
Support MTLS #1727

Closed
howard0su opened this issue Oct 9, 2020 · 7 comments
Labels
A-web project: actix-web C-feature Category: new functionality

Comments

@howard0su

howard0su commented Oct 9, 2020

Support mTLS, so that the request handler is able to validate the certificate presented by the client.

If someone can point out the code to start with, I can try to do this task as well.

@robjtede robjtede added C-feature Category: new functionality A-web project: actix-web labels Oct 9, 2020
@robjtede
Member

robjtede commented Oct 9, 2020

If possible, can you post some details/links about the rationale for this feature, some details just to spec this out, and maybe some snippets of what the code should ideally look like when using the feature? It will help anyone looking into this understand what is required.

@howard0su
Author

Definition

When a TLS server accepts a client connection, it can optionally request that the client present its own certificate. This is a feature supported by all TLS libraries. It can be enabled through the configuration of the TLS server.

Use Cases

This is a commonly used feature when you are building an API server and the API server is using a client certificate to authenticate itself to the server. It is common in microservice architectures.

API

This is not a proposal of an API but rather a way to give the reader an idea of how to use mTLS.

When setting up the TLS listener, the code needs to specify one root certificate or a list of certificates, so that the server will only accept a client certificate that is trusted by those root certificates. Alternatively, the code can configure the server to accept connections with or without a certificate.

In the handler, the server code can get the client certificate's information, including but not limited to the subject, altname, thumbprint, and whether it is trusted by the predefined root certificates. Based on this information, the handler is able to return different responses.
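The handler-side part of the flow above (certificate required vs. optional, reject anything that did not chain to a configured root, then match subject/altname and an optional thumbprint pin) as an added worked example. This is not code from the issue or from actix-web; the `ClientCert`, `Policy` and `Decision` types are hypothetical stand-ins for the per-connection information a TLS layer hands to the application (in actix-web that information comes from the certificate exposed through `on_connect`, as noted later in the thread), and every certificate value is constructed for the demonstration.

```rust
use std::collections::HashSet;

/// Hypothetical summary of a client certificate as the TLS layer would hand it
/// to the application after the handshake. Not an actix-web or rustls type.
#[derive(Debug, Clone, PartialEq)]
pub struct ClientCert {
    pub subject_cn: String,
    pub san_dns: Vec<String>,
    /// Hex fingerprint of the DER certificate (constructed values in this example)
    pub thumbprint: String,
    /// Set by the TLS library only when the chain verified against a configured root
    pub trusted_by_root: bool,
}

/// Listener configuration: require a client certificate, or merely request one.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ClientAuth {
    Required,
    Optional,
}

/// Authorization policy the handler applies to the presented certificate.
pub struct Policy {
    pub client_auth: ClientAuth,
    /// Identities (subject CN or SAN DNS name) allowed to call the endpoint
    pub allowed_identities: HashSet<String>,
    /// Optional pin set; empty means "any certificate chaining to the root"
    pub pinned_thumbprints: HashSet<String>,
}

/// Outcome the handler maps to an HTTP response.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// 200: carries the identity the request is attributed to
    Allow(String),
    /// 401: a certificate is required but none was presented
    Unauthorized,
    /// 403: a certificate was presented but rejected, with the reason
    Forbidden(&'static str),
}

pub fn authorize(policy: &Policy, cert: Option<&ClientCert>) -> Decision {
    let cert = match (cert, policy.client_auth) {
        (None, ClientAuth::Required) => return Decision::Unauthorized,
        (None, ClientAuth::Optional) => return Decision::Allow("anonymous".to_string()),
        (Some(c), _) => c,
    };
    // Subject and SAN of an unverified certificate are attacker-controlled strings:
    // refuse before looking at them.
    if !cert.trusted_by_root {
        return Decision::Forbidden("certificate not issued by a trusted root");
    }
    // Pinning, when configured, compares the hex fingerprint case-insensitively.
    if !policy.pinned_thumbprints.is_empty()
        && !policy.pinned_thumbprints.iter().any(|p| p.eq_ignore_ascii_case(&cert.thumbprint))
    {
        return Decision::Forbidden("certificate thumbprint is not pinned");
    }
    // Identity match: subject CN first, then any SAN DNS name.
    if policy.allowed_identities.contains(&cert.subject_cn) {
        return Decision::Allow(cert.subject_cn.clone());
    }
    if let Some(san) = cert.san_dns.iter().find(|s| policy.allowed_identities.contains(*s)) {
        return Decision::Allow(san.clone());
    }
    Decision::Forbidden("certificate identity is not on the allow-list")
}

/// Constructed sample policy: two allowed service identities and one pinned fingerprint.
pub fn sample_policy(client_auth: ClientAuth) -> Policy {
    Policy {
        client_auth,
        allowed_identities: ["billing.internal", "orders.internal"].iter().map(|s| s.to_string()).collect(),
        pinned_thumbprints: ["AB12CD34"].iter().map(|s| s.to_string()).collect(),
    }
}

/// Builds a constructed certificate summary for the demonstration.
pub fn sample_cert(cn: &str, san: &[&str], thumbprint: &str, trusted: bool) -> ClientCert {
    ClientCert {
        subject_cn: cn.to_string(),
        san_dns: san.iter().map(|s| s.to_string()).collect(),
        thumbprint: thumbprint.to_string(),
        trusted_by_root: trusted,
    }
}

fn main() {
    let policy = sample_policy(ClientAuth::Required);
    let good = sample_cert("billing.internal", &[], "ab12cd34", true);
    let untrusted = sample_cert("billing.internal", &[], "ab12cd34", false);
    println!("{:?}", authorize(&policy, Some(&good)));
    println!("{:?}", authorize(&policy, Some(&untrusted)));
    println!("{:?}", authorize(&policy, None));
}
```

The ordering of the checks is the point: the trust-chain result decided by the TLS library gates everything else, so a self-signed certificate with a matching subject is rejected before its name is ever compared, and with `ClientAuth::Optional` an anonymous caller is distinguishable from a rejected one.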

@robjtede
Member

robjtede commented Oct 9, 2020

Great, thanks for that.

If you want to have a go at implementing this, a good place to start is in the actix-server + actix-tls crates. It may be possible already to use this feature manually at that level. Check out https://github.com/actix/actix-net/blob/master/actix-tls/examples/basic.rs and perhaps see if it can be modified to achieve this result. If not, modifying one of those libraries will probably be the first step.

@howard0su
Author

Thank you for your suggestion. I will look into this.

@robjtede
Member

robjtede commented Oct 9, 2020

Also potentially relevant for higher level work: #1482

@robjtede
Member

@howard0su I've made progress on exposing this in #1754. It can provide access to rustls::Certificate or openssl::x509::X509 and should be enough to support this use case.

@robjtede robjtede self-assigned this Oct 30, 2020
@robjtede
Member

robjtede commented Oct 30, 2020

actix-web v3.2 is released, which exposes on_connect.

Example of extracting client certificate: https://github.com/actix/examples/tree/HEAD/rustls-client-cert


2 participants