Support MTLS #1727
Comments
If possible, can you post some details/links about the rationale for this feature, some details just to spec this out and maybe some snippets of what the code should look like, ideally, when using the feature. Will help anyone looking into this about what is required.
Definition

When a TLS server accepts a client connection, it can optionally request that the client present its own certificate. This is a feature supported in all TLS libraries. It can be enabled by the configuration of the TLS server.

Use Cases

This is a commonly used feature when you are building an API server and the API server is using a client certificate to authenticate itself to the server. It is common in the microservice architecture.

API

This is not a proposal of an API but rather a way to show the reader how to use MTLS. When setting up the TLS listener, the code needs to specify one root certificate or a list of certificates so that the server will only accept a client certificate that is trusted by those root certificates. Or the code can configure the server to accept the connection with or without the certificate as well. In the handler, the server code can get the client certificate's information, including but not limited to the subject, altname, thumbprint, and whether it is trusted by the predefined root certificates. Based on that information, the handler is able to return different responses.
Great, thanks for that. If you want to have a go at implementing this, a good place to start is in the actix-server + actix-tls crates. It may be possible already to use this feature manually at that level. Check out https://github.com/actix/actix-net/blob/master/actix-tls/examples/basic.rs and perhaps see if it can be modified to achieve this result. If not, modifying one of those libraries will probably be the first step.
Thank you for your suggestion. I will look into this.
Also potentially relevant for higher level work: #1482
@howard0su I've made progress on exposing this in #1754. It can provide access to
actix-web v3.2 is released which exposes Example of extracting client certificate: https://github.com/actix/examples/tree/HEAD/rustls-client-cert |
Support MTLS: the request handler is able to validate the certificate from the client.
If someone can point out the code to start with, I can try to do this task as well.