Description
Dear All,
I'm trying to implement a toy application that exposes a REST API over HTTPS using the OpenSSL backend.
The application requires but accepts any client certificate (SslVerifyMode::PEER flag), uses an "always-true" verify_callback in order to continue the TLS negotiation, and finally calls the service in order to perform some check.
Using the same CA for the server and the client (cURL), all works well: cURL performs the GET, TLS works fine, and cURL receives a pretty hello message with certificate details. Using different CAs (and certificates) on server and client, cURL receives a connection reset when HTTP/2 is used, whereas all works fine with HTTP/1.1.
I pushed the test application here:
https://github.com/comio/openssl_test
(I'm just starting to learn rust and actix-web, be patient!)
Expected Behavior
The client shouldn't receive a reset from the server when different CAs are used and HTTP/2 is used.
Current Behavior
The client receives a connection reset.
Steps to Reproduce (for bugs)
- git clone https://github.com/comio/openssl_test
- cd openssl_test
- cargo build
- Start the server: cargo run -- --bind=0:8443 --tls --cert=test/server.crt --key=test/server.key --ca=test/ca.crt
On another console:
- cd openssl_test/test
- Test with same CA: ./get_status_ssl_same_ca.sh https://server:8443 TOKEN -v -v --http1.1 => OK
- Test with same CA: ./get_status_ssl_same_ca.sh https://server:8443 TOKEN -v -v --http2 => OK
- Test with different CA: ./get_status_ssl.sh https://server:8443 TOKEN -v -v --http1.1 => OK
- Test with different CA: ./get_status_ssl.sh https://server:8443 TOKEN -v -v --http2 => FAIL
Environment
- Rust Version: rustc 1.85.1 (4eb161250 2025-03-15) (gentoo)
- Actix Web Version: v4.10
- rust openssl Version: v0.10
- system OpenSSL Version: v3.4.1
- curl Version: v8.13.0