Passing client TLS info to handler no longer possible?

[gry8t]

I need my app to have access to the tls cert used by the client. The only "possible" way was generated by AI but is no longer valid on newer versions of axum_server as tls backend has switched to rustls or openssl:

// Handler to extract client TLS info
async fn client_tls_info(req: Request<axum::body::Body>) -> String {
    // Extract TLS information from request extensions
    if let Some(tls_connection) = req.extensions().get::<axum_server::tls::TlsConnection>() {
        // Extract client certificate information
        let client_certificates = tls_connection.peer_certificates();
        if let Some(certificates) = client_certificates {
            // Extract some details about the client certificate
            let cert_info: Vec<String> = certificates
                .iter()
                .map(|cert| format!("Subject: {}", cert.subject()))
                .collect();
            return format!("Client certificates: {:?}", cert_info);
        }
    }

    "No client certificates found".to_string()
}

axum_server::tls no longer exists. Is this feature no longer possible?

[lcrownover]

I'd like to also ask about this issue. I'm not sure if it ever worked, but regardless, I cannot seem to find a way to extract the client certs from the request.

I'm working on setting up mutualTLS and I'm using the following client verifier:

        let mut roots = rustls::RootCertStore::empty();
        let _ = roots.add(ca_cert);
        let client_verifier = match WebPkiClientVerifier::builder(Arc::new(roots.clone()))
            .allow_unauthenticated()
            .build()

I'm using allow_unauthenticated() because, If I understand correctly, the client verifier is configured for the entire server, which means I cannot have some endpoints where client certs are not required (such as a registration endpoint). I'd have to set up two different servers?

The solution would be to allow unauthenticated, which means that in my handler, I know that the request either had a valid client cert provided, or NO cert provided. I can write a layer that will reject if the provided certs is None, otherwise allow, and secure all but my registration endpoint with this layer.

If anyone was available to help with this question, I would really appreciate it! ❤️

[gry8t]

Since the issue is still open I guess there is no way to do it with this library. I don't recall what I did so long ago but if I remember correctly I had to take a step back and use Hyper and/or Rustls (or other tls libs) directly (so I didn't use this library).

Good luck!