Client seems to ignore additional root certificates with default_tls/native_tls #1260
Comments
I'm having the same issue (also on Linux). This program:

```rust
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Read the PEM file and register it as an additional root certificate.
    let cert = std::fs::read("wildcard-self-signed.pem")?;
    let cert = reqwest::Certificate::from_pem(&cert)?;
    reqwest::blocking::Client::builder()
        .use_native_tls()
        .add_root_certificate(cert)
        .build()?
        .get("https://self-signed.badssl.com/")
        .send()?;
    Ok(())
}
```

```toml
[package]
name = "cert-repro"
version = "0.1.0"
edition = "2018"

[dependencies.reqwest]
version = "0.11.3"
features = ["native-tls", "blocking", "rustls-tls"]
```

Gives:

```text
reqwest::Error {
    kind: Request,
    url: Url {
        scheme: "https",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "self-signed.badssl.com",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    source: hyper::Error(
        Connect,
        Ssl(
            Error {
                code: ErrorCode(
                    1,
                ),
                cause: Some(
                    Ssl(
                        ErrorStack(
                            [
                                Error {
                                    code: 337047686,
                                    library: "SSL routines",
                                    function: "tls_process_server_certificate",
                                    reason: "certificate verify failed",
                                    file: "../ssl/statem/statem_clnt.c",
                                    line: 1913,
                                },
                            ],
                        ),
                    ),
                ),
            },
            X509VerifyResult {
                code: 18,
                error: "self signed certificate",
            },
        ),
    ),
}
```

It does not fail if
Seems like there is a specific code in reqwest to parse multiple certificates from the byte array given in case it is rust-tls. But in the case of native-tls, it just propagates it to native-tls which propagates it to openssl. And it seems OpenSSL will only take the first one from the list.
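A client-side way to work around the behaviour described above, added here as an example and not code from reqwest or this thread: split the PEM bundle into one block per certificate and register each block on its own, so OpenSSL never sees a multi-certificate buffer. The splitter uses only the standard library; the `SAMPLE_BUNDLE` is a constructed input with placeholder bodies, and `split_pem_certificates` is a name chosen for this example.

```rust
// Added example, not reqwest's own code: split a PEM bundle into one
// certificate per block so each can be passed separately to
// reqwest::Certificate::from_pem and builder.add_root_certificate(..).

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Returns every CERTIFICATE block (BEGIN/END lines included) as its own
/// byte vector. Blocks of other types (e.g. a private key in the same file)
/// and text between blocks are skipped; an unterminated block is dropped.
pub fn split_pem_certificates(bundle: &str) -> Vec<Vec<u8>> {
    let mut certs = Vec::new();
    let mut buf = String::new();
    let mut in_cert = false;
    for line in bundle.lines() {
        let line = line.trim_end();
        if !in_cert {
            if line == BEGIN {
                in_cert = true;
                buf.clear();
                buf.push_str(line);
                buf.push('\n');
            }
            continue;
        }
        buf.push_str(line);
        buf.push('\n');
        if line == END {
            certs.push(std::mem::take(&mut buf).into_bytes());
            in_cert = false;
        }
    }
    certs
}

/// Constructed sample bundle: two certificate blocks around a key block.
/// The base64 bodies are placeholders, not real certificates.
pub const SAMPLE_BUNDLE: &str = "\
-----BEGIN CERTIFICATE-----
QUFBQUFB
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
S0VZS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QkJCQkJC
-----END CERTIFICATE-----
";
```

Each returned chunk is then fed to `reqwest::Certificate::from_pem(&chunk)?` and `.add_root_certificate(cert)` in a loop over the builder, one call per certificate.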
Using reqwest 0.11.x, Linux and openssl, it looks to me as if additional root certificates are ignored.

Using:

I get:

Switching the client to rustls makes it work:

Also a test with `openssl s_client -connect host:port -CAfile /path/to/certificate` works.