rustls InvalidCertificateEncoding

README.md

This is a set of files that can be used to reproduce an issue I'm facing with rustls.

This is the current setup:

• A self signed root CA
• A wildcard certificate issued by this CA. One of the SAN is *.suse (yeah this is bad from a security POV)

I've a simple program that uses reqwest to perform a GET request against a HTTPS server that uses this certificate. The server FQDN is registry01.suse. When reqwest uses openssl it works, but when rustls is being used I get the InvalidCertificateEncoding error.

Creating rustls::Certificate objects from both the certificates works fine. Using rustls::client::WebPkiVerifier to verify the certificate works too.

I really don't know how to figure out where the error is originating.

The certificates are created using these scripts: https://github.com/Martin-Weiss/registry/tree/main/registry

ca.crt

-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIUc2oNswlxZydj9X6gvZcRyCMdjVAwDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzEN
MAsGA1UECgwEU1VTRTEYMBYGA1UEAwwPcmVnaXN0cnkwMS5zdXNlMB4XDTIyMTEy
MjE2NTYyNFoXDTMyMDkzMDE2NTYyNFowUzELMAkGA1UEBhMCREUxGzAZBgNVBAgM
EkJhZGVuLVd1ZXJ0dGVtYmVyZzENMAsGA1UECgwEU1VTRTEYMBYGA1UEAwwPcmVn
aXN0cnkwMS5zdXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbrj
uhJ0H0btJ234MBdAHz0+77ySsgYZAKcLz0jZwBk+U7Q/Ylbo1ni+E/0cKUFyO+PD
z2ZROif5TZhAXIEFssho33gszyzLInUX10zh4YYgW8nMjF/x5JFave6RMHOTkQtl
Oa1rVv5Wcmy0IjH90mqvDIphxrZSUNaFe5tH+VOtFvd6+QlbJuWuZGwjdAS5zVDi
4g9ycTAnPff2u7ae8UvEsKiDoISVJh7qQnqdSPf8HnosqTAcbEmzsTiZbbp9A+Kc
oFG1YarVcUhQ1oNcxBntaoR3W9PZsM9DmiVz+NTWSQ4r92jGUXj4Eoo6OyZG6hC2
5rCXds0t9sQ/lxS3vQIDAQABo1MwUTAdBgNVHQ4EFgQUFZoZJ9vQmWR/HKbT6dGq
u+KaFVswHwYDVR0jBBgwFoAUFZoZJ9vQmWR/HKbT6dGqu+KaFVswDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEApNOXeSw3Z/WvzExX21m1uvqx05lP
1rDTtvKk2VAkKjY58WvLM7GnVsxPaemdymD6HycTnuUj1FaK9R3bPj/GtvQM6JW9
zZwj6ZMDMVlcJHeCLXnsmjQasleq7qYj9SsERJKtyUe5xePgiKbgMKCKX6irLKyL
8GXxNKLKYqR3eYdoiTOqr8EDwzAKoCnW2FICbfqWNFAgDrZMPn1RT4alKVJzu/3T
o91nnuKsu+GWTKEbukdjRDQiaJEAcgknb2LJJNpjl4vfFmWLaWdOXeSiAd9sZwjD
xfGK2EloV9TmxNEVq4cWV2VcWTajcxQ9k6OQelBGN6EcW8QuvbzRZc0cOQ==
-----END CERTIFICATE-----

domain.crt

-----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIUHqLj3JghVWrHA+HxsF0LE32MREEwDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzEN
MAsGA1UECgwEU1VTRTEYMBYGA1UEAwwPcmVnaXN0cnkwMS5zdXNlMB4XDTIyMTEy
MjE3MDA1MloXDTMyMTExOTE3MDA1MlowSjELMAkGA1UEBhMCREUxGzAZBgNVBAgM
EkJhZGVuLVd1ZXJ0dGVtYmVyZzENMAsGA1UECgwEU1VTRTEPMA0GA1UEAwwGKi5z
dXNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1kq5i0eyFWHpEUGk
/LRpZaxz4VhiIggIGis1TE33UqdPIbFuaTzMkW44BhRqsO2TNJA95OyvC2QbnPWM
Tap9nJI9OKZ8K6IK/ngIml3loZTGBGZPXHg5Y/7RQOLG4V58LgCYqHE+bCRJmub3
os5720zL/2F7zfJfJrrANSr6ixjM7gBlczOJj28BGGYHJW1X1k6Y6ohfCLke51pD
NdZblS2sD6UKjF2neMoP/+ITmdjVKq1F1vkGRNUiMfqvuQil/Wtf7AkesbRgp/M0
CWcchLudF8ZiXOtCzdg3+g4KD7xbD9Nt1qDWZnsMUOHs6ZcFxS3dUjRpMfWZ6QmH
VBBa4wIDAQABo1QwUjATBgNVHSUEDDAKBggrBgEFBQcDATA7BgNVHREENDAyggYq
LnN1c2WCCiouY2FwLnN1c2WCDioudWFhLmNhcC5zdXNlggxhcGkuY2FwLnN1c2Uw
DQYJKoZIhvcNAQELBQADggEBAIEI+zFH9a0D5Vt/EdOyQ5xu7ek/4n50udjJdoH5
R38XIK6HAjXokx9D9qOZlIJziW5yOLIbxNx0+qXLLMGMY13FVR675EXO98rWeirv
UFoH1TDbG7mNSQ+9JDkJKA/WUmJgWilnA2ad9EPo2gfsYfcEjiRRbVDBbWWJDH3c
QY93fzSXjel2T4vKz6OGjuSmhNjVnKj6iFKr/R9ym+XJdRrPfsI6U+CmMfXIW/Nf
e7ieuaNk0sDr7QphLwZfCMUXFl+l4MI07ahtIhtZXYIMUx5vfSwVTB+1GGdaLF3E
Phg8G1HteN+a4AFakEDDPnVy78zQndhr1/5nQhPkHZ5IIHk=
-----END CERTIFICATE-----

