CertificateUnknown error occurred when running log.rs
WaylonTian opened this issue · 10 comments
Hi man, thank you for your project first.
But I'm stuck when running the log.rs in your examples directory.
I just copied src/example/log.rs to src/main.rs and src/example/ca to src/ca, added env_logger = "0.9" to [dependencies], and then ran cargo run.
After installing the hudsucker.pem on my computer (Trusted Root Certification Authorities) and setting my web proxy to 127.0.0.1:3000, I got the error log:
```
thread 'tokio-runtime-worker' panicked at 'Failed to establish TLS connection with client: Custom { kind: InvalidData, error: AlertReceived(CertificateUnknown) }', C:\Users\forti\IdeaProjects\hudsucker\src\proxy.rs:137:30
[2021-11-03T05:46:55Z ERROR rustls::session] TLS alert received: Message { typ: Alert, version: TLSv1_3, payload: Alert( AlertMessagePayload { level: Fatal, description: CertificateUnknown, }, ), }
```
Waiting for your response, thank you.
There is another project that uses your code and provides a solution to generate certificate files.
https://github.com/zu1k/good-mitm/blob/master/src/ca.rs
When using the generated files `cert.crt` and `private.key` in my code (main.rs, which is the same as examples/log.rs), there are no error logs.
I am confused by this. I don't know the difference between these files.
When I use openssl to generate key/crt files and use them in my code, no luck.
```sh
openssl genrsa -out ca.key 2048
# `openssl req -new` takes the private key with -key (not -in, which names a CSR to read)
openssl req -new -key ca.key -out ca.scr
openssl x509 -req -in ca.scr -signkey ca.key -extensions v3_ca -out ca.crt
openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt -in ca.key -out pkcs8.key
```
```rust
let mut private_key_bytes: &[u8] = include_bytes!("ca/pkcs8.key");
let mut ca_cert_bytes: &[u8] = include_bytes!("ca/ca.crt");
```
Hmm, this is strange. I can confirm that the example cert/key (generated using openssl) don't seem to work when added to the OS trusted roots. My initial thought was that perhaps because the example cert doesn't specify Key Usage (I'm pretty sure if unspecified everything should be allowed) was the issue, however when I generated a new cert with it specified it still didn't work. I also tried messing around with the issuer a bit (because it seems like the issuer is not able to be found), to no avail. I am going to continue looking into this and see if I can't figure out what is causing the issue. The strange thing is when I verify one of the certificates generated by the proxy using openssl it says everything is OK.
I have updated the example cert to one that works (created using rcgen). I am still confused as to why the CA certs generated using openssl are not working. I tried creating a cert using openssl that was the same as the one that is working (with only a slightly different validity period) and it still did not work.
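When a root you have just installed is answered with a `CertificateUnknown` alert, the first thing to check is whether the file actually carries what a verifier requires of an issuer: `basicConstraints CA:TRUE` and, if `keyUsage` is present, `keyCertSign`. That is easy to get wrong with the commands above: the `openssl x509 -req` manual states that no extensions are added unless `-extfile` is given, so `-extensions v3_ca` on its own has no effect. The following is an added example, not code from hudsucker or from the people in this thread. It uses only Go's standard library: `CAProblems` inspects any PEM root (for instance the `ca.crt` produced above), and `NewCA`/`IssueLeaf` build a constructed root (named "Constructed MITM Root", an assumption) with and without the CA extensions and show that a leaf issued under the extension-less root is rejected by an RFC 5280 issuer check even though its signature verifies. This goes slightly beyond the thread: it also applies to roots produced by any tool, not just openssl.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CAProblems lists why a TLS client would refuse to use the PEM certificate (e.g. ca.crt)
// as the issuer of proxy-generated leaves; an empty result means it has what a root needs.
func CAProblems(pemBytes []byte) ([]string, error) {
	c, err := parsePEMCert(pemBytes)
	if err != nil {
		return nil, err
	}
	var problems []string
	if !c.BasicConstraintsValid || !c.IsCA {
		problems = append(problems, "basicConstraints CA:TRUE missing")
	}
	// RFC 5280: an absent keyUsage permits everything, a present one must include keyCertSign.
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "keyUsage lacks keyCertSign")
	}
	return problems, nil
}

// LeafChainsToCA applies the issuer rules Go's verifier uses (RFC 5280 4.2.1.9): the signature
// must verify AND a v3 issuer must carry basicConstraints CA:TRUE, otherwise it is rejected.
func LeafChainsToCA(leafPEM, caPEM []byte) error {
	leaf, err := parsePEMCert(leafPEM)
	ca, err2 := parsePEMCert(caPEM)
	if err != nil || err2 != nil {
		return fmt.Errorf("parse failed: %v %v", err, err2)
	}
	return leaf.CheckSignatureFrom(ca)
}

// makeCert generates a fresh RSA key and a PEM certificate for tmpl signed by parentKey
// (self-signed when parent is nil); returns the PEM and the new key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// NewCA builds a constructed self-signed root (not the project's example cert). With
// withExtensions=false it carries no v3 extensions at all, the shape a root takes when
// `openssl x509 -req -extensions v3_ca` is run without -extfile.
func NewCA(withExtensions bool) ([]byte, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed MITM Root"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if withExtensions {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return makeCert(tmpl, nil, nil)
}

// IssueLeaf signs a server certificate for host under the CA, as a MITM proxy does per connection.
func IssueLeaf(caPEM []byte, caKey *rsa.PrivateKey, host string) ([]byte, error) {
	ca, err := parsePEMCert(caPEM)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafPEM, _, err := makeCert(tmpl, ca, caKey)
	return leafPEM, err
}

func main() {
	caPEM, caKey, _ := NewCA(false) // the failure case: a root with no extensions
	problems, _ := CAProblems(caPEM)
	leaf, _ := IssueLeaf(caPEM, caKey, "example.test")
	fmt.Println("problems:", problems, "| chain:", LeafChainsToCA(leaf, caPEM))
}
```

To check a root you generated yourself, read the PEM file and pass its bytes to `CAProblems`; an empty list means the file is at least structurally usable as a CA, and anything else is the thing to fix before looking at the proxy code. Note that this is only the first check: as reported above, a root can carry the right extensions and still be rejected by a particular client, so an empty list rules out the common cause rather than proving acceptance.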
@WaylonTian I have published v0.6.0 which includes multiple certificate authority implementations, one using `rcgen`, and another using `openssl` (enabled using the `openssl-certs` feature). When using the `OpensslAuthority`, root certs generated using openssl work correctly.
@omjadas Thank you for your really very nice job. But I have another question (sorry, I'm a newbie in rust/ssl/tls/openssl/rustls): we have already added the rustls dependency to this project, can we solve this problem just with rustls (not depending on the openssl library)?
`rustls` does not provide certificate generation. As far as I know, `rcgen` and `openssl` are the two main libraries used for certificate generation in Rust; if there are others I am not aware of, I could add additional implementations in the future.
I have made the `openssl` dependency optional (enabled using the `openssl-certs` feature), so I would probably only recommend using it if you are already using `openssl` in your project, or if the cert you are using does not work with `rcgen`.
Hopefully the `rcgen` issue will be fixed upstream.
No wonder! Thanks.