
PUT a file with rustls seems broken

Open snaggen opened this issue 2 years ago • 5 comments

I have an https server using actix-web and rustls on the receiving side where I can upload files using a PUT request. That is tested using multiple clients like curl and others. It seems to work just fine. The URL is a regular https://host:port/ URL, so there is nothing special there. I have double-checked that it is using "https://" (and this is further validated by the fact that it works with native-tls).

I then have a client application using reqwest to upload a file to the said server, and I initially just used the default features and everything worked fine. I then disabled the default features and enabled rustls:

    reqwest = { version = "0.11.13", features = ["rustls-tls", "stream"], default-features=false }

And suddenly things fail, getting TLS errors on the receiving side like:

    2023-03-16T12:57:59.710+01:00 ERROR actix-rt|system:0|arbiter:0/140378614589184 [rustls::conn+1327] TLS alert received: AlertMessagePayload {
        level: Fatal,
        description: BadCertificate,
    }

The client side error is send failed because receiver is gone, so the server just kills the connection due to the error above.

If I just revert Cargo.toml back to reqwest = { version = "0.11.13", features = ["stream"] } things work again.

The code in question is

                let client = reqwest::Client::new();
                let body = Body::wrap_stream(rx);
                let mut request = client.put(dest_url).body(body);
                if let Some(user) = username {
                    request = request.basic_auth(user, password);
                }
                let res = request.send().await?;

My issue is resolved by reverting back to native tls (even though I would prefer rustls), but I thought this might be something you would like to look at.

snaggen, Mar 17 '23 08:03

Looks like it's a certificate issue. You could look at the other feature, rustls-tls-native-roots, which will look for the certificates on your machine like native-tls does.

seanmonstar, Mar 17 '23 10:03

But I'm not using any client certificate.

snaggen, Mar 17 '23 20:03

Sorry, I meant it will load certificate chains. It uses those to determine what Certificate Authorities to trust, which signed the certificate your server uses.

seanmonstar, Mar 17 '23 20:03
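
The feature choice discussed above, laid out as an added Cargo.toml example; it is not from any participant in this thread or from the reqwest project. The comments describe the root-store behaviour of reqwest 0.11's TLS features from general knowledge of the crate, and the `rustls-tls-manual-roots` option is not mentioned in the thread.

```toml
[dependencies]
# Setup from the issue: rustls with the root CA set compiled into the binary
# from the webpki-roots crate (in reqwest 0.11, "rustls-tls" selects this).
# The operating system's trust store is never read, so a CA that is trusted
# only because it was installed on the machine is unknown to the client, and
# the handshake is rejected with a certificate alert.
# reqwest = { version = "0.11.13", default-features = false, features = ["rustls-tls", "stream"] }

# Alternative suggested in the thread: rustls, with trusted roots loaded from
# the operating system's certificate store, as native-tls does.
reqwest = { version = "0.11.13", default-features = false, features = ["rustls-tls-native-roots", "stream"] }

# Third option (not raised in the thread): rustls with no built-in roots.
# Every trusted CA must then be added in code through
# reqwest::ClientBuilder::add_root_certificate, which keeps the trust set
# explicit for a server that uses a private or self-signed CA.
# reqwest = { version = "0.11.13", default-features = false, features = ["rustls-tls-manual-roots", "stream"] }
```

Only one of the three lines can be active at a time, since a dependency key may appear once per table.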

Are you configuring the server to use a self-signed certificate? That might explain what's going on.

djc, Mar 06 '24 14:03

I realize I had forgotten about this issue. Thanks for the feedback, I will have another go and investigate the certificate chains.

snaggen, Mar 07 '24 23:03

Not able to reproduce exactly, but it looks like it was the native roots that got me. Closing.

snaggen, Mar 25 '24 14:03