domain.key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1kq5i0eyFWHpEUGk/LRpZaxz4VhiIggIGis1TE33UqdPIbFu
aTzMkW44BhRqsO2TNJA95OyvC2QbnPWMTap9nJI9OKZ8K6IK/ngIml3loZTGBGZP
XHg5Y/7RQOLG4V58LgCYqHE+bCRJmub3os5720zL/2F7zfJfJrrANSr6ixjM7gBl
czOJj28BGGYHJW1X1k6Y6ohfCLke51pDNdZblS2sD6UKjF2neMoP/+ITmdjVKq1F
1vkGRNUiMfqvuQil/Wtf7AkesbRgp/M0CWcchLudF8ZiXOtCzdg3+g4KD7xbD9Nt
1qDWZnsMUOHs6ZcFxS3dUjRpMfWZ6QmHVBBa4wIDAQABAoIBAGoWkmb2tp5JW7Y0
VnbY5jj0uGW+eM66RTCXZYqCKsgbllxq1+t3sxrogwnXf75Zz3+9TTcRSdOM2vLI
yY4FsqwZ5f8uxNhhH6o9SJ0LkUx+N84jzHRN/LOZioTiAG3Adh/cIbd6YNnu2RW7
9KsAKGc4TOIAo+cgb6Tf3Zo0zdagJ4d5knzYCvaHF7bPYKhyrIS7Equ7P3UNfh9p
0VO1DkG6gmdmtjya151EreryoP4Fmtu+N4Lcss5wy7+I/86uF7tu8CE12ifI/7g1
RRsOlVwut7gYL1Xbz9wctA8EgVZUdQ4DAvhiRG1eQ11f4lXQRs/+jyP65AwKCb89
YMXVNdkCgYEA8XtUWCU5Zvp6dPjM4sC+yxTFQ/aw06+Snnz3x5qTcstwaUMekJyb
K0eCi0bFsqqg6XdQy1BAYG2HOWGg10hBpJU/BKnSvgYTD4nmKsZ1jUF8nj3ZSj7y
d2F/hAS+BUq9+1u44UhBtoyUAzygVAdLMK0/8uNrB7xyOofBMfx0cZcCgYEA4yzp
0T2TsHPQz3W2QvAbuE6gLc1wzbYC7k3epXHJfHTNZT+it+2OxUFtrqerRaMIejhN
zPqgthoPKBVYdD6UiTnaIKH6EcE3ewlq/bkshztzKrLy7fuPqrPuNuZK/V6mh0L8
+fesXyhhsSELXp/jB2BFub7ZWbQVF4VlNjCTcpUCgYEAq+d97ZniOTrKfga35BwO
Noe8vlsZGjj8iTKxOTkDCk9k4KpVUeEKXU700a06A6yQDGNR8spYaczO3LxxQZBA
mqdcSzeRvJCadQ9X+M9602nxCr1AuCgDd5TCr/qoQyAoCo4LGOTVUtzUaVF5WRgw
IKDUy1W11bYDI0OM9safJlUCgYB+TdlN2VOElk+xGHwWKVLwHN7XuFIQPTLR9X9l
MqdYR8Rul3vLkQuAxkjKAzSpSeSLt0QiQ/IYbNKicYO1VZnV1dFdtVDIkEldYbYX
jN2h7j6wrb986xFMUi+OXGmzBu3FZEwsWjR+z3/JMFsW6AQcdL0vcVl8ky/q3OKR
x14jJQKBgC5yVIBwjKJLhnMmrZzyUMQOabmdPj0eTkyCHAUsCtg9SVMTJbYQtbPV
6ZYoEn+c7XwQ5T2QUbNskT1yxR6ta3mY2aE0qHdKhDBucqYa4WakopIsUn6W6Wc+
EJWRpZ1LZCs+CTE7GZgs7orbL4LkFImytMjofR4OqnCNDabsOPlR
-----END RSA PRIVATE KEY-----

https-server.py

#!/usr/bin/python
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'Hello, world!\n')


httpd = HTTPServer(('0.0.0.0', 8443), SimpleHTTPRequestHandler)

httpd.socket = ssl.wrap_socket (httpd.socket,
        keyfile="./domain.key",
        certfile='./domain.crt',
        server_side=True)

httpd.serve_forever()