5

I am trying to implement an HTTPS server using Rustls with Hyper, but I am not able to find a proper example of how to implement it. I have followed and tried the example given in the hyper-rustls repository here (Hyper Rustls server example).

It always gives this error

FAILED: error accepting connection: TLS Error: Custom { kind: InvalidData, error: AlertReceived(CertificateUnknown) }

I am completely new to Rust and hence don't know how to properly implement HTTPS over Hyper. I have also gone through a question related to this here.

But I am still not able to find the solution. If more information is required, do let me know.

kanudo

1 Answer

5

It looks like your problem is not with Hyper or Rust, it is with TLS. By default, when you establish a connection via HTTPS, the client verifies the server certificate's authenticity. The certificate needs to be signed by a trusted authority: for details, see, for example, this page.

To verify, use curl:

$ curl https://localhost:1337/echo -X POST -v --insecure
...
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
...
< HTTP/2 200 
< date: Sun, 12 Apr 2020 12:45:03 GMT
< 

So this works fine. If you remove the --insecure flag, curl will refuse to establish a connection:

$ curl https://localhost:1337/echo -X POST -v
...
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

To fix this, you need to either:

  1. Use a properly-signed certificate instead of a self-signed one, or
  2. Configure your client not to verify the certificate, or
  3. Configure your client to trust your particular self-signed certificate.

In production, your only choice is (1). While you are developing, you can get away with (2) or (3).

kreo
  • 2
    Actually I was initially using a properly-signed certificate from some SSL provider, but it was not working with this code. Then I found that the problem was with the `rsa_private_keys()` function of `rustls`, as it only works on RSA private keys. Instead I used `pkcs8_private_keys()` from `rustls`, as my key was beginning with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA PRIVATE KEY-----" and, amazingly, that was the real problem that I was facing. Now it works just perfectly with my real SSL certificate and thus HTTPS works perfectly. Many thanks for your help. – kanudo Apr 12 '20 at 16:54
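
The key-format mismatch described in the comment above can be checked before the server starts. The following is an added example, not code from this thread or from rustls: it uses only the standard library to read the PEM labels in a key file and name which of the two loaders mentioned in the comment matches. `KeyKind`, `key_kinds`, `loader_for` and the sample PEM text are hypothetical names and constructed data.

```rust
// Added example: classify the private-key blocks in a PEM file by label so the
// matching loader can be chosen. Std-only; no rustls function is called here.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyKind {
    Pkcs1Rsa,       // "RSA PRIVATE KEY": the label rsa_private_keys() looks for
    Pkcs8,          // "PRIVATE KEY": the label pkcs8_private_keys() looks for
    Sec1Ec,         // "EC PRIVATE KEY": matches neither label above
    EncryptedPkcs8, // "ENCRYPTED PRIVATE KEY": matches neither label above
}

/// Return the kind of every private-key block found, in file order.
/// Certificates and other non-key blocks are skipped.
pub fn key_kinds(pem: &str) -> Vec<KeyKind> {
    pem.lines()
        .filter_map(|line| {
            let label = line.trim().strip_prefix("-----BEGIN ")?.strip_suffix("-----")?;
            match label {
                "RSA PRIVATE KEY" => Some(KeyKind::Pkcs1Rsa),
                "PRIVATE KEY" => Some(KeyKind::Pkcs8),
                "EC PRIVATE KEY" => Some(KeyKind::Sec1Ec),
                "ENCRYPTED PRIVATE KEY" => Some(KeyKind::EncryptedPkcs8),
                _ => None,
            }
        })
        .collect()
}

/// Name the loader from the thread that matches the first key block, if any.
pub fn loader_for(pem: &str) -> Result<&'static str, String> {
    match key_kinds(pem).first() {
        Some(KeyKind::Pkcs1Rsa) => Ok("rsa_private_keys"),
        Some(KeyKind::Pkcs8) => Ok("pkcs8_private_keys"),
        Some(other) => Err(format!("{:?} matches neither loader", other)),
        None => Err("no private key block found".to_string()),
    }
}

// Constructed sample: labels only, the base64 bodies are dummy placeholders.
const SAMPLE: &str = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n\
-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";

fn main() {
    println!("{:?} -> {:?}", key_kinds(SAMPLE), loader_for(SAMPLE));
}
```

Calling the wrong loader on a key file yields an empty key list rather than a parse error, so a check like this turns a confusing handshake failure into an explicit startup message.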