
Handling of errSSLPeerAuthCompleted and other non-fatal error codes #205

Open
0xADD1E opened this issue Sep 2, 2021 · 3 comments

Comments


0xADD1E commented Sep 2, 2021

When attempting to do peer authentication with a macOS client, an error gets raised corresponding with errSSLPeerAuthCompleted. This shouldn't actually be raised, should it? (For reference, errSSLPeerAuthCompleted is explicitly described as a non-fatal result, and seems to occur as a normal part of peer authentication)

Owner

sfackler commented Sep 2, 2021

Yeah, you should not be seeing an errSSLPeerAuthCompleted. Could you put together a small self contained example that hits that error?


ragoso commented May 12, 2023

Hi, I'm getting the same "peer cert is valid, or was ignored if verification disabled" error from using reqwest with the "native-tls" feature on a macOS M1.

My implementation loads a PKCS12 as an identity to send in the request.

Investigating, I found this line in the reqwest project that indicates the use of tokio_native_tls.

https://github.com/seanmonstar/reqwest/blob/7e7b116a134cc0d6d646ab316dd83976369d5298/src/connect.rs#LL245C37-L245C53

It seems to be something with this comment on Apple's SecureTransport.h.

  * errSSLPeerAuthCompleted: Peer's cert chain is valid, or was ignored if
  * cert verification was disabled via SSLSetEnableCertVerify. The application
  * may decide to continue with the handshake (by calling SSLHandshake
  * again), or close the connection at this point.

Example

```rust
use std::error::Error;
use std::fs::File;
use std::io::{Read, Write};
use std::net::TcpStream;

use native_tls::{Identity, TlsConnector};

fn main() -> Result<(), Box<dyn Error>> {
    // Load the PKCS#12 bundle holding the client certificate and private key.
    let mut buf = Vec::new();
    File::open("serpro.pfx")?.read_to_end(&mut buf)?;
    let identity = Identity::from_pkcs12(&buf, "1234")?;

    // Server certificate and hostname checks are disabled to reproduce the report;
    // the errSSLPeerAuthCompleted error is still returned from connect() below.
    let connector = TlsConnector::builder()
        .identity(identity)
        .danger_accept_invalid_certs(true)
        .danger_accept_invalid_hostnames(true)
        .build()?;

    let stream = TcpStream::connect("hom1.nfe.fazenda.gov.br:443")?;
    let mut stream = connector.connect("hom1.nfe.fazenda.gov.br", stream)?;
    // https://hom1.nfe.fazenda.gov.br/NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx
    stream.write_all(b"GET /NFeDistribuicaoDFe/NFeDistribuicaoDFe.asmx HTTP/1.0\r\n\r\n")?;
    let mut res = vec![];
    stream.read_to_end(&mut res)?;
    println!("{}", String::from_utf8_lossy(&res));
    Ok(())
}
```

Deps:

reqwest = { version = "0.11.17", features = ["native-tls"] }

@sfackler
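The SecureTransport.h comment quoted above describes errSSLPeerAuthCompleted as a checkpoint, not a failure: the peer chain has just become available, and the application is expected to inspect it and then call SSLHandshake again. The example below is added here to show that distinction in code; it is not code from security-framework, native-tls or reqwest. The handshake is simulated by a scripted sequence of OSStatus values so it runs offline, the `verify_peer` callback is a hypothetical stand-in for the application's trust evaluation of the peer chain, and the numeric status values are taken from Apple's SecureTransport.h (the control flow does not depend on the exact numbers). `drive_handshake_naive` is the mapping that produces the behaviour reported in this issue: every non-zero status, including the non-fatal ones, is turned into an error.

```rust
/// OSStatus values as defined in Apple's SecureTransport.h.
pub const NO_ERR: i32 = 0;
pub const ERR_SSL_WOULD_BLOCK: i32 = -9803;
pub const ERR_SSL_PEER_AUTH_COMPLETED: i32 = -9841;

#[derive(Debug, PartialEq)]
pub enum HandshakeError {
    /// The peer presented a chain and the application's check rejected it.
    PeerRejected,
    /// A genuinely fatal status: the connection should be closed.
    Fatal(i32),
    /// The simulated handshake ran out of scripted statuses.
    Truncated,
}

/// Stand-in for SSLHandshake (constructed for this example): each call
/// returns the next scripted OSStatus instead of doing real I/O.
pub struct ScriptedHandshake {
    steps: Vec<i32>,
    pos: usize,
    pub calls: usize,
}

impl ScriptedHandshake {
    pub fn new(steps: &[i32]) -> Self {
        ScriptedHandshake { steps: steps.to_vec(), pos: 0, calls: 0 }
    }

    pub fn ssl_handshake(&mut self) -> Option<i32> {
        self.calls += 1;
        let status = self.steps.get(self.pos).copied();
        self.pos += 1;
        status
    }
}

/// Correct handling: non-fatal statuses re-enter the handshake, and
/// errSSLPeerAuthCompleted is where the application evaluates the peer
/// chain (`verify_peer` stands in for that SecTrust-style evaluation).
pub fn drive_handshake<F>(hs: &mut ScriptedHandshake, mut verify_peer: F) -> Result<(), HandshakeError>
where
    F: FnMut() -> bool,
{
    loop {
        match hs.ssl_handshake() {
            None => return Err(HandshakeError::Truncated),
            Some(NO_ERR) => return Ok(()),
            // I/O not ready yet: simply call SSLHandshake again.
            Some(ERR_SSL_WOULD_BLOCK) => continue,
            // Peer chain is available: decide, then continue or close.
            Some(ERR_SSL_PEER_AUTH_COMPLETED) => {
                if verify_peer() {
                    continue;
                }
                return Err(HandshakeError::PeerRejected);
            }
            Some(status) => return Err(HandshakeError::Fatal(status)),
        }
    }
}

/// The buggy mapping: errSSLPeerAuthCompleted is treated like any other
/// non-zero status and surfaces as a fatal error, which is what this issue
/// reports seeing during connect().
pub fn drive_handshake_naive(hs: &mut ScriptedHandshake) -> Result<(), HandshakeError> {
    loop {
        match hs.ssl_handshake() {
            None => return Err(HandshakeError::Truncated),
            Some(NO_ERR) => return Ok(()),
            Some(ERR_SSL_WOULD_BLOCK) => continue,
            Some(status) => return Err(HandshakeError::Fatal(status)),
        }
    }
}

fn main() {
    // Constructed script: a blocked read, the peer-auth checkpoint, another
    // blocked read, then completion.
    let script = [ERR_SSL_WOULD_BLOCK, ERR_SSL_PEER_AUTH_COMPLETED, ERR_SSL_WOULD_BLOCK, NO_ERR];

    let mut hs = ScriptedHandshake::new(&script);
    println!("correct driver: {:?}", drive_handshake(&mut hs, || true));

    let mut hs = ScriptedHandshake::new(&script);
    println!("naive driver:   {:?}", drive_handshake_naive(&mut hs));
}
```

The point to check in any wrapper around SecureTransport is which branch a non-zero status lands in: the chain evaluation that should happen at errSSLPeerAuthCompleted is skipped entirely if that status is converted into an error before the application sees it.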


ragoso commented May 18, 2023

Hey guys,

this PR at security-framework solves this problem.
Release 2.9.1
