-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot access peer certificates with example's TlsStream #198
Comments
I will add some info on what I tried. One of the things I tried is exposing the state object in the hopes that inside impl Accept for TlsAcceptor {
// type Conn = TlsStream;
type Conn = tokio_rustls::server::TlsStream<AddrStream>;
type Error = io::Error;
fn poll_accept(
self: Pin<&mut Self>,
cx: &mut Context<'_>,
) -> Poll<Option<Result<Self::Conn, Self::Error>>> {
let pin = self.get_mut();
match ready!(Pin::new(&mut pin.incoming).poll_accept(cx)) {
Some(Ok(sock)) => {
let mut accept = tokio_rustls::TlsAcceptor::from(pin.config.clone()).accept(sock);
match ready!(Pin::new(&mut accept).poll(cx)) {
Ok(stream) => Poll::Ready(Some(Ok(stream))),
Err(e) => Poll::Ready(Some(Err(e))),
}
// Poll::Ready(Some(Ok(TlsStream::new(sock, pin.config.clone()))))
}
Some(Err(e)) => Poll::Ready(Some(Err(e))),
None => Poll::Ready(None),
}
}
} Which reads like it would work, and after changing my |
I've been struggling with this too. Now that the If someone can describe how to make the connection available for the request, I'd be happy to put together a PR for the above. Note: @moshec2's |
By the way, from what I understood, to make this work you need to save the accept future you get from the acceptor on the struct and keep polling it, in my code it polls it once and that's it reaches a weird invalid state. I did not finish implementing this though since I moved to using |
@djc That is necessary, but not sufficient. I had that exact change in my local setup, but as @moshec2 describes, attempting to access that in the let service = make_service_fn(move |conn: &TlsStream| {
let peer_cert = match conn.get_ref() {
// This branch is never called, because `.get_ref()` always returns `None`
Some((_, session)) => session
.peer_certificates()
.and_then(|certs| certs.first())
.cloned(),
None => None,
}; You can't carry the As @moshec2 points out, there appears to be additional work needed for this acceptor implementation to have a usable |
Unfortunately with hyper's traits it's pretty hard to set this up in a clean way. If someone wants to copy over a bunch of tls-listener code into hyper-rustls I'm open to reviewing it, but I won't have time to work on this myself. |
In the example's TlsStream, you cannot access the peer certificates from tokio_rustls's TlsStream in
make_service_fn
, even if you try to expose the state property, it's basically always Handshaking. Is there some way to change the example so you could wait until the handshaking is over so you can access this?The text was updated successfully, but these errors were encountered: