Newbie to Rust but have implemented mTLS in several other languages previously.
My ultimate objective is to get a Rust gRPC client to talk to an existing (production) Python gRPC server using mTLS. I have spent a number of hours banging my head against TLS errors. Generated a fresh x509v3 stack as below, getting invalid peer certificate: UnknownIssuer. For some reason it isn't liking the (self-signed) CA which I signed the client and/or server certificate with. Help please!
Yes. I'm getting zero logging server-side and I haven't figured out how to enable more verbose logging. I think the issue is with the client validating the server certificate - it is signed by the CA which is being passed into the client TLS config so in theory it should work:
% openssl verify -verbose -CAfile ca-v3.pem localhost-v3.pem
localhost-v3.pem: OK
What library are you using? It looks like those tls config types aren't directly from rustls
Correct, I'm using tonic, which is a gRPC library using rustls under the hood. I have, however, used the raw rustls client tlsclient-mio and got the same result:
I think from a rustls perspective you need to add your self signed CA as a trusted root as shown in the getting started section on the rustls docs with the RootCertStore
Thanks @semicoleon. Your suggestion isn't the solution but it led me down a useful path, which I'll document here in case it's useful to anyone. tonic is ultimately wrapping RootCertStore when it sets up its config. I stepped through tonic, tokio-rustls, and rustls to verify that the client was indeed checking the certificate it received from the server against the CA cert that I specified. I believe I am correctly configuring the client/server in Rust.
This then led me to find that the original error being thrown was UnsupportedSignatureAlgorithm, which is getting swallowed further up the chain and being displayed, somewhat unhelpfully, as UnknownIssuer. Further digging suggests that my homespun CA is signing with an algorithm which rustls doesn't support (rustls/verify.rs at 411a65d7367bed6e5c90ed4bfa000334536e68ae · rustls/rustls · GitHub).
I haven't yet figured out the right invocation to openssl to produce a signed cert which satisfies this check, but I'm working on it (help welcomed :-).
You might try specifying the generated key type and size to make sure that matches a supported option. You could also try the -digest flag on req. Unfortunately it's been a while since I've used the openssl CLI so that's all I've got
I've given up trying to modify my openssl CA stack to satisfy rustls, after burning yet more time on that. I've instead picked up their example stack from rustls/test-ca at main · rustls/rustls · GitHub and started using that, and the client & server are happily communicating. I haven't yet attempted to figure out why that stack succeeds where mine fails.