"BadDER" error when connecting using a client cert on Kristall
Alch-Emi opened this issue · 0 comments
This issue is referring to the crash referenced by #3, wherein any authenticated connections from Kristall to northstar crash with the error

```
[2020-11-22T01:47:23Z ERROR northstar] Failed to establish TLS session
Caused by:
invalid certificate: BadDER
```
As best as I can tell, the backtrace for this error looks something like this (all line numbers are as of 0ca71e4):
- error caught & printed in the lambda in `Server::serve()` (lib.rs:60)
- Error caused by a failed handshake in `tokio_rustls::TlsAcceptor::accept()` in `Server::serve_client()` (lib.rs:69)
- This in turn is caused by a failed call to `webpki::EndEntityCert::from()`, although I'm not sure where from
- This method is backed by a call to the internal function `webpki::cert::parse_cert_internal()`, but why exactly is anyone's guess

`parse_cert_internal()` throws `webpki::Error::BadDER` a million and one times throughout its execution, and it would be a real hassle to figure out which one is ours. I'm honestly kinda stumped on how to go about debugging this or asking for help, since I'm assuming:
- Kristall devs would turn us away because their client works with all the other servers
- rustls devs would turn us away because accepting client certs without a central trust authority isn't officially supported behaviour
- webpki devs would turn us away because this is such a niche issue (This specific go client connecting to this specific library with a self-signed client certificate in order to use this pretty obscure smallnet protocol causes a crash)
But honestly I don't know enough about whatever a DER file is supposed to look like to go through and identify if the certificate is invalid or if there's an issue with the stream or if there's an issue with the client library.
Any ideas on how to move forward? Kristall is the only GUI client supporting client certs (afaik), and definitely the most popular one, so I'd hate to release an app that couldn't support it, but at the same time, where the hell even is this bug???
Recreation Details
- Generate server certs using the command in the README
- Run the `certificates` example (although this should work with any program that prompts the user to connect with a client cert)
- Connect with Kristall, and activate a client certificate.
- Connection should timeout, and an error should appear in the server log.
I am using this Cargo.lock, and Kristall version v0.3, built and run on Fedora 33
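An added example, not code from this issue or from the northstar, Kristall, rustls or webpki projects: a small Python walker that checks the outer structure of a DER-encoded certificate against the encoding rules a strict DER parser (such as the one webpki relies on) enforces, and names the first rule that is broken. It runs on constructed byte strings rather than a real certificate; the function names (`read_tlv`, `check_certificate_der`, `diagnose`) and the sample blobs are assumptions made for the example. It shows the faults that typically surface as a bare `BadDER`: an indefinite (BER-style) length, a non-minimal length encoding, and trailing bytes after the outer `SEQUENCE`. Feeding it the raw client-certificate bytes captured from a failing handshake tells you whether the blob at least satisfies these rules before digging further into webpki.

```python
"""Walk the outer structure of a DER-encoded X.509 certificate and report the
first rule a strict DER parser would reject. Sample data below is constructed
for the example and is not a real certificate."""

SEQUENCE = 0x30
BIT_STRING = 0x03


class DerError(ValueError):
    """Raised with a message naming the offending DER rule and its byte offset."""


def read_tlv(buf, pos, base=0):
    """Parse one Tag-Length-Value at buf[pos]; return (tag, value, next_pos).

    Enforces the length rules that separate DER from BER: definite lengths
    only, short form whenever the length fits in 7 bits, and long form with
    no leading zero bytes otherwise. `base` is only used to report absolute
    offsets when walking a nested value.
    """
    if pos >= len(buf):
        raise DerError(f"unexpected end of data at offset {base + pos}")
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise DerError(f"multi-byte tag at offset {base + pos} not supported here")
    pos += 1
    if pos >= len(buf):
        raise DerError(f"missing length byte at offset {base + pos}")
    first = buf[pos]
    len_off = base + pos
    pos += 1
    if first < 0x80:                      # short form: the byte is the length
        length = first
    elif first == 0x80:                   # indefinite form: legal BER, never DER
        raise DerError(f"indefinite length at offset {len_off}")
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if pos + n > len(buf):
            raise DerError(f"truncated length field at offset {len_off}")
        len_bytes = buf[pos:pos + n]
        pos += n
        if len_bytes[0] == 0:
            raise DerError(f"non-minimal length (leading zero byte) at offset {len_off}")
        length = int.from_bytes(len_bytes, "big")
        if length < 0x80:
            raise DerError(f"non-minimal length (long form for {length}) at offset {len_off}")
    if pos + length > len(buf):
        raise DerError(f"value of {length} bytes at offset {base + pos} runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def check_certificate_der(buf):
    """Check Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING }.

    Returns the member lengths; raises DerError on the first structural
    problem. The tbsCertificate contents are not walked further.
    """
    tag, body, end = read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise DerError(f"outer tag 0x{tag:02x} is not SEQUENCE")
    if end != len(buf):
        raise DerError(f"{len(buf) - end} trailing byte(s) after outer SEQUENCE")
    body_base = end - len(body)           # absolute offset of the first member
    members, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos, base=body_base)
        members.append((t, v))
    tags = [t for t, _ in members]
    if tags != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise DerError(f"members have tags {[hex(t) for t in tags]}, expected "
                       "[SEQUENCE, SEQUENCE, BIT STRING]")
    sig = members[2][1]
    if not sig or sig[0] != 0:
        raise DerError("signatureValue BIT STRING must start with a 0 unused-bits byte")
    return {"tbs_len": len(members[0][1]),
            "alg_len": len(members[1][1]),
            "sig_len": len(sig) - 1}


def diagnose(buf):
    """Return 'ok' or the DerError message, for quick use on a captured blob."""
    try:
        check_certificate_der(buf)
        return "ok"
    except DerError as e:
        return str(e)


# --- constructed sample data (hypothetical, not real certificates) -------

def _tlv(tag, value):
    """DER-encode one element with a minimal definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


TBS = _tlv(SEQUENCE, b"\x02\x01\x02" + _tlv(0x04, b"\x00" * 130))  # >128 bytes: long form
ALG = _tlv(SEQUENCE, b"\x06\x03\x2a\x03\x04")
SIG = _tlv(BIT_STRING, b"\x00" + b"\xab" * 32)

GOOD_CERT = _tlv(SEQUENCE, TBS + ALG + SIG)
# Same content, but signatureAlgorithm length written in long form (0x81 0x05):
NONMINIMAL_CERT = _tlv(SEQUENCE, TBS + b"\x30\x81\x05\x06\x03\x2a\x03\x04" + SIG)
# Outer SEQUENCE with a BER indefinite length and end-of-contents octets:
INDEFINITE_CERT = b"\x30\x80" + TBS + ALG + SIG + b"\x00\x00"
# Well-formed certificate followed by one stray byte:
TRAILING_CERT = GOOD_CERT + b"\x00"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_CERT), ("non-minimal", NONMINIMAL_CERT),
                       ("indefinite", INDEFINITE_CERT), ("trailing", TRAILING_CERT)]:
        print(f"{name:12s} {diagnose(blob)}")
```

To use it on a real handshake, dump the certificate bytes the server receives (for example by logging the DER blob in `serve_client()` before it reaches the TLS acceptor) and call `diagnose()` on them; "ok" means the outer encoding is sound and the problem is somewhere inside tbsCertificate, while any other message pins the fault to a byte offset you can inspect with a hex dump.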