Legacy PKCS12 TLS Support

I'm trying to write an HTTPS server that uses a legacy format of PFX (pkcs#12 aka .p12) identity files for TLS.

From attempting to with the native_tls example structure (see code below), I find that it doesn't support this.

In a situation where I'm forced to use this format of a certificate for a client that cannot be modified, how would one go about this? I'm doing this for a learning experience, but seeing that this is a totally reasonable situation to find yourself at an odd job, what do you do?

use native_tls::{Identity, TlsAcceptor, TlsStream};
use std::fs::File;
use std::io::Read;
use std::io::{prelude::*, BufReader};
use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::thread;

fn handle_connection(mut stream: TlsStream<TcpStream>) {
    let buf_reader = BufReader::new(&mut stream);
    let http_request: Vec<_> = buf_reader.lines().map(|result| result.unwrap()).take_while(|line| !line.is_empty()).collect();

    println!("Request: {:#?}", http_request);

fn main() {
    let mut file = File::open("root.pfx").unwrap();
    let mut identity = vec![];
    file.read_to_end(&mut identity).unwrap();
    let identity = Identity::from_pkcs12(&identity, "").unwrap();

    let listener = TcpListener::bind("").unwrap();
    let acceptor = TlsAcceptor::new(identity).unwrap();
    let acceptor = Arc::new(acceptor);

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                let acceptor = acceptor.clone();
                thread::spawn(move || {
                    let stream = acceptor.accept(stream).unwrap();
            Err(e) => { /* connection failed */ }


Trying to compile this.

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Normal(ErrorStack([Error { code: 621174887, library: "DSO support routines", function: "dlfcn_load", reason: "could not l
oad the shared library", file: "crypto/dso/dso_dlfcn.c", line: 118, data: "filename(libproviders.so): libproviders.so: cannot open shared object file: No such file or directory" }, Error { code
: 621215847, library: "DSO support routines", function: "DSO_load", reason: "could not load the shared library", file: "crypto/dso/dso_lib.c", line: 162 }, Error { code: 235360366, library: "co
nfiguration file routines", function: "module_load_dso", reason: "error loading dso", file: "crypto/conf/conf_mod.c", line: 224, data: "module=providers, path=providers" }, Error { code: 235364
465, library: "configuration file routines", function: "module_run", reason: "unknown module name", file: "crypto/conf/conf_mod.c", line: 165, data: "module=providers" }, Error { code: 58771876
4, library: "PKCS12 routines", function: "PKCS12_verify_mac", reason: "mac absent", file: "crypto/pkcs12/p12_mutl.c", line: 157 }, Error { code: 587718764, library: "PKCS12 routines", function:
 "PKCS12_verify_mac", reason: "mac absent", file: "crypto/pkcs12/p12_mutl.c", line: 157 }, Error { code: 587686001, library: "PKCS12 routines", function: "PKCS12_parse", reason: "mac verify fai
lure", file: "crypto/pkcs12/p12_kiss.c", line: 66 }]))', src/main.rs:20:57
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

(I'm guessing this means it's not supported, but maybe I'm doing something else wrong)

The certificate is generated like this:

# Generate certificate
openssl req -newkey rsa:2048 -nodes -keyout root.key -x509 -days 3650 -out root.crt -subj "/CN=Root Cert"
# Put into legacy PFX format for client
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey root.key -in root.crt -out root.pfx

For more detail on why I'm doing this, read my previous post.

Unfortunately, that is the quality of error messages you get out of OpenSSL.

A quick Google search for 336130204 gives this SO question: c++ - Boost.Asio SSL error on HTTP request with error message "http request" - Stack Overflow

If I'm reading it correctly, this error code means that a plain HTTP request is arriving on your HTTPS port. Try typing https://localhost:8443/ instead.

This made me realize I have a few issues in my post, I didn't generate the right cert and now I found out my server is missing some things needed for the crate to work. I'll do a updated post if I don't figure this out. Thanks for trying though!

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.