I have a web server built using `hyper` and `tokio-rustls`. When using the self-signed certificate, I have confirmed that the https request is successfully processed by a web browser such as Chrome.
However, when I try to make a `hyper` client for the test and try to make a request, the following error is output.

```
hyper::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: UnknownIssuer") } })', tests/server.rs:80:42
```
Even when I check with curl request for self signed certificate, I am getting 200 response.
Don't clients using `hyper-rustls` accept self-signed certificates? Or is there a reason the browser and test client show different results?
Is there a separate option not to check the server's certificate on the client (insecure)?
I used `hyper_rustls` to make https requests.

```rust
let url = ("https://localhost:5582").parse().unwrap();
let https = hyper_rustls::HttpsConnectorBuilder::new()
    .with_native_roots()
    .https_only()
    .enable_http1()
    .build();
let client: Client<_, hyper::Body> = Client::builder().build(https);
let response = client.get(url).await.unwrap();
```
All environments should reject the self-signed certificate until explicitly instructed to accept it. For example, with `curl` you can use `-k` or `--insecure` to tell curl not to validate the certificate. Likewise, your browser displayed a scary "certificate error" page that you bypassed, instructing the browser to accept the certificate.
If an environment doesn't reject such certificates by default, it is susceptible to man-in-the-middle attacks, which would be a security vulnerability.
You can disable certificate verification by adding an invocation of `.with_tls_config()` when building your `hyper_rustls` connector. You need to access the dangerous part of the `ClientConfig` and set the certificate verifier to one that performs no checks at all.
Alternatively, you can install the certificate as a trusted host certificate in your system's certificate store, which is probably both simpler and safer.
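
What trusting this one certificate keeps that disabling verification gives up, shown with the `openssl` CLI as an added example (not part of the original answer). The certificate, the temporary paths and the host name `other.test` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: certificate, paths and host names below are constructed.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed certificate for "localhost" (valid 1 day).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1
}

# Verify with no extra trust anchor: the view of a client that only knows
# public roots. Expected to fail (rustls reports this as UnknownIssuer).
verify_default() {
    openssl verify -no-CAfile -no-CApath "$CERT" >/dev/null 2>&1
}

# Verify with the certificate itself as the trust anchor, while still
# checking that it was issued for the host name given in $1.
verify_pinned() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_cert
verify_default           && echo "default roots:      accepted" || echo "default roots:      rejected"
verify_pinned localhost  && echo "pinned, localhost:  accepted" || echo "pinned, localhost:  rejected"
verify_pinned other.test && echo "pinned, other.test: accepted" || echo "pinned, other.test: rejected"
```

With the certificate pinned, a mismatched host name is still rejected; a verifier that performs no checks would accept all three cases. The same idea in the test client is a `ClientConfig` whose root store holds only this certificate, passed to `.with_tls_config()`.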