
Client seems to ignore additional root certificates with default_tls/native_tls #1260

Open
ctron opened this issue Apr 28, 2021 · 2 comments

@ctron
Contributor

ctron commented Apr 28, 2021

Using reqwest 0.11.x, Linux and openssl, it looks to me as if additional root certificates are ignored:

Using:

client.add_root_certificate(pem);

I get:

error sending request for url (https://keycloak.drogue-dev.svc.cluster.local.:8443/auth/realms/master/protocol/openid-connect/token): error trying to connect: error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:ssl/record/rec_layer_s3.c:1544:SSL alert number 10

Switching the client to rustls makes it work:

 client = client.use_rustls_tls();

Also a test with openssl s_client -connect host:port -CAfile /path/to/certificate works

@blyxxyz
Contributor

blyxxyz commented Jun 19, 2021

I'm having the same issue (also on Linux). This program:

main.rs:

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let cert = std::fs::read("wildcard-self-signed.pem")?;
    let cert = reqwest::Certificate::from_pem(&cert)?;
    reqwest::blocking::Client::builder()
        .use_native_tls()
        .add_root_certificate(cert)
        .build()?
        .get("https://self-signed.badssl.com/")
        .send()?;
    Ok(())
}

Cargo.toml:

[package]
name = "cert-repro"
version = "0.1.0"
edition = "2018"

[dependencies.reqwest]
version = "0.11.3"
features = ["native-tls", "blocking", "rustls-tls"]

With wildcard-self-signed.pem

Gives:

reqwest::Error {
    kind: Request,
    url: Url {
        scheme: "https",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "self-signed.badssl.com",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    source: hyper::Error(
        Connect,
        Ssl(
            Error {
                code: ErrorCode(
                    1,
                ),
                cause: Some(
                    Ssl(
                        ErrorStack(
                            [
                                Error {
                                    code: 337047686,
                                    library: "SSL routines",
                                    function: "tls_process_server_certificate",
                                    reason: "certificate verify failed",
                                    file: "../ssl/statem/statem_clnt.c",
                                    line: 1913,
                                },
                            ],
                        ),
                    ),
                ),
            },
            X509VerifyResult {
                code: 18,
                error: "self signed certificate",
            },
        ),
    ),
}

It does not fail if .use_rustls_tls() is used.

@oribs1

oribs1 commented Aug 31, 2021

Seems like there is specific code in reqwest to parse multiple certificates from the given byte array in case it is rustls. But in the case of native-tls, it just propagates it to native-tls, which propagates it to OpenSSL. And it seems OpenSSL will only take the first one from the list.
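The workaround that follows from that explanation is to split the PEM bundle yourself and register each certificate separately. The code below is an added example, not reqwest's or native-tls's own code: a standard-library-only splitter that returns every CERTIFICATE block in a bundle so that each one can be passed on its own to reqwest::Certificate::from_pem and ClientBuilder::add_root_certificate (the reqwest calls are shown only in comments so the example runs without the crate). The bundle text is constructed for the example and contains no real certificates.

```rust
// Added example (not part of reqwest or native-tls): split a PEM bundle into
// individual CERTIFICATE blocks so each can be added as its own root.

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Constructed sample bundle: placeholder base64, not real certificates.
/// It mixes a certificate, a private key and free text, as a typical
/// openssl-style bundle might.
pub const SAMPLE_BUNDLE: &str = "\
# constructed sample, not real certificates
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIBconstructedKeyShouldBeSkipped
-----END PRIVATE KEY-----
subject=CN=example root
-----BEGIN CERTIFICATE-----
MIIBconstructedRootBBBB
-----END CERTIFICATE-----
";

/// Returns each BEGIN/END CERTIFICATE block in `bundle` as its own PEM byte
/// vector (LF line endings, trailing newline included). Text outside those
/// blocks, including other PEM types such as private keys, is skipped, and
/// CRLF input is accepted because every line is trimmed.
pub fn split_pem_bundle(bundle: &str) -> Vec<Vec<u8>> {
    let mut certs = Vec::new();
    let mut current: Option<String> = None;
    for line in bundle.lines() {
        let trimmed = line.trim();
        if current.is_none() {
            // Outside a certificate block: only a BEGIN line starts one.
            if trimmed == BEGIN {
                current = Some(format!("{}\n", BEGIN));
            }
            continue;
        }
        let buf = current.as_mut().unwrap();
        buf.push_str(trimmed);
        buf.push('\n');
        if trimmed == END {
            certs.push(current.take().unwrap().into_bytes());
        }
    }
    certs
}

fn main() {
    let certs = split_pem_bundle(SAMPLE_BUNDLE);
    println!("bundle contains {} certificate block(s)", certs.len());
    for (i, pem) in certs.iter().enumerate() {
        println!("--- certificate {} ({} bytes) ---", i, pem.len());
        print!("{}", String::from_utf8_lossy(pem));
    }
    // With reqwest this is the loop that avoids the first-certificate-only
    // behaviour described above (shown as a comment so the example compiles
    // without the crate):
    //
    // let mut builder = reqwest::blocking::Client::builder().use_native_tls();
    // for pem in split_pem_bundle(&std::fs::read_to_string("bundle.pem")?) {
    //     builder = builder.add_root_certificate(reqwest::Certificate::from_pem(&pem)?);
    // }
    // let client = builder.build()?;
}
```

A quick sanity check before blaming the TLS backend: if this splitter returns more than one block for your file, the OpenSSL path was only ever seeing the first of them.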
