Open 0xADD1E opened 3 years ago
Yeah, you should not be seeing an errSSLPeerAuthCompleted. Could you put together a small self contained example that hits that error?
Hi, I'm getting the same "peer cert is valid, or was ignored if verification disabled" error from using reqwest with the "native-tls" feature on macOS (M1).
My implementation loads a PKCS12 as an identity to send in the request.
Investigating, I found this line in the reqwest project that indicates the use of tokio_native_tls.
It seems to be something with this comment on Apple's SecureTransport.h.
* errSSLPeerAuthCompleted: Peer's cert chain is valid, or was ignored if
* cert verification was disabled via SSLSetEnableCertVerify. The application
* may decide to continue with the handshake (by calling SSLHandshake
* again), or close the connection at this point.
Example:

```rust
use std::fs::File;
use std::io::{Read, Write};
use std::net::TcpStream;

use native_tls::{Identity, TlsConnector};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load the PKCS#12 bundle (client certificate + key) to present as the client identity.
    let mut buf = Vec::new();
    File::open("serpro.pfx")?.read_to_end(&mut buf)?;
    let identity = Identity::from_pkcs12(&buf, "1234")?;

    let connector = TlsConnector::builder()
        .identity(identity)
        .danger_accept_invalid_certs(true)
        .danger_accept_invalid_hostnames(true)
        .build()?;

    let stream = TcpStream::connect("hom1.nfe.fazenda.gov.br:443")?;
    // On macOS this handshake fails with the errSSLPeerAuthCompleted error quoted above.
    let mut stream = connector.connect("hom1.nfe.fazenda.gov.br", stream)?;

    // https://hom1.nfe.fazenda.gov.br/NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx
    stream.write_all(b"GET /NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx HTTP/1.0\r\n\r\n")?;
    let mut res = vec![];
    stream.read_to_end(&mut res)?;
    println!("{}", String::from_utf8_lossy(&res));
    Ok(())
}
```

Deps:

```toml
reqwest = { version = "0.11.17", features = ["native-tls"] }
```
@sfackler
When attempting to do peer authentication with a macOS client, an error gets raised corresponding with errSSLPeerAuthCompleted. This shouldn't actually be raised, should it? (For reference, errSSLPeerAuthCompleted is explicitly described as a non-fatal result, and seems to occur as a normal part of peer authentication)
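As an added illustration (not code from native-tls, security-framework, or anyone in this thread), here is the handshake loop the SecureTransport.h comment above describes, written against an assumed `Handshake` trait that stands in for repeated SSLHandshake() calls: errSSLPeerAuthCompleted is treated as the point to run the application's own peer check and then resume, not as a fatal error.

```rust
// Model of a SecureTransport handshake driver. The result codes and the
// `Handshake` trait are assumptions standing in for the real SSLHandshake().
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum HandshakeResult {
    Ok,
    WouldBlock,          // errSSLWouldBlock: I/O not ready, call again
    PeerAuthCompleted,   // errSSLPeerAuthCompleted: peer chain checked, call again
    Fatal(&'static str), // any other errSSL* code
}

pub trait Handshake {
    /// One SSLHandshake() step; yields the next result code.
    fn step(&mut self) -> HandshakeResult;
}

/// Drives the handshake to completion and returns the number of steps taken.
/// `verify_peer` runs exactly when the library reports PeerAuthCompleted, which
/// is where an application that disabled built-in verification must do its own
/// checks (pinning, custom trust evaluation) before continuing.
pub fn drive_handshake<H: Handshake>(
    hs: &mut H,
    verify_peer: &mut dyn FnMut() -> bool,
    max_steps: usize,
) -> Result<usize, String> {
    for steps in 1..=max_steps {
        match hs.step() {
            HandshakeResult::Ok => return Ok(steps),
            HandshakeResult::WouldBlock => continue,
            HandshakeResult::PeerAuthCompleted => {
                if !verify_peer() {
                    return Err("peer verification rejected the certificate".into());
                }
                // Non-fatal: resume the handshake instead of surfacing an error.
            }
            HandshakeResult::Fatal(code) => return Err(format!("handshake failed: {code}")),
        }
    }
    Err("handshake did not complete".into())
}

/// Scripted handshaker for tests: replays a constructed sequence of codes.
pub struct Scripted(pub Vec<HandshakeResult>);

impl Handshake for Scripted {
    fn step(&mut self) -> HandshakeResult {
        if self.0.is_empty() { HandshakeResult::Fatal("closed") } else { self.0.remove(0) }
    }
}
```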