omjadas / hudsucker

Intercepting HTTP/S proxy
https://crates.io/crates/hudsucker
Apache License 2.0

CertificateUnknown error occurred when running the log.rs #12

Closed WaylonTian closed 2 years ago

WaylonTian commented 2 years ago

Hi man, thank you for your project first.

But I'm stuck when running the log.rs in your examples directory.

I just copied src/example/log.rs to src/main.rs and src/example/ca to src/ca, added env_logger = "0.9" to [dependencies], and then ran cargo run.

After installing the hudsucker.pem on my computer (Trusted Root Certification Authorities) and setting my web proxy to 127.0.0.1:3000, I got the error log:

    thread 'tokio-runtime-worker' panicked at 'Failed to establish TLS connection with client: Custom { kind: InvalidData, error: AlertReceived(CertificateUnknown) }', C:\Users\forti\IdeaProjects\hudsucker\src\proxy.rs:137:30
    [2021-11-03T05:46:55Z ERROR rustls::session] TLS alert received: Message { typ: Alert, version: TLSv1_3, payload: Alert( AlertMessagePayload { level: Fatal, description: CertificateUnknown, }, ), }

Waiting for your response, thank you.

WaylonTian commented 2 years ago

There is another project that uses your code and provides a solution to generate certificate files.

https://github.com/zu1k/good-mitm/blob/master/src/ca.rs When using the generated files cert.crt and private.key in my code (main.rs, which is the same as examples/log.rs), there are no error logs.

I am confused by it. I don't know the difference between these files.

WaylonTian commented 2 years ago

When using openssl to generate key/crt files and using them in my code, no luck.

    openssl genrsa -out ca.key 2048
    openssl req -new -in ca.key -out ca.scr
    openssl x509 -req -in ca.scr -signkey ca.key -extensions v3_ca -out ca.crt
    openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt -in ca.key -out pkcs8.key

    let mut private_key_bytes: &[u8] = include_bytes!("ca/pkcs8.key");
    let mut ca_cert_bytes: &[u8] = include_bytes!("ca/ca.crt");

omjadas commented 2 years ago

Hmm, this is strange. I can confirm that the example cert/key (generated using openssl) don't seem to work when added to the OS trusted roots. My initial thought was that perhaps because the example cert doesn't specify Key Usage (I'm pretty sure if unspecified everything should be allowed) was the issue, however when I generated a new cert with it specified it still didn't work. I also tried messing around with the issuer a bit (because it seems like the issuer is not able to be found), to no avail. I am going to continue looking into this and see if I can't figure out what is causing the issue. The strange thing is when I verify one of the certificates generated by the proxy using openssl it says everything is OK.

omjadas commented 2 years ago

I have updated the example cert to one that works (created using rcgen); I am still confused as to why the CA certs generated using openssl are not working. I tried creating a cert using openssl that was the same as the one that is working (with only a slightly different validity period) and it still did not work.
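One diagnostic worth running when a client reports CertificateUnknown while `openssl verify` is happy: strict chain builders (webpki, which rustls uses, among others) match a leaf's issuer Name against the CA's subject Name byte-for-byte, so two DNs that print identically can still fail to chain if one CN is encoded as PrintableString and the other as UTF8String, whereas openssl canonicalises names before comparing. The script below is an added example, not code from hudsucker, rcgen or this thread; it parses DER directly so it needs no third-party crate or package, and the certificates it checks are constructed, unsigned skeletons with a hypothetical "Hudsucker CA" name.

```python
# Added example: byte-level issuer/subject comparison for DER certificates.
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
# TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
#   signature, issuer, validity, subject, subjectPublicKeyInfo, ... }

def _der(tag, value):
    """Encode one DER TLV with definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _value(tlv):
    """Strip the tag/length header of a TLV, short or long form."""
    return tlv[2:] if tlv[1] < 0x80 else tlv[2 + (tlv[1] & 0x7F):]

def _items(tlv):
    """List the (tag, raw TLV) children of a constructed TLV."""
    data, out, pos = _value(tlv), [], 0
    while pos < len(data):
        first = data[pos + 1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
        length = first if first < 0x80 else int.from_bytes(data[pos + 2:pos + hdr], "big")
        out.append((data[pos], data[pos:pos + hdr + length]))
        pos += hdr + length
    return out

def cert_names(cert_der):
    """Return the raw (issuer, subject) Name TLVs of a DER Certificate."""
    fields = _items(_items(cert_der)[0][1])       # children of tbsCertificate
    if fields[0][0] == 0xA0:                      # skip optional [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]             # issuer, subject

def issuer_matches(leaf_der, ca_der):
    """True iff leaf.issuer equals ca.subject byte-for-byte (webpki-style check)."""
    return cert_names(leaf_der)[0] == cert_names(ca_der)[1]

def name_cn(cn, utf8=True):
    """Name with one CN RDN, as UTF8String (0x0C) or PrintableString (0x13)."""
    oid_cn = bytes.fromhex("0603550403")          # OBJECT IDENTIFIER 2.5.4.3
    attr = _der(0x30, oid_cn + _der(0x0C if utf8 else 0x13, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def fake_cert(issuer, subject):
    """Constructed, unsigned Certificate skeleton: enough structure for cert_names()."""
    sigalg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"211103000000Z") + _der(0x17, b"221103000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sigalg
               + issuer + validity + subject + _der(0x30, b""))
    return _der(0x30, tbs + sigalg + _der(0x03, b"\x00"))

def demo():
    """CA subject as PrintableString; one leaf keeps it, one re-encodes it as UTF8String."""
    ca_name = name_cn("Hudsucker CA", utf8=False)   # constructed, hypothetical CA name
    ca = fake_cert(ca_name, ca_name)
    leaf_ok = fake_cert(name_cn("Hudsucker CA", utf8=False), name_cn("example.com"))
    leaf_bad = fake_cert(name_cn("Hudsucker CA", utf8=True), name_cn("example.com"))
    return issuer_matches(leaf_ok, ca), issuer_matches(leaf_bad, ca)
```

On real files, feed `cert_names()` the DER bytes of a proxy-generated leaf and of the installed root (for PEM input, base64-decode the body between the BEGIN/END lines first).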

zu1k commented 2 years ago

https://github.com/est31/rcgen/issues/59#issuecomment-860296585

omjadas commented 2 years ago

est31/rcgen#59 (comment)

Thanks for the reference @zu1k.

omjadas commented 2 years ago

@WaylonTian I have published v0.6.0 which includes multiple certificate authority implementations, one using rcgen, and another using openssl (enabled using the openssl-certs feature). When using the OpensslAuthority, root certs generated using openssl work correctly.

WaylonTian commented 2 years ago

@omjadas Thank you for your really very nice job. But I have another question (sorry, I'm a newbie in rust/ssl/tls/openssl/rustls): we have already added the rustls dependency to this project; can we solve this problem with just rustls (not depending on the openssl library)?

omjadas commented 2 years ago

> @omjadas Thank you for your really very nice job. But I have another question (sorry, I'm a newbie in rust/ssl/tls/openssl/rustls): we have already added the rustls dependency to this project; can we solve this problem with just rustls (not depending on the openssl library)?

rustls does not provide certificate generation. As far as I know, rcgen and openssl are the two main libraries used for certificate generation in rust, if there are others I am not aware of, I could add additional implementations in the future.

I have made the openssl dependency optional (enabled using the openssl-certs feature), so I would probably only recommend using it if you are already using openssl in your project, or if the cert you are using does not work with rcgen.

Hopefully the rcgen issue will be fixed upstream.

WaylonTian commented 2 years ago

> @omjadas Thank you for your really very nice job. But I have another question (sorry, I'm a newbie in rust/ssl/tls/openssl/rustls): we have already added the rustls dependency to this project; can we solve this problem with just rustls (not depending on the openssl library)?
>
> rustls does not provide certificate generation. As far as I know, rcgen and openssl are the two main libraries used for certificate generation in rust, if there are others I am not aware of, I could add additional implementations in the future.
>
> I have made the openssl dependency optional (enabled using the openssl-certs feature), so I would probably only recommend using it if you are already using openssl in your project, or if the cert you are using does not work with rcgen.
>
> Hopefully the rcgen issue will be fixed upstream.

No wonder! Thanks.