
Illegal SNI hostname when using self-signed certificate #1032

Closed
sify21 opened this issue Sep 9, 2020 · 5 comments


sify21 commented Sep 9, 2020

I have a server developed with actix-web using a self-signed certificate. When using reqwest to query the API, the server responds with:

[2020-09-09T10:02:49Z WARN  rustls::msgs::handshake] Illegal SNI hostname received [49, 50, 55, 46, 48, 46, 48, 46, 49]
[2020-09-09T10:02:49Z WARN  rustls::session] Sending fatal alert DecodeError

I have no trouble using curl -k ... or Postman. I don't know how to configure reqwest to make it behave like curl -k.

What I have tried

  • call danger_accept_invalid_certs(true) on ClientBuilder
  • enable the native-tls feature and call danger_accept_invalid_hostnames(true) on ClientBuilder
  • use add_root_certificate(cert) to add the server's certificate
  • enable the rustls-tls feature, use rustls and disable SNI like this:

        // Disable SNI in the rustls client config and hand it to reqwest.
        let mut client_config = rustls::ClientConfig::default();
        client_config.enable_sni = false;
        let client = Client::builder()
            .use_rustls_tls()
            .use_preconfigured_tls(client_config)
            .danger_accept_invalid_certs(true)
            .build()
            .unwrap();

    This time the server didn't report any error; the client reports:

        reqwest::Error {
            kind: Request,
            url: "https://127.0.0.1:8442/test",
            source: hyper::Error(
                Connect,
                Custom {
                    kind: Other,
                    error: "invalid dnsname",
                },
            ),
        }

sify21 changed the title from "Illegal SNI hostname when using reqwest" to "Illegal SNI hostname when using self-signed certificate" Sep 9, 2020


sify21 commented Sep 10, 2020

Oh, I found that rustls/hyper-rustls#56 is related,
so even if I can skip SNI with the rustls client config, I can't make requests to a plain IP address.


sify21 commented Sep 10, 2020

I changed to native-tls with no luck:

let cert = reqwest::Certificate::from_pem(include_bytes!("cert.pem")).unwrap();
let tls_cert = native_tls::Certificate::from_pem(include_bytes!("cert.pem")).unwrap();
// SNI off (connecting to a bare IP) and the self-signed cert added as a trust root.
let tls = native_tls::TlsConnector::builder()
    .use_sni(false)
    .add_root_certificate(tls_cert)
    .build()
    .unwrap();
let client = Client::builder()
    .use_preconfigured_tls(tls)
    .add_root_certificate(cert)
    .build()
    .unwrap();

It fails with

reqwest::Error {
    kind: Request,
    url: "https://127.0.0.1:8442/test",
    source: hyper::Error(
        Connect,
        Error {
            code: -67843,
            message: "The certificate was not trusted.",
        },
    ),
}

Is it a problem with the certificate I generated? I used these two commands:

openssl genpkey -algorithm RSA -out key.pem -outform PEM  -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -nodes -key key.pem -keyform PEM  -days 120 -out cert.pem -outform PEM

I also tried the method on this blog to generate the cert.


sify21 commented Sep 10, 2020

Ok, I found a working version:

// SNI off and certificate validation disabled entirely.
let tls = native_tls::TlsConnector::builder()
    .use_sni(false)
    .danger_accept_invalid_certs(true)
    .build()
    .unwrap();
let client = Client::builder()
    .use_preconfigured_tls(tls)
    .build()
    .unwrap();

@shirshak55

@sify21 This is not a solution because you are using .danger_accept_invalid_certs(true). The goal is not to bypass security but to accept the certificate which we have generated.


sify21 commented Mar 2, 2022

@shirshak55 I agree with you. It would be great to accept the self-signed certificate; I didn't find a way though.
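The two openssl commands quoted earlier in the thread produce a CN-only certificate with no subjectAltName, and a hostname or IP verifier needs an iPAddress SAN matching the address the client dials. The following shell example is added here and is not code from the thread or the reqwest project: it generates a self-signed certificate with an IP SAN, builds the thread's SAN-less variant for comparison, and checks both with openssl alone, so the certificate can be ruled in or out as the cause before anyone reaches for danger_accept_invalid_certs. It assumes OpenSSL 1.1.1 or newer (for -addext and x509 -ext); whether a given TLS stack then validates a bare IP is a separate question (the rustls path in this thread could not, per hyper-rustls#56).

```shell
#!/bin/sh
# Added example, not code from the issue thread. The thread's two openssl
# commands produce a CN-only certificate with no subjectAltName; a hostname
# or IP verifier needs an iPAddress SAN matching the address the client dials.
# Assumes OpenSSL 1.1.1 or newer (for -addext and x509 -ext).
set -eu

# make_ip_cert DIR IP: write DIR/key.pem and DIR/cert.pem, cert carrying an IP SAN.
make_ip_cert() {
    dir=$1; ip=$2
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -out "$dir/key.pem" -outform PEM \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    # -subj skips the interactive prompt; -addext injects the SAN extension.
    openssl req -x509 -new -nodes -key "$dir/key.pem" -keyform PEM -days 120 \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
        -out "$dir/cert.pem" -outform PEM 2>/dev/null
}

# make_cn_only_cert DIR IP: the thread's recipe (CN only, no SAN), for
# comparison. Reuses DIR/key.pem from make_ip_cert; writes DIR/nosan.pem.
make_cn_only_cert() {
    openssl req -x509 -new -nodes -key "$1/key.pem" -keyform PEM -days 120 \
        -subj "/CN=$2" -out "$1/nosan.pem" -outform PEM 2>/dev/null
}

# cert_has_ip_san CERT IP: succeed only if the SAN extension lists IP.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -qF "IP Address:$2"
}

# cert_self_verifies CERT: succeed if CERT validates with itself as the only
# trust anchor, i.e. what a client with this cert as its added root would see.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Run make_ip_cert with a directory and the IP the server will be reached at, then point the client's add_root_certificate at the resulting cert.pem; if cert_has_ip_san fails on the certificate you actually deployed, the verifier has nothing to match the dialled address against.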
