Comments (3)
Sorry, I don't have time to go read through the Teleport documentation in detail. What do you want/need to send in the ALPN protocols to enable the Teleport use case? I'd be happy to enable this use case but would still like the configuration process to be as misuse-resistant as possible.
from hyper-rustls.
I don't think I'll continue working on this project, so I'm just gonna close this issue and open a new one if it becomes relevant again.
I do however think that my initial goal may have been misguided, as I wanted hyper-rustls to handle the ALPN, when it may be more appropriate to do that with just rustls and then wrap the stream with hyper-rustls when necessary.
Sorry to bump an old, closed thread, but I started working on exactly this a while back and recently have time to pick it back up, and ran into the same issue. Not sure if this is a hyper-rustls problem to support, but figured it was worth asking. Essentially the proxy server is expecting a specific ALPN to route to the auth server behind it. This was the code I wrote to get it working:
```rust
// Imports added for completeness; the calls below are the rustls 0.21 / hyper 0.14 era API.
use std::sync::Arc;

use hyper::Uri;
use tokio_rustls::rustls::{ClientConfig, RootCertStore};
use tokio_rustls::TlsConnector;
use tower::ServiceBuilder;

async fn connect() -> Result<(), Box<dyn std::error::Error>> {
    // load_ca / load_user_cert / load_private_key are the poster's own helpers, not shown here
    let ca = load_ca()?;
    let user_cert = load_user_cert()?;
    let user_key = load_private_key()?;

    // Trust only the cluster CA, and present the user certificate for mTLS
    let mut roots = RootCertStore::empty();
    roots.add_parsable_certificates(&ca);
    let mut tls = ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(roots)
        .with_client_auth_cert(vec![user_cert], user_key)?;

    // The proxy routes on a cluster-specific ALPN value built from the hex-encoded cluster name
    let encoded_cluster = hex::encode("teleport.carsonanderson.net");
    // Order here matters
    tls.alpn_protocols
        .push(format!("teleport-auth@{}.teleport.cluster.local", encoded_cluster).into());
    tls.alpn_protocols.push("h2".into());

    let stream = tokio::net::TcpStream::connect("teleport.carsonanderson.net:443").await?;
    let connector = TlsConnector::from(Arc::new(tls));
    // being presented the auth server cert which is teleport.cluster.local
    let domain = tokio_rustls::rustls::ServerName::try_from("teleport.cluster.local")?;
    let stream = connector.connect(domain, stream).await?;

    // Drive an HTTP/2 connection over the TLS stream; the connection task runs in the background
    let (sender, conn) = hyper::client::conn::Builder::new()
        .http2_only(true)
        .handshake(stream)
        .await?;
    tokio::spawn(async {
        if let Err(err) = conn.await {
            eprintln!("error servicing connection: {err}");
        }
    });

    // Wrap the sender in a tower service and hand it to the tonic-generated gRPC client
    let svc = ServiceBuilder::new().buffer(256).service(sender);
    let mut client = teleport::auth::auth_service_client::AuthServiceClient::with_origin(
        svc,
        Uri::from_static("https://teleport.carsonanderson.net"),
    );
    let users = client
        .get_users(tonic::Request::new(teleport::auth::GetUsersRequest {
            with_secrets: false,
        }))
        .await?;
    let mut users = users.into_inner();
    while let Some(user) = users.message().await? {
        println!("{}", user.metadata.unwrap().name);
    }
    Ok(())
}
```
The teleport specific ALPN and `h2` are both required and ordering there matters. Removal of the `h2` header results in an error `Error: Custom { kind: InvalidData, error: AlertReceived(NoApplicationProtocol) }`.
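The comment above says the two ALPN values are both required and that their order matters, and shows the `NoApplicationProtocol` alert you get when the server finds no overlap. The following is an added example, not code from the thread or from hyper-rustls, that models that behaviour with only the standard library so it runs without a network: it builds the Teleport-style identifier (`teleport-auth@<hex(cluster)>.teleport.cluster.local`, with a small hex encoder standing in for the `hex` crate), simulates a server that takes the first client-offered protocol it supports (an assumption about the selection strategy, chosen because it explains why client order matters), and performs the post-handshake check a client should make: refuse to proceed unless the protocol the server actually selected is the one the application requires. The cluster name `example.test` is constructed for the example.

```rust
// Added example (not from the thread): ALPN list construction, a modelled server
// selection, and a fail-closed check of the negotiated protocol. std only.

/// Lower-case hex encoding of a byte string (stand-in for `hex::encode`).
fn hex_encode(bytes: &[u8]) -> String {
    const DIGITS: &[u8; 16] = b"0123456789abcdef";
    let mut out = String::with_capacity(bytes.len() * 2);
    for &b in bytes {
        out.push(DIGITS[(b >> 4) as usize] as char);
        out.push(DIGITS[(b & 0x0f) as usize] as char);
    }
    out
}

/// ALPN identifier for the auth service behind the proxy, in the format the comment uses:
/// `teleport-auth@<hex(cluster)>.teleport.cluster.local`.
fn teleport_auth_alpn(cluster: &str) -> Vec<u8> {
    format!("teleport-auth@{}.teleport.cluster.local", hex_encode(cluster.as_bytes())).into_bytes()
}

/// The client's offered list in preference order: routing identifier first, then `h2`.
fn client_alpn_list(cluster: &str) -> Vec<Vec<u8>> {
    vec![teleport_auth_alpn(cluster), b"h2".to_vec()]
}

/// What the client observes after the handshake.
#[derive(Debug, PartialEq)]
enum Alpn {
    Selected(Vec<u8>),
    /// No overlap at all: rustls surfaces this as `AlertReceived(NoApplicationProtocol)`.
    NoApplicationProtocol,
}

/// Modelled server: walks the client's list in the client's order and takes the first
/// protocol it supports. Assumption for illustration; it is one common strategy and
/// is enough to show why the order of `alpn_protocols` matters.
fn server_select(client_offered: &[Vec<u8>], server_supported: &[&[u8]]) -> Alpn {
    client_offered
        .iter()
        .find(|p| server_supported.iter().any(|s| *s == p.as_slice()))
        .map(|p| Alpn::Selected(p.clone()))
        .unwrap_or(Alpn::NoApplicationProtocol)
}

/// Fail-closed check: the application must not send requests unless the server picked
/// exactly the protocol it needs (in rustls this is what `conn.alpn_protocol()` reports).
fn require_negotiated(result: &Alpn, expected: &[u8]) -> Result<(), String> {
    match result {
        Alpn::Selected(p) if p.as_slice() == expected => Ok(()),
        Alpn::Selected(p) => Err(format!(
            "server selected {:?}, expected {:?}",
            String::from_utf8_lossy(p),
            String::from_utf8_lossy(expected)
        )),
        Alpn::NoApplicationProtocol => Err("no_application_protocol alert: no ALPN overlap".into()),
    }
}

fn main() {
    let cluster = "example.test"; // constructed cluster name
    let routing_id = teleport_auth_alpn(cluster);
    let offered = client_alpn_list(cluster);
    // Constructed proxy capabilities: plain HTTP/2 and HTTP/1.1 plus the routing identifier.
    let proxy_supports: &[&[u8]] = &[b"h2", b"http/1.1", &routing_id];

    // Correct order: routing identifier wins, the check passes.
    let picked = server_select(&offered, proxy_supports);
    println!("offered in correct order -> {:?}", require_negotiated(&picked, &routing_id));

    // Reversed order: the proxy takes h2 and the request would go to the wrong backend.
    let reversed: Vec<Vec<u8>> = offered.iter().rev().cloned().collect();
    let picked = server_select(&reversed, proxy_supports);
    println!("offered in reversed order -> {:?}", require_negotiated(&picked, &routing_id));

    // No overlap: the NoApplicationProtocol case from the comment.
    let only_h1: &[&[u8]] = &[b"http/1.1"];
    println!("no overlap -> {:?}", server_select(&offered, only_h1));
}
```

The point of `require_negotiated` is that a successful TLS handshake is not by itself evidence that the proxy routed the connection where you intended; checking the negotiated protocol before sending any gRPC request turns a silent misroute into an explicit error.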