Tokio_openssl connect method signature

I'm trying to use this tokio_openssl connect method to connect to a target server.
I notice that openssl's connect method takes a domain argument, while tokio_openssl's takes no domain name.

If I connect to the target server via something like "127.0.0.1:1234", which has the actual domain name "TEST_DOMAIN", how do I use tokio_openssl to verify that the target IP has a cert with "TEST_DOMAIN" as SN?

For those who run into the same question that I have,
you can use this method and state the host name.

This can be done in the following way, for example:

    // construct SslConnector as shown in the openssl docs
    tokio_openssl::SslStream::new(
        ssl_connector.configure()?.into_ssl("TEST_DOMAIN")?,
        tcp_stream
    )

I found this workaround by digging into how SslConnector's connect method works here:

    pub fn connect<S>(&self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
    where
        S: Read + Write,
    {
        self.configure()?.connect(domain, stream)
    }

Reference: connector.rs - source

And since tokio_openssl needs an object of type Ssl, the config object has this method, which converts the connector into an Ssl with hostname validation enabled:

    pub fn into_ssl(mut self, domain: &str) -> Result<Ssl, ErrorStack> {
        if self.sni && domain.parse::<IpAddr>().is_err() {
            self.ssl.set_hostname(domain)?;
        }

        if self.verify_hostname {
            setup_verify_hostname(&mut self.ssl, domain)?;
        }

        Ok(self.ssl)
    }

Reference: connector.rs - source
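
An added example, not part of the original post and not rust-openssl's own code: a std-only model of the `into_ssl` branches quoted above, showing what would be sent as SNI and what the peer certificate would be checked against for several `domain` strings. `plan_handshake`, `HandshakePlan` and `PeerCheck` are hypothetical names, and the IP-versus-DNS split inside `setup_verify_hostname` is an assumption about code the post does not show.

```rust
use std::net::{IpAddr, SocketAddr};

/// Identity the peer certificate would be checked against.
#[derive(Debug, PartialEq)]
enum PeerCheck {
    DnsName(String),
    IpAddress(IpAddr),
    Disabled,
}

/// What the quoted `into_ssl` would configure for a given `domain`.
#[derive(Debug, PartialEq)]
struct HandshakePlan {
    sni: Option<String>,
    check: PeerCheck,
}

/// Hypothetical model of the two branches in `into_ssl`.
fn plan_handshake(domain: &str, sni: bool, verify_hostname: bool) -> HandshakePlan {
    let as_ip = domain.parse::<IpAddr>();
    // Branch 1 (from the post): SNI is sent only when `domain` is not an IP literal.
    let sni_name = if sni && as_ip.is_err() { Some(domain.to_string()) } else { None };
    // Branch 2. Assumption: setup_verify_hostname checks an IP literal against
    // the certificate's IP entries and anything else against its DNS names.
    let check = match (verify_hostname, as_ip) {
        (false, _) => PeerCheck::Disabled,
        (true, Ok(ip)) => PeerCheck::IpAddress(ip),
        (true, Err(_)) => PeerCheck::DnsName(domain.to_string()),
    };
    HandshakePlan { sni: sni_name, check }
}

fn main() {
    // Constructed inputs: the socket address is what gets dialed,
    // `domain` is what gets verified. The two are independent.
    let dial: SocketAddr = "127.0.0.1:1234".parse().unwrap();
    for domain in ["TEST_DOMAIN", "127.0.0.1", "127.0.0.1:1234"] {
        println!("dial {}, domain {:?} -> {:?}", dial, domain, plan_handshake(domain, true, true));
    }
}
```

Passing the dial string `"127.0.0.1:1234"` as `domain` does not parse as an `IpAddr`, so it is treated as a DNS name that the certificate is unlikely to carry; pass the name the certificate was issued for instead.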
