TlsConnector with Client Cert and CA not working. (CA Issue)

I am trying to modify redis-rs to support Client Auth and CA. That partly works for ClientAuth but not for CA.

    use native_tls::{Certificate, Identity, TlsConnector};

    // Client identity for mTLS: a PKCS#12 bundle holding the client cert and key.
    // add_root_certificate supplies the CA that must have signed the server cert.
    let tls_connector = TlsConnector::builder()
        .identity(Identity::from_pkcs12(
            &client_cert.der,
            &client_cert.password,
        )?)
        .add_root_certificate(Certificate::from_pem(&ca.pem)?)
        // .danger_accept_invalid_certs(true)
        // .danger_accept_invalid_hostnames(true)
        // .use_sni(false)
        .build()?;

If I enable danger_accept_invalid_certs then it works. It does not matter whether I have the add_root_certificate call. I create the CA with from_pem and from_der; when I create the cert with from_der I convert the cert with

    openssl x509 -in ca.crt -outform der -out ca.der

I can use these certs to connect with Go code. If I do not use the identity function then the server rejects the connection. So it seems I use the correct certificates. I experience the issue with the CA only.

You need to figure out exactly why it's failing by checking the TLS library's return status.

Does the TLS library validate domain names? Are the SANs/CN correct?

1 Like

I get this error:

    thread 'main' panicked at 'called Result::unwrap() on an Err value: Failure(Error { code: -67843, message: "The certificate was not trusted." })'

It does not matter whether I enable danger_accept_invalid_hostnames or not, so I expect the CN is ok. It is a redis server and I guess it has no CN. There is no issue with the CN with Go code.

I am new to Rust and I am not sure in what direction I should dig.

What are you passing to connector.connect? The CN needs to match this domain/ip. What is the certificate chain used by the server? It needs to include the CA certificate (ca.pem here) as well as the server certificate with the right CN.

1 Like

I created the certificates with the redis test script.

    use std::net::TcpStream;

    let tcp = TcpStream::connect((host, port))?;
    // `host` is also the name checked against the server certificate's SAN/CN.
    tls_connector.connect(host, tcp).unwrap()

The server certificate has a CN of Server-only, but given that danger_accept_invalid_hostnames doesn't solve the problem I would guess this is not the root issue. I wonder if the nsCertType has something to do with the problem: redis/gen-test-certs.sh at d67e66de72edc49a5493c963fd7cb97411165d8c · redis/redis · GitHub

Does it work if you use the redis cert instead of the server cert on the server side and either pass Generic-cert to tls_connector.connect or enable danger_accept_invalid_hostnames?

1 Like
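The checks the two replies above ask for (does the server certificate chain to ca.crt, does the name passed to connect match the certificate's SAN/CN, and what nsCertType the certificate carries), written out as an added openssl-based diagnostic. This is example code added here, not code from the thread or from the redis or native-tls projects. It builds a throwaway CA and server certificate in a temp directory (constructed test material; the SAN redis.example.test and nsCertType=server are assumptions chosen to mirror what gen-test-certs.sh sets) and classifies the outcome into the two failure classes a TLS client distinguishes. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Reproduces, with openssl,
# the two checks a TLS client performs before trusting a server certificate:
#   1) does the certificate chain to the CA added as a root?
#   2) does the name we connect to match the certificate's SAN/CN?
# Assumes: openssl on PATH. All material is generated into a temp dir.
set -u
WORK="$(mktemp -d)"

# Constructed test PKI mirroring the redis test layout: ca.crt signs redis.crt;
# other.crt is an unrelated CA used as the negative case.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Server-only" \
        -keyout "$WORK/redis.key" -out "$WORK/redis.csr" >/dev/null 2>&1
    # SAN and nsCertType (assumed values) as a server certificate would carry them.
    printf 'subjectAltName=DNS:redis.example.test\nnsCertType=server\n' > "$WORK/ext.cnf"
    openssl x509 -req -days 1 -in "$WORK/redis.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
        -out "$WORK/redis.crt" >/dev/null 2>&1
}

# Print the fields relevant to the question: subject (CN), SAN and nsCertType.
describe_cert() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | grep -A1 -E 'Subject Alternative Name|Netscape Cert Type'
}

# classify CA CERT HOSTNAME -> prints exactly one of:
#   untrusted-chain    the "certificate was not trusted" class of failure;
#                      danger_accept_invalid_certs would mask it
#   hostname-mismatch  what danger_accept_invalid_hostnames would mask
#   ok                 both checks pass
classify() {
    ca="$1"; cert="$2"; host="$3"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted-chain
    elif ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo hostname-mismatch
    else
        echo ok
    fi
}

# Stand-alone run: build the PKI, show the certificate, and exercise all three outcomes.
make_pki
describe_cert "$WORK/redis.crt"
classify "$WORK/ca.crt"    "$WORK/redis.crt" redis.example.test
classify "$WORK/other.crt" "$WORK/redis.crt" redis.example.test
classify "$WORK/ca.crt"    "$WORK/redis.crt" wrong.example.test
```

Against the real server, the same two checks can be run with `openssl s_client -connect host:port -CAfile ca.crt -cert redis.crt -key redis.key`, whose output shows the chain the server actually sends and a "Verify return code" line; a chain that omits the CA, or a server certificate signed by a different CA than the one passed to add_root_certificate, shows up there as an untrusted chain. The code -67843 in the panic above is macOS Security.framework's errSecNotTrusted, which is the chain check failing rather than the hostname check, consistent with danger_accept_invalid_hostnames making no difference.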

I am not sure I understand server vs redis certs. I have same certs on server and on client for auth.

      ca.crt
      ca.key
      ca.txt
      redis.crt
      redis.der
      redis.dh
      redis.key

It uses redis.crt, redis.key and ca.crt to start the server and for clients. For the Rust client I converted redis.crt and redis.key into redis.der, and the server stopped dropping the connection due to client auth. So redis.der is correctly set up. I get the error "The certificate was not trusted." It sounds like an issue with the CA. I used ca.crt and converted it to ca.der. I still get the same issue.

Then I am not sure what the problem is.

1 Like
