Reputation: 41
I am working on a Rust networking application, and I download a package from gcloud storage (using an https://... URL). I will eventually need the capabilities CAP_NET_ADMIN and CAP_NET_RAW.
This is my Rust program:
use std::fs::File;
use std::io::{self, Cursor};
use std::path::PathBuf;

use anyhow::Result; // error type behind the `Result<()>` alias (assumed: anyhow)
use tar::Archive;

pub fn download_runner_binary(bin_dir: PathBuf) -> Result<()> {
    let uri = "https://example.com/foo.tar";
    // Blocking HTTPS GET; the TLS handshake (and certificate check) happens here.
    let response = reqwest::blocking::get(uri)?;
    let tar_path = bin_dir.join("foo.tar");
    // Write the whole response body to disk...
    let mut dest = File::create(&tar_path)?;
    io::copy(&mut Cursor::new(response.bytes()?), &mut dest)?;
    // ...then reopen the file from the beginning and extract it in place.
    let dest_f = File::open(&tar_path)?;
    let mut archive = Archive::new(dest_f);
    archive.unpack(bin_dir)?;
    Ok(())
}
It compiles fine, and I can run it just fine. Subsequently I do:
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' ./target/debug/foo
and when I run getcap:
getcap ./target/debug/foo
./target/debug/foo = cap_net_admin,cap_net_raw+eip
At this stage, when I run my program:
(base) ➜ wallet git:(s/permissions) ✗ ./target/debug/foo init
Initializing job runner
Error: NetworkError: `error sending request for url (https://example.com/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)`
Caused by:
0: error sending request for url (https://example.com/foo.tar): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
1: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
2: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
And I can't pull things down from any SSL URL. Once I remove these capabilities with setcap -r ./target/debug/foo, it is all good.
I then wrote a small python script:
#!/usr/bin/env python
import requests

# Same URL as the Rust program; plain GET over HTTPS.
resp = requests.get('https://example.com/foo.tar')
print(resp.text)
Setting the same capabilities on this script and running ./test.py completes with no issues.
Is reqwest doing something weird? Is there some issue with certificates? Is it some issue with my local SSL setup?
Any help would be appreciated.
Upvotes: 4
Views: 358
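An added diagnostic, not part of the question or of any answer, that checks the condition behind this kind of failure. It assumes Linux with glibc and an OpenSSL-backed TLS stack (the error text quoted above is OpenSSL's). When an executable carries file capabilities, the kernel runs it in secure-execution mode and sets AT_SECURE=1 in the process's auxiliary vector. In that mode glibc's secure_getenv() returns NULL for every environment variable, and OpenSSL locates its trust store through secure_getenv(), so SSL_CERT_FILE and SSL_CERT_DIR are silently ignored, whether the shell set them or a probing crate such as openssl-probe set them in-process. Only the compiled-in default certificate paths are consulted, and if the linked OpenSSL was built with a default path that does not exist on the host, every HTTPS connection fails with "unable to get local issuer certificate" exactly as shown. The Python script is not a valid control for this: file capabilities on a script are not applied (the kernel executes the interpreter binary, which has none), so it never runs in secure-execution mode. The program below parses /proc/self/auxv with the standard library only and reports whether the certificate environment overrides will be honoured; the constructed auxv images in build_auxv are test input, not real process data.

```rust
// Added diagnostic (not from the original post): detects secure-execution
// mode (AT_SECURE), which the kernel sets for binaries with file capabilities,
// and reports whether OpenSSL's SSL_CERT_FILE / SSL_CERT_DIR overrides will be
// read. Assumes Linux with glibc.
use std::env;
use std::fs;
use std::io;

/// Auxiliary-vector keys from <elf.h>.
const AT_NULL: usize = 0;
const AT_SECURE: usize = 23;

/// Decodes one native-endian machine word from an auxv chunk.
fn read_word(chunk: &[u8]) -> usize {
    let mut buf = [0u8; std::mem::size_of::<usize>()];
    buf.copy_from_slice(chunk);
    usize::from_ne_bytes(buf)
}

/// Walks a raw auxv image ((key, value) word pairs terminated by AT_NULL).
/// Returns Some(true) if AT_SECURE is non-zero, Some(false) if it is present
/// and zero, and None if the vector ends (or is truncated) before AT_SECURE.
pub fn parse_auxv(raw: &[u8]) -> Option<bool> {
    let word = std::mem::size_of::<usize>();
    let mut chunks = raw.chunks_exact(word);
    loop {
        let key = read_word(chunks.next()?);
        let val = read_word(chunks.next()?);
        match key {
            AT_NULL => return None,
            AT_SECURE => return Some(val != 0),
            _ => {}
        }
    }
}

/// Builds a constructed auxv image from (key, value) pairs and appends the
/// AT_NULL terminator; used only as offline test input.
pub fn build_auxv(entries: &[(usize, usize)]) -> Vec<u8> {
    let mut out = Vec::new();
    let terminator = (AT_NULL, 0usize);
    for &(k, v) in entries.iter().chain(std::iter::once(&terminator)) {
        out.extend_from_slice(&k.to_ne_bytes());
        out.extend_from_slice(&v.to_ne_bytes());
    }
    out
}

/// Reads the live auxiliary vector of this process (Linux only).
pub fn is_secure_exec() -> io::Result<bool> {
    let raw = fs::read("/proc/self/auxv")?;
    Ok(parse_auxv(&raw).unwrap_or(false))
}

#[derive(Debug, PartialEq)]
pub struct CertEnvReport {
    pub secure_exec: bool,
    pub ssl_cert_file: Option<String>,
    pub ssl_cert_dir: Option<String>,
    /// True only when an override is set AND OpenSSL will actually read it.
    pub overrides_honoured: bool,
}

/// Combines the AT_SECURE state with the certificate-location variables that
/// OpenSSL consults. In secure-execution mode secure_getenv() hides them, so
/// they are reported as present but not honoured.
pub fn report_cert_env(secure_exec: bool) -> CertEnvReport {
    let ssl_cert_file = env::var("SSL_CERT_FILE").ok();
    let ssl_cert_dir = env::var("SSL_CERT_DIR").ok();
    let any_set = ssl_cert_file.is_some() || ssl_cert_dir.is_some();
    CertEnvReport {
        secure_exec,
        ssl_cert_file,
        ssl_cert_dir,
        overrides_honoured: any_set && !secure_exec,
    }
}

fn main() -> io::Result<()> {
    let report = report_cert_env(is_secure_exec()?);
    println!("{:#?}", report);
    let any_set = report.ssl_cert_file.is_some() || report.ssl_cert_dir.is_some();
    if report.secure_exec && any_set && !report.overrides_honoured {
        println!("SSL_CERT_FILE/SSL_CERT_DIR are set but ignored: secure-execution mode");
    }
    Ok(())
}
```

Run it once without file capabilities and once after setcap to see AT_SECURE flip. If the report shows secure_exec with the overrides not honoured, the fix is to stop depending on the environment: either load the intended CA bundle explicitly in code (reqwest's ClientBuilder::add_root_certificate with a reqwest::Certificate) or keep the privileged socket work in a separate helper so the HTTPS download runs without file capabilities.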