Rustls not working

use std::env;
use std::error::Error as StdError;
use std::io::{Read, Write};
use std::net::TcpListener;
use std::sync::Arc;

use rustls::pki_types::pem::PemObject;
use rustls::pki_types::{CertificateDer, PrivateKeyDer};

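/// Minimal single-connection TLS server built on rustls.
///
/// Usage: `<program> <cert.pem> <key.pem>`.
///
/// Loads a PEM certificate chain and a PEM private key, accepts one TCP
/// connection on 127.0.0.1:7878, performs the TLS handshake, sends a greeting
/// and prints the first bytes the client sends back.
///
/// # Errors
///
/// Returns an error if an argument is missing, the PEM files cannot be read or
/// parsed, the certificate/key pair is rejected by rustls, the socket cannot be
/// bound, or the TLS handshake or I/O fails. A handshake error of the form
/// `AlertReceived(CertificateUnknown)` is an alert sent *by the client*: the
/// client did not accept the certificate (for example it is self-signed and
/// not trusted, or it has no subjectAltName entry matching the host name or IP
/// address the client connected to).
fn main() -> Result<(), Box<dyn StdError>> {
    // Skip argv[0]; a missing argument becomes an error return, not a panic.
    let mut args = env::args().skip(1);
    let cert_file = args.next().ok_or("missing certificate file argument")?;
    let private_key_file = args.next().ok_or("missing private key file argument")?;

    // Propagate unreadable or malformed PEM input instead of unwrapping.
    let certs = CertificateDer::pem_file_iter(cert_file)?.collect::<Result<Vec<_>, _>>()?;
    let private_key = PrivateKeyDer::from_pem_file(private_key_file)?;

    // The server does not request a client certificate.
    let config = rustls::ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(certs, private_key)?;

    // Loopback only: the listener is not reachable from other hosts.
    let listener = TcpListener::bind(("127.0.0.1", 7878))?;
    let (mut stream, _) = listener.accept()?;

    let mut conn = rustls::ServerConnection::new(Arc::new(config))?;
    // Drive the handshake to completion; a client-side certificate rejection
    // surfaces here as an `AlertReceived(..)` error.
    conn.complete_io(&mut stream)?;

    // `rustls::Stream` couples the TLS state machine to the socket, so reads
    // block until plaintext has arrived. Calling `conn.reader().read()`
    // directly yields `WouldBlock` when no record has been pulled from the
    // socket yet.
    let mut tls = rustls::Stream::new(&mut conn, &mut stream);
    tls.write_all(b"Hello from the server")?;
    tls.flush()?;

    let mut buf = [0; 64];
    let len = tls.read(&mut buf)?;
    println!("Received message from client: {:?}", &buf[..len]);

    Ok(())
}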


Error: Custom { kind: InvalidData, error: AlertReceived(CertificateUnknown) }

certificate gen

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"

Sounds like "this is self-signed certificate, I can't trust it without you explicitly allowing it". What's the code that throws this error? Is this some client of yours?

I opened https://127.0.0.1:7878 in a browser, and the error then appears on the server side.

Certificates are typically for specific host names, so 127.0.0.1 connection won't match a certificate issued for localhost.

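The CN field is also deprecated and many things (I think including rustls) don't look at it. You need to set the IP and/or domain name as SAN entries in the certificate. With OpenSSL 1.1.1 or later, for example, append `-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"` to the `openssl req` command above. A self-signed certificate must still be explicitly trusted by the client.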
