Open havok4u opened 7 months ago
For additional context, here is the code snippet:

```rust
use mysql::{ClientIdentity, OptsBuilder, Pool, SslOpts};
use std::path::Path;

fn connect() -> mysql::Result<Pool> {
    // rustls variant: certificate chain and private key as two separate PEM files
    let client_identity = ClientIdentity::new(
        Path::new("/opt/mysql/certs/client.pem"),
        Path::new("/opt/mysql/certs/client.key"),
    );
    let ssl_opts = SslOpts::default()
        .with_root_cert_path(Some(Path::new("/opt/mysql/certs/ca.crt")))
        .with_client_identity(Some(client_identity));
    let opts = OptsBuilder::new()
        .ip_or_hostname(Some("mysql.somedomain.com"))
        .user(Some("someuser"))
        .pass(Some("somepass"))
        .tcp_port(3306u16)
        .db_name(Some("mydb"))
        .ssl_opts(ssl_opts)
        .secure_auth(true);
    let p = Pool::new(opts)?; // <--- this is where things fail
    Ok(p)
}
```
Let me know if I am missing something here, but reading through the code for rustls, I don't think so.
Hi.
Fyi the error comes from here. It would be helpful to know which key you actually use (RSA, ECDSA, or EdDSA) and in which format (Pkcs1, Pkcs8, sec1). Is it in pem or in der?
We found that in the code. We use RSA and pem format. We did convert our pem to der and got the same problem. Interesting aside: my coworker is using rustls in gRPC with certs generated from the same source, and he gets no problems using rustls (tonic uses rustls) for gRPC.
Another note: we switched rustls back out for the default and it works. I'd like to see this work with rustls as it seems to be pretty much the most used. We wanted rustls because it supports more modern TLS ciphers and protocols.
> Interesting aside: my coworker is using rustls in gRPC with certs generated from the same source, and he gets no problems using rustls (tonic uses rustls) for gRPC.
Just to clarify, which version of rustls?
> We use RSA and pem format.
Still unclear what is inside of your pem-formatted file.
Can you please generate a random keypair and send it to me in the same format for investigation?
So we figured it out, based on your above questions. This triggered my co-worker to question what format we actually had. Turns out we were pkcs8, so we converted to pkcs1 (aka traditional) and it now works. The question is: why does rustls not support pkcs8 in this library? Because in the gRPC mTLS setup, pkcs8 (using rustls) does work.
And btw thank you for your quick responses, much appreciated.
We dug into the code and, when it comes to the mysql library calling rustls, it seems the call is statically defined for pkcs1. Since that is the way it was implemented, maybe this could be a feature request for pkcs8 support as well.
Just an update: openssl now generates pkcs8 by default, and it was mentioned on a Google forum that the -traditional switch (which takes a pkcs8 and converts it to pkcs1) is gone in current versions or going away.
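As an added example, not code from the mysql crate or from anyone in this thread: a std-only Rust classifier that tells the key encodings discussed above apart, first from the PEM label and then from the DER structure (which a PEM-to-DER conversion preserves), and shows which one a PKCS#1-only loader will accept. The byte prefix it embeds is constructed to illustrate the structure and is not a real key.

```rust
// Added example (not the mysql crate's or the author's code): tell PKCS#1, PKCS#8 and
// SEC1 private keys apart. PEM -> DER conversion keeps the DER structure, so it cannot help.
#[derive(Debug, PartialEq)]
pub enum KeyEncoding {
    Pkcs1Rsa,       // RSAPrivateKey ("RSA PRIVATE KEY"): the only form the old loader read
    Pkcs8,          // PrivateKeyInfo ("PRIVATE KEY"): OpenSSL 3's default output
    Sec1Ec,         // ECPrivateKey ("EC PRIVATE KEY")
    EncryptedPkcs8, // EncryptedPrivateKeyInfo: unusable until decrypted with its passphrase
}
/// Classify a PEM key by its BEGIN label; None if no private-key label is present.
pub fn classify_pem(pem: &str) -> Option<KeyEncoding> {
    let label = pem.lines().map(str::trim)
        .find_map(|l| l.strip_prefix("-----BEGIN ")?.strip_suffix("-----"))?;
    match label {
        "RSA PRIVATE KEY" => Some(KeyEncoding::Pkcs1Rsa),
        "PRIVATE KEY" => Some(KeyEncoding::Pkcs8),
        "EC PRIVATE KEY" => Some(KeyEncoding::Sec1Ec),
        "ENCRYPTED PRIVATE KEY" => Some(KeyEncoding::EncryptedPkcs8),
        _ => None,
    }
}
/// Return a DER element's tag and the size of its tag+length header (short or long form).
fn der_header(b: &[u8]) -> Option<(u8, usize)> {
    let (tag, len) = (*b.first()?, *b.get(1)?);
    Some((tag, if len < 0x80 { 2 } else { 2 + (len & 0x7f) as usize }))
}
/// Classify a DER key by what follows the outer SEQUENCE and its version INTEGER.
pub fn classify_der(der: &[u8]) -> Option<KeyEncoding> {
    let (tag, hdr) = der_header(der)?;
    if tag != 0x30 { return None; }
    let body = der.get(hdr..)?;
    match der_header(body)? {
        (0x30, _) => return Some(KeyEncoding::EncryptedPkcs8), // no version; AlgorithmIdentifier first
        (0x02, _) => {}                                         // version INTEGER, as in the plain forms
        _ => return None,
    }
    // The version INTEGER is short form (length byte < 0x80), so its content length is body[1].
    let version_len = *body.get(1)? as usize;
    match *body.get(2 + version_len)? {
        0x02 => Some(KeyEncoding::Pkcs1Rsa), // next INTEGER is the RSA modulus n
        0x30 => Some(KeyEncoding::Pkcs8),    // AlgorithmIdentifier SEQUENCE (e.g. rsaEncryption)
        0x04 => Some(KeyEncoding::Sec1Ec),   // OCTET STRING holding the EC private scalar
        _ => None,
    }
}
/// Constructed (not a real key) opening bytes of a PKCS#8 RSA key: SEQUENCE, version 0, rsaEncryption OID.
pub const PKCS8_RSA_PREFIX: &[u8] = &[0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];
/// True only for the encoding a PKCS#1-only loader, like the one in this thread, accepts.
pub fn pkcs1_only_loader_accepts(enc: &KeyEncoding) -> bool { *enc == KeyEncoding::Pkcs1Rsa }
```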
@havok4u, hi. Can you please try the pkcs8 branch (#381) with your pkcs8 keys?
I am using mysql and changed the default to use rustls:

```toml
mysql = { version = "25.0.0", default-features = false, features = ["default-rustls"] }
```

Can anyone tell me why I would get this error doing mTLS: `Err(TlsError { unexpected error: failed to parse private key as RSA, ECDSA, or EdDSA })`
I use these same certificates with the mysql client and in Golang and it works flawlessly.