sfackler / rust-native-tls

Apache License 2.0

Handling of errSSLPeerAuthCompleted and other non-fatal error codes #205

Open 0xADD1E opened 3 years ago

0xADD1E commented 3 years ago

When attempting to do peer authentication with a macOS client, an error gets raised corresponding with errSSLPeerAuthCompleted. This shouldn't actually be raised, should it? (For reference, errSSLPeerAuthCompleted is explicitly described as a non-fatal result, and seems to occur as a normal part of peer authentication)

sfackler commented 3 years ago

Yeah, you should not be seeing an errSSLPeerAuthCompleted. Could you put together a small self-contained example that hits that error?

ragoso commented 1 year ago

Hi, I'm getting the same "peer cert is valid, or was ignored if verification disabled" error from using reqwest with the "native-tls" feature on a macOS M1.

My implementation loads a PKCS12 as an identity to send in the request.

Investigating, I found this line in the reqwest project that indicates the use of tokio_native_tls.

https://github.com/seanmonstar/reqwest/blob/7e7b116a134cc0d6d646ab316dd83976369d5298/src/connect.rs#LL245C37-L245C53

It seems to be related to this comment in Apple's SecureTransport.h:

```c
  * errSSLPeerAuthCompleted: Peer's cert chain is valid, or was ignored if
  * cert verification was disabled via SSLSetEnableCertVerify. The application
  * may decide to continue with the handshake (by calling SSLHandshake
  * again), or close the connection at this point.
```

Example

```rust
use std::fs::File;
use std::io::{Read, Write};
use std::net::TcpStream;

use native_tls::Identity;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load the PKCS#12 bundle holding the client certificate and private key.
    let mut buf = Vec::new();
    File::open("serpro.pfx")?.read_to_end(&mut buf)?;

    let identity = Identity::from_pkcs12(&buf, "1234").unwrap();
    let connector = native_tls::TlsConnector::builder()
        .identity(identity)
        .danger_accept_invalid_certs(true)
        .danger_accept_invalid_hostnames(true)
        .build()
        .unwrap();

    let stream = TcpStream::connect("hom1.nfe.fazenda.gov.br:443").unwrap();
    // This handshake is where the reported errSSLPeerAuthCompleted error surfaces.
    let mut stream = connector.connect("hom1.nfe.fazenda.gov.br", stream).unwrap();
    //https://hom1.nfe.fazenda.gov.br/NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx
    stream.write_all(b"GET /NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx HTTP/1.0\r\n\r\n").unwrap();
    let mut res = vec![];
    stream.read_to_end(&mut res).unwrap();
    println!("{}", String::from_utf8_lossy(&res));
    Ok(())
}
```

Deps:

```toml
reqwest = { version = "0.11.17", features = ["native-tls"] }
```

@sfackler
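
The SecureTransport comment quoted above says errSSLPeerAuthCompleted is a checkpoint, not a failure: the application evaluates the peer's chain and then calls SSLHandshake again. The following is an added example (not code from native-tls, security-framework or anyone in this thread) of a handshake driver written that way; it simulates SSLHandshake() with scripted status codes (FakeSession and drive_handshake are hypothetical names) so it runs off macOS, while the status constants are the real values from SecureTransport.h.

```rust
use std::collections::VecDeque;

// Real OSStatus values from SecureTransport.h for the SSLHandshake() results handled below.
type OSStatus = i32;
const NO_ERR: OSStatus = 0;
const ERR_SSL_WOULD_BLOCK: OSStatus = -9803;
const ERR_SSL_PEER_AUTH_COMPLETED: OSStatus = -9841;
const ERR_SSL_CLIENT_CERT_REQUESTED: OSStatus = -9842;

#[derive(Debug, PartialEq)]
pub enum Handshake {
    Done { peer_auth_checkpoints: u32, would_blocks: u32 },
    PeerRejected,
    Failed(OSStatus),
}

/// Stand-in for an SSLContext (hypothetical): SSLHandshake() is simulated by popping
/// scripted status codes, because Security.framework only exists on macOS.
pub struct FakeSession {
    scripted: VecDeque<OSStatus>,
}

impl FakeSession {
    pub fn new(codes: &[OSStatus]) -> Self { Self { scripted: codes.iter().copied().collect() } }
    fn ssl_handshake(&mut self) -> OSStatus { self.scripted.pop_front().unwrap_or(NO_ERR) }
}

/// Keep calling SSLHandshake() until it returns noErr or a fatal code. `verify_peer`
/// is the caller's own trust evaluation: SecureTransport hands control back for it
/// at errSSLPeerAuthCompleted, and the handshake must then be resumed, not failed.
pub fn drive_handshake(sess: &mut FakeSession, verify_peer: impl Fn() -> bool) -> Handshake {
    let (mut peer_auth, mut blocks) = (0, 0);
    loop {
        match sess.ssl_handshake() {
            NO_ERR => return Handshake::Done { peer_auth_checkpoints: peer_auth, would_blocks: blocks },
            // Non-fatal: socket not ready; a real driver waits for readiness, then retries.
            ERR_SSL_WOULD_BLOCK => blocks += 1,
            // Non-fatal: the peer's chain is built; evaluate trust here, then resume.
            ERR_SSL_PEER_AUTH_COMPLETED => {
                peer_auth += 1;
                if !verify_peer() { return Handshake::PeerRejected; }
            }
            // Non-fatal: server requested a client cert; the identity already on the context is sent on resume.
            ERR_SSL_CLIENT_CERT_REQUESTED => {}
            fatal => return Handshake::Failed(fatal),
        }
    }
}
```

A driver that returns on the first non-zero status instead of looping like this is exactly what turns the informational errSSLPeerAuthCompleted into the error reported in this issue.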

ragoso commented 1 year ago

Hey guys,

This PR at security-framework solves this problem. Release 2.9.1.