok(cfg)
}
Here is an actual example using the command in CI: https://github.com/nwtgck/piping-server-rust/blob/1dc4563fa90511579d145271f4131fdf24fcd610/.github/workflows/ci.yml#L20.
from hyper-rustls.
@heibor Did you find a workaround? I'm having the same issue.
First, I could not get the private keys to load without using this Python script: rustls/rustls#74 (comment)
And now I'm facing the same issue as you:
FAILED: error accepting connection: TLS Error: Custom { kind: InvalidData, error: AlertReceived(BadCertificate) }
Is there any workaround? I'm almost giving up on rustls; it seems too restrictive. Should I raise an issue in their repo? I'm not sure what is happening yet.
from hyper-rustls.
Thanks, mkcert worked. I still had to use the Python script though, or else I would get:
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: "expected a single private key" }',
from hyper-rustls.
@lucaswxp The private key contains an rsa key and a pkcs8 key, and I added some code to the load_private_key function and renamed it to load_keys:
use std::fs::File;
use std::io;
use std::path::Path;

use rustls::internal::pemfile;
use rustls::PrivateKey;

fn load_keys(path: &Path) -> io::Result<PrivateKey> {
    // Try the PKCS#1 ("BEGIN RSA PRIVATE KEY") parser first...
    let rsa_keys = {
        let keyfile = File::open(path)?;
        let mut reader = io::BufReader::new(keyfile);
        pemfile::rsa_private_keys(&mut reader).map_err(|_| {
            io::Error::new(io::ErrorKind::InvalidData, "file contains invalid rsa private key")
        })?
    };
    // ...then the PKCS#8 ("BEGIN PRIVATE KEY") parser on a fresh reader.
    let pkcs8_keys = {
        let keyfile = File::open(path)?;
        let mut reader = io::BufReader::new(keyfile);
        pemfile::pkcs8_private_keys(&mut reader).map_err(|_| {
            io::Error::new(
                io::ErrorKind::InvalidData,
                "file contains invalid pkcs8 private key (encrypted keys not supported)",
            )
        })?
    };
    // Prefer a PKCS#8 key, fall back to an RSA key, and fail if neither parsed.
    if let Some(key) = pkcs8_keys.first() {
        Ok(key.clone())
    } else if let Some(key) = rsa_keys.first() {
        Ok(key.clone())
    } else {
        Err(io::Error::new(io::ErrorKind::InvalidData, "no private key found in file"))
    }
}
I'm not sure if this will help you.
from hyper-rustls.
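As an added example (not code from this thread or from hyper-rustls) covering both the "expected a single private key" error quoted above and this comment's two-parser fallback: a std-only Rust check that reports which PEM key format a file holds, so you know before calling rustls which pemfile loader will actually return a key. The KeyKind names and the placeholder PEM body in main are constructed here.

```rust
// Added example (not from the thread): inspect the PEM labels in a key file
// before handing it to rustls, so a PKCS#1 ("BEGIN RSA PRIVATE KEY") file is
// not fed to pkcs8_private_keys(), which would return no keys and end in the
// "expected a single private key" error quoted above.

#[derive(Debug, PartialEq)]
pub enum KeyKind {
    Pkcs1Rsa,  // "BEGIN RSA PRIVATE KEY": parse with pemfile::rsa_private_keys
    Pkcs8,     // "BEGIN PRIVATE KEY": parse with pemfile::pkcs8_private_keys
    Sec1Ec,    // "BEGIN EC PRIVATE KEY": convert to PKCS#8 first
    Encrypted, // "BEGIN ENCRYPTED PRIVATE KEY": rustls cannot decrypt it
}

/// Labels of every `-----BEGIN <label>-----` line, in file order.
pub fn pem_labels(pem: &str) -> Vec<String> {
    pem.lines()
        .map(str::trim)
        .filter_map(|l| l.strip_prefix("-----BEGIN ")?.strip_suffix("-----"))
        .map(str::to_owned)
        .collect()
}

/// Pick the loader that fits the file, or explain why none does.
pub fn classify_key_file(pem: &str) -> Result<KeyKind, String> {
    let mut kinds = Vec::new();
    for label in pem_labels(pem) {
        match label.as_str() {
            "RSA PRIVATE KEY" => kinds.push(KeyKind::Pkcs1Rsa),
            "PRIVATE KEY" => kinds.push(KeyKind::Pkcs8),
            "EC PRIVATE KEY" => kinds.push(KeyKind::Sec1Ec),
            "ENCRYPTED PRIVATE KEY" => kinds.push(KeyKind::Encrypted),
            _ => {} // certificates, DH parameters, etc. are not keys
        }
    }
    match kinds.len() {
        0 => Err("no private key block found".to_string()),
        1 => match kinds.pop().unwrap() {
            KeyKind::Encrypted => Err("encrypted keys are not supported".to_string()),
            k => Ok(k),
        },
        n => Err(format!("expected a single private key, found {}", n)),
    }
}

fn main() {
    // Constructed sample: the body is placeholder base64, not a real key.
    let pkcs1 = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n";
    println!("{:?}", classify_key_file(pkcs1));
}
```

A PKCS#1 or SEC1 file can be rewritten as unencrypted PKCS#8 with `openssl pkcs8 -topk8 -nocrypt -in server.key -out server-pkcs8.key`, after which the pkcs8_private_keys loader used in the comments above accepts it.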
Thanks to @nwtgck it looks like there's an example for the original poster to follow. I would echo the suggestion of others to try and avoid openssl if you're looking for easy-to-use tooling. mkcert or rcgen are likely going to give you a better user experience. The openssl command line tools are notoriously difficult to work with.
from hyper-rustls.