Support for EC keys #1642
Comments
Which version of rustls is needed? Can you check if the 0.21.0-alpha has that? If so, we're probably going to release that branch next week.
Current rustls 0.20 supports it, so I think our alphas should be good.
rustls has supported EC since 0.20.3: https://github.com/rustls/rustls/blob/5bda754ac18f37eb39132f89fb5522494b6202eb/rustls/src/sign.rs#L288 The 0.21.0-alpha uses rustls 0.20.0, which does not support EC yet.
Actually rustls did support such keys, just not the particular encoding used. So you could still make it work by re-encoding the key in (I believe) PKCS #8.
The problem is that it must happen automatically, because the keys do change if I get a new key from Let's Encrypt, which happens often.
I'm pretty sure Let's Encrypt generally does not generate keys for you (though I guess some of the client libraries might?), so key generation should be fully under your control. Are you using a Rust client library?
@Lukas1818, can you see if
ping @Lukas1818, did this resolve the issue for you?
Hi, sorry, I don't have much time at the moment; I will check this out next week.
Hi, I was finally able to test this.
listen_addrs_ipv4 = ["0.0.0.0"]
tls_cert = { path = "/home/lukas/test/****.de.key", endpoint_name = "****.de" }
But I get this error:
I have also tried to use the I have used the
I am a bit confused why I cannot use Rustls for PKCS12, because I had thought that Rustls does support it now:
If rustls supports pkcs12, this is probably just a gap in support in trust-dns. We just need to add it to the logic for reading keys.
This is where we read the key: So if you specify pkcs12, we will bail directly. It looks like, based on the code in the linked issue you showed, that maybe there's a simpler way to construct these keys directly from the DER formats? (PEM might be a different story.)
I tested this again with version 0.22.0 and noticed that my certificate is a SEC1 key.
So I think the problem is that trust-dns mistakes it for a PKCS12 key and aborts.
Based on my experience with crab-hole, EC keys work fine with the hickory libs, and it is an artificial limitation of the hickory binary.
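An added example (not trust-dns/hickory or rustls code) of the key-format check the last few comments describe: looking at the PEM label before deciding to bail, so a SEC1 "EC PRIVATE KEY" as written by caddy is told apart from PKCS#8, PKCS#1 and an unarmored DER/PKCS#12 blob. `KeyFormat`, `classify_key`, `pem_labels` and the sample PEM are assumed or constructed.

```rust
// Added example, not trust-dns/hickory or rustls code. Sniffs the private-key
// file a DoT server is configured with so that a SEC1 "EC PRIVATE KEY" (what
// caddy stores) is recognised instead of being treated as PKCS#12 and rejected.
// `KeyFormat`, `classify_key` and `pem_labels` are assumed names.
#[derive(Debug, PartialEq, Clone)]
pub enum KeyFormat {
    Sec1Ec,    // "EC PRIVATE KEY": SEC1 DER in PEM, accepted by rustls since 0.20.3
    Pkcs8,     // "PRIVATE KEY": PKCS#8 DER in PEM, accepted by rustls
    Pkcs1Rsa,  // "RSA PRIVATE KEY": PKCS#1 DER in PEM, accepted by rustls
    BinaryDer, // no PEM armor: a raw DER key or a PKCS#12 bundle; needs ASN.1 parsing
    Unsupported(String), // e.g. "ENCRYPTED PRIVATE KEY", which rustls cannot decrypt
}

/// All PEM labels in `text`, in file order. OpenSSL writes an "EC PARAMETERS"
/// block ahead of a SEC1 key, so a reader must not stop at the first block.
pub fn pem_labels(text: &str) -> Vec<String> {
    text.lines()
        .filter_map(|l| l.trim().strip_prefix("-----BEGIN ")?.strip_suffix("-----"))
        .map(str::to_string)
        .collect()
}

pub fn classify_key(data: &[u8]) -> KeyFormat {
    let text = match std::str::from_utf8(data) {
        Ok(t) if t.contains("-----BEGIN ") => t,
        // Not PEM: DER keys and PKCS#12 (PFX) both start with an ASN.1 SEQUENCE (0x30),
        // so the container type can only be decided by actually parsing the ASN.1.
        _ => return KeyFormat::BinaryDer,
    };
    let labels = pem_labels(text);
    match labels.iter().find(|l| l.ends_with("PRIVATE KEY")).map(String::as_str) {
        Some("EC PRIVATE KEY") => KeyFormat::Sec1Ec,
        Some("PRIVATE KEY") => KeyFormat::Pkcs8,
        Some("RSA PRIVATE KEY") => KeyFormat::Pkcs1Rsa,
        Some(other) => KeyFormat::Unsupported(other.to_string()),
        None => KeyFormat::Unsupported(format!("no private key block, found: {labels:?}")),
    }
}

fn main() {
    // Constructed sample: the shape OpenSSL/caddy produce for a P-256 key (body truncated).
    let sec1 = b"-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n\
                 -----BEGIN EC PRIVATE KEY-----\nMHcCAQEE...\n-----END EC PRIVATE KEY-----\n";
    println!("{:?}", classify_key(sec1)); // Sec1Ec
}
```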
Is your feature request related to a problem? Please describe.
The caddy webserver saves Let's Encrypt certificates as EC keys. Because of the missing support for these keys in trust-dns, I sadly cannot use the certificate for DoT.
Describe the solution you'd like
The current rustls version does support these certificates; see rustls/rustls#998
So updating the rustls dependency should be enough to solve this issue.