From d2814b5c3374f8b99a81dbb9fa3614c875cfc5e6 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sun, 12 Apr 2020 19:00:30 +0200
Subject: TLS works \o/

So, the issues were:
- webpki does not support IP addresses as DNS names in URLs, so I hacked the HttpsConnector to always provide a fixed string as the DNS name for server certificate validation
- the certificate requied a SAN section which was complicated to build but eventually the solution is there in genkeys.sh
---
 src/rpc_client.rs | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'src/rpc_client.rs')

diff --git a/src/rpc_client.rs b/src/rpc_client.rs
index 247f114e..255eb958 100644
--- a/src/rpc_client.rs
+++ b/src/rpc_client.rs
@@ -8,7 +8,6 @@ use futures::stream::StreamExt;
 use futures_util::future::FutureExt;
 use hyper::client::{Client, HttpConnector};
 use hyper::{Body, Method, Request, StatusCode};
-use hyper_rustls::HttpsConnector;
 
 use crate::data::*;
 use crate::error::Error;
@@ -93,7 +92,7 @@ pub async fn rpc_call(
 
 pub enum RpcClient {
 HTTP(Client),
-HTTPS(Client, hyper::Body>),
+HTTPS(Client, hyper::Body>),
 }
 
 impl RpcClient {
@@ -109,12 +108,11 @@ impl RpcClient {
 config.root_store.add(crt)?;
 }
 
-config.set_single_client_cert([&ca_certs[..], &node_certs[..]].concat(), node_key)?;
+config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?;
+// config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier));
 
-let mut http_connector = HttpConnector::new();
-http_connector.enforce_http(false);
 let connector =
-HttpsConnector::::from((http_connector, Arc::new(config)));
+tls_util::HttpsConnectorFixedDnsname::::new(config, "garage");
 
 Ok(RpcClient::HTTPS(Client::builder().build(connector)))
 } else {
@@ -161,3 +159,4 @@ impl RpcClient {
 }
 }
 }
+
--
cgit v1.2.3
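Review bot: The added line `// config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier));` in the third hunk (the `set_single_client_cert` block) should be deleted rather than committed, because a commented-out call that disables server certificate verification is a one-keystroke toggle that tends to get re-enabled under debugging pressure and then forgotten. On the `tls_util::HttpsConnectorFixedDnsname::::new(config, "garage")` line, validating every peer against the same fixed name means the TLS layer authenticates "a certificate issued by the trusted CA with that SAN" rather than the specific node being dialed; that appears to be the intent per the commit message, but it should be stated next to the call, e.g. `// Every node's certificate carries the same SAN, so this verifies CA issuance, not the peer address.`, and the literal should become a named constant such as `const RPC_TLS_SERVER_NAME: &str = "garage";` so it is not duplicated against the certificate generation script. The swap to `[&node_certs[..], &ca_certs[..]]` (leaf first, then the issuing chain) is the correct order and deserves a short comment so a later reader does not "fix" it back. The enclosing function starts and ends outside the hunk.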