TlsConnector with Client Cert and CA not working. (CA Issue)

I am trying to modify redis-rs to support client auth and a CA. That partly works: it works for client auth but not for the CA.

    // .danger_accept_invalid_certs(true)
    // .danger_accept_invalid_hostnames(true)
    // .use_sni(false)

If I enable danger_accept_invalid_certs then it works. It does not matter whether I call add_root_certificate. I create the CA certificate with from_pem and with from_der; when I create the certificate with from_der, I convert it with

openssl x509 -in ca.crt -outform der -out ca.der

I can use these certs to connect with Go code. If I do not use the identity function, the server rejects the connection, so it seems I am using the correct certificates. I only have an issue with the CA.

You need to figure out exactly why it's failing by checking the TLS library's return status.

Does the TLS library validate domain names? Are the SANs/CN correct?

I get this error:

thread 'main' panicked at 'called Result::unwrap() on an Err value: Failure(Error { code: -67843, message: "The certificate was not trusted." })'

It does not matter whether I enable danger_accept_invalid_hostnames or not, so I expect the CN is OK. It is a Redis server and I guess it has no CN. There is no issue with the CN in the Go code.

I am new to Rust and I am not sure which direction I should dig in.

What are you passing to connector.connect? The CN needs to match this domain/IP. What is the certificate chain used by the server? It needs to include the CA certificate (ca.pem here) as well as the server certificate with the right CN.

I created the certificates with the Redis test script:

    let tcp = TcpStream::connect((host, port))?;
    tls_connector.connect(host, tcp).unwrap()

The server certificate has a CN of Server-only, but given that danger_accept_invalid_hostnames doesn't solve the problem, I would guess this is not the root issue. I wonder if the nsCertType has something to do with the problem: redis/ at d67e66de72edc49a5493c963fd7cb97411165d8c · redis/redis · GitHub

Does it work if you use the redis cert instead of the server cert on the server side and either pass Generic-cert to tls_connector.connect or enable danger_accept_invalid_hostnames?

I am not sure I understand server vs. redis certs. I have the same certs on the server and on the client for auth.

It uses redis.crt, redis.key and ca.crt to start the server and for the clients. For the Rust client I converted redis.crt and redis.key into redis.der, and the server stopped dropping the connection due to client auth. So redis.der is set up correctly. I get the error "The certificate was not trusted." It sounds like an issue with the CA. I used ca.crt and converted it to ca.der. I still get the same issue.

Then I am not sure what the problem is.

