diff --git a/rama-tls/src/boring/client/connector_data.rs b/rama-tls/src/boring/client/connector_data.rs
index d68a7bc8..86b2aa32 100644
--- a/rama-tls/src/boring/client/connector_data.rs
+++ b/rama-tls/src/boring/client/connector_data.rs
@@ -113,9 +113,21 @@ impl ConnectConfigurationInput {
 cfg_builder
 .set_private_key(auth.private_key.as_ref())
 .context("build (boring) ssl connector: set private key")?;
- for cert in &auth.cert_chain {
+ if auth.cert_chain.is_empty() {
+ return Err(OpaqueError::from_display(
+ "build (boring) ssl connector: cert chain is empty",
+ ));
+ }
+ cfg_builder
+ .set_certificate(
+ auth.cert_chain
+ .first()
+ .context("build (boring) ssl connector: get primary client cert")?,
+ )
+ .context("build (boring) ssl connector: add primary client cert")?;
+ for cert in &auth.cert_chain[1..] {
 cfg_builder
- .add_client_ca(cert)
+ .add_extra_chain_cert(cert.clone())
 .context("build (boring) ssl connector: set client cert")?;
 }
 }
diff --git a/rama-tls/src/boring/server/service.rs b/rama-tls/src/boring/server/service.rs
index fdb5e16d..c1dee262 100644
--- a/rama-tls/src/boring/server/service.rs
+++ b/rama-tls/src/boring/server/service.rs
@@ -152,7 +152,7 @@ where
 trace!("tls boring server service: set alpn protos callback");
 acceptor_builder.set_alpn_select_callback(
 move |_: &mut SslRef, client_alpns: &[u8]| {
- let mut reader = std::io::Cursor::new(&client_alpns[..]);
+ let mut reader = std::io::Cursor::new(client_alpns);
 loop {
 let n = reader.position() as usize;
 match ApplicationProtocol::decode_wire_format(&mut reader) {
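Review bot: In the connector_data.rs hunk, the first entry of `auth.cert_chain` is installed as the leaf via `set_certificate`, but nothing confirms it pairs with the key given to `set_private_key` just above. A chain supplied intermediate-first, or a mismatched key, would likely surface only later as a handshake failure. Assuming `cfg_builder` exposes boring's `check_private_key`, add `cfg_builder.check_private_key().context("build (boring) ssl connector: private key does not match primary client cert")?;` right after the `set_certificate` call. The `.first().context(...)` can never fail after the `is_empty()` guard, and the loop's context string still reads `set client cert` although it now adds extra chain certificates; `add extra chain cert` would keep errors traceable. The enclosing function starts and ends outside the hunk.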