TLS 1.0 Support Actix

caret · June 7, 2023, 5:39am

I need to implement a actix_web TLS 1.0 webserver. I'm currently using rustls and just discovered it doesn't support this.

My code is as follows:

fn load_rustls_config() -> rustls::ServerConfig {
    // init server config builder with safe defaults
    let config = ServerConfig::builder().with_safe_defaults().with_no_client_auth();

    // load TLS key/cert files
    let cert_file = &mut BufReader::new(File::open("./certs/root.crt").expect("Certificate not found!"));
    let key_file = &mut BufReader::new(File::open("./certs/root.key").expect("Key not found!"));

    // convert files to key/cert objects
    let cert_chain = certs(cert_file).unwrap().into_iter().map(Certificate).collect();
    let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file).unwrap().into_iter().map(PrivateKey).collect();

    // exit if no keys could be parsed
    if keys.is_empty() {
        eprintln!("Could not locate PKCS 8 private keys.");
        std::process::exit(1);
    }

    config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
    let config = load_rustls_config();
    info!("Certificates loaded.");
    println!("Started!");
    HttpServer::new(|| {
        App::new()
            .service(test)
            .route("{path:.*}", web::get().to(index))
    })
    .bind("0.0.0.0:80")?
    .bind("0.0.0.0:5107")?
    .bind_rustls("0.0.0.0:443", config)?
    .run()
    .await
}

I don't know how to go about converting this or using a different library. Is it even possible to do this? Just thought I'd ask to make sure I won't go down a rabbit hole that leads nowhere.

xfix · June 7, 2023, 8:27am

You may be able to use bind_openssl rather than bind_rustls (with a configuration to enable TLS 1.0). rustls intentionally doesn't support TLS 1.0 because it's insecure and obsolete. Alternatively you may be able to set up a reverse proxy like nginx in front.

Note that if your website needs to comply with PCI, supporting TLS 1.0 is a PCI violation. Additionally, at this point there are pretty much no web browsers that only support TLS 1.0, it's mostly malicious bots, so unless you have a very specific need I would discourage configuring TLS 1.0 support.

system · September 5, 2023, 8:28am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.