Comments (6)
Thanks cpu , Its working . I have added the crl support at client side also in custom_verifier below to check the revocation status of server cert chain.
let custom_verifier =
WebPkiServerVerifier::builder_with_provider(server_auth_root.into(), provider.clone())
**.with_crls(crls.clone())**
.build()
.unwrap();
let config = rustls::ClientConfig::builder_with_provider(provider)
.with_protocol_versions(&[&rustls::version::TLS13])
.unwrap()
.with_webpki_verifier(custom_verifier)
.with_no_client_auth();
from rustls.
@pranaw215 you can use the custom provider for both -- it's just that you weren't customizing the CryptoProvider
used for the ClientConfig
(directly) previously which would cause this issue.
from rustls.
Hi there,
I have configured the cipher suites using below code.
let builder = WebPkiServerVerifier::builder_with_provider(...
The crypto provider used by the WebPkiServerVerifier
is not the one that determines the ciphersuites offered in the client hello of a TLS handshake. The verifier's crypto provider cipher_suites are specific to validating the signatures of presented certificate chains. Edit: Sorry, misspoke. This field would be ignored by the verifier, I was thinking of the signature_verification_algorithms
.
Try using ClientConfig::builder_with_provider
to ensure that the ClientConfig
uses the same customized crypto provider. There's a complete example of doing this in limitedclient.rs if that's helpful.
from rustls.
Hi there,
I have configured the cipher suites using below code.
let builder = WebPkiServerVerifier::builder_with_provider(...The crypto provider used by the
WebPkiServerVerifier
is not the one that determines the ciphersuites offered in the client hello of a TLS handshake.The verifier's crypto provider cipher_suites are specific to validating the signatures of presented certificate chains.Edit: Sorry, misspoke. This field would be ignored by the verifier, I was thinking of thesignature_verification_algorithms
.Try using
ClientConfig::builder_with_provider
to ensure that theClientConfig
uses the same customized crypto provider. There's a complete example of doing this in limitedclient.rs if that's helpful.
Hi ,
I used [ClientConfig::builder_with_provider] and the configured cipher is working there , But I want the CRL support also.
Can you please point the example where CRL support is also there in the example.
from rustls.
Can you please point the example where CRL support is also there in the example.
We only have an example using CRLs for verifying client certificates as a server. It looks like you're trying to do the inverse and have a client check revocation status for the server.
Something like this diff to limitedclient.rs
should be a good starting point for using a custom provider for both the client config and the verifier:
diff --git a/examples/src/bin/limitedclient.rs b/examples/src/bin/limitedclient.rs
index 62443cae..fcaeafa3 100644
--- a/examples/src/bin/limitedclient.rs
+++ b/examples/src/bin/limitedclient.rs
@@ -2,6 +2,7 @@
//! so that unused cryptography in rustls can be discarded by the linker. You can
//! observe using `nm` that the binary of this program does not contain any AES code.
+use rustls::client::WebPkiServerVerifier;
use std::io::{stdout, Read, Write};
use std::net::TcpStream;
use std::sync::Arc;
@@ -15,18 +16,22 @@ fn main() {
.cloned(),
);
- let config = rustls::ClientConfig::builder_with_provider(
- CryptoProvider {
- cipher_suites: vec![provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256],
- kx_groups: vec![provider::kx_group::X25519],
- ..provider::default_provider()
- }
- .into(),
- )
- .with_protocol_versions(&[&rustls::version::TLS13])
- .unwrap()
- .with_root_certificates(root_store)
- .with_no_client_auth();
+ let provider = Arc::new(CryptoProvider {
+ cipher_suites: vec![provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256],
+ kx_groups: vec![provider::kx_group::X25519],
+ ..provider::default_provider()
+ });
+
+ let custom_verifier =
+ WebPkiServerVerifier::builder_with_provider(root_store.into(), provider.clone())
+ .build()
+ .unwrap();
+
+ let config = rustls::ClientConfig::builder_with_provider(provider)
+ .with_protocol_versions(&[&rustls::version::TLS13])
+ .unwrap()
+ .with_webpki_verifier(custom_verifier)
+ .with_no_client_auth();
let server_name = "www.rust-lang.org".try_into().unwrap();
let mut conn = rustls::ClientConnection::new(Arc::new(config), server_name).unwrap();
from rustls.
I'm going to close this since we've figured out the problem causing the unexpected cipher suites in the hello. If you have any further questions feel free to comment or open a new issue.
Thanks!
from rustls.
Related Issues (20)
- 0.23 docs build is broken HOT 2
- optimize receiving data with TLS 1.2 and aes-128-gcm HOT 1
- optimize receiving data with TLS 1.3 and aes-256-gcm
- optimize server-side full handshakes for TLS 1.2 and 1.3 HOT 1
- Connection::dangerous_extract_secrets returns ConnectionTrafficSecrets::Aes128Gcm even when AES-256-GCM is negotiated
- Error: badRecordMac HOT 4
- rand_core::RngCore & CryptoRng support for CryptoProvider HOT 7
- expose more information in ClientHello HOT 4
- No common ciphersuit when FFDHE and ECDHE ciphersuites are available on server and client using TLS 1.2 HOT 4
- US Export control information HOT 4
- doc: AcceptedAlert::write doesn't necessarily write all bytes HOT 7
- Support using rustls without using specific ring or aws-lc-rs apis HOT 2
- Feature request: a way to set/get default ticketer dynamically HOT 6
- Feature Request: Avoid panicking when ring and aws_lc_rs are both specified HOT 19
- Option to Relax SNI Host Name Validation for IP Addresses HOT 7
- unbuffered: B: `CapacityBuffer` for `output_tls.capacity()` HOT 9
- The support for "mipsel-unknown-linux-musl" has failed. HOT 2
- Io(Custom { kind: InvalidData, error: AlertReceived(HandshakeFailure) }) HOT 6
- Linux compilation is slow and seems unable to store compilation results HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rustls.