Rust mTLS Server Example

A high-performance HTTPS server with mutual TLS authentication using Rust, Axum, and Rustls.

Features

  • ✅ Mutual TLS authentication with Rustls
  • ✅ Client certificate verification
  • ✅ RESTful API with Axum framework
  • ✅ Async/await with Tokio runtime
  • ✅ Zero-copy TLS implementation
  • ✅ Production-ready performance

Prerequisites

  • Rust 1.70+ (install from https://rustup.rs/)
  • Certificates generated by the mtls CLI tool

Setup

# Build the project
cargo build --release

# Or just run (will build automatically)
cargo run --release

Running the Server

# Development mode
cargo run

# Release mode (optimized)
cargo run --release

# Or run the binary directly
./target/release/mtls-rust-server

The server will start on https://localhost:8443.

Endpoints

  • GET / - Main endpoint with client certificate info
  • GET /health - Health check endpoint
  • GET /api/data - Sample data endpoint
  • POST /api/echo - Echo back the request body

Dependencies

  • tokio: Async runtime
  • axum: Web framework
  • axum-server: TLS server with Rustls support
  • rustls: Modern TLS library
  • serde: Serialization framework
  • chrono: Date/time handling

Architecture

The server uses:

  • Axum for routing and handlers
  • Rustls for TLS (no OpenSSL dependency)
  • Tokio for async I/O
  • WebPkiClientVerifier for client certificate validation

Certificate Loading

use std::sync::Arc;

use rustls::server::WebPkiClientVerifier;
use rustls::ServerConfig;

// Load the server certificate chain and private key from PEM files
let certs = load_certs(&server_cert)?;
let key = load_private_key(&server_key)?;

// Configure client verification: `root_store` is an Arc<RootCertStore> holding
// the mTLS CA, and only client certificates that chain to it are accepted
let client_verifier = WebPkiClientVerifier::builder(root_store)
    .build()?;

// Create the TLS config: require a verified client certificate on every
// handshake, then present our own chain and key
let server_config = ServerConfig::builder()
    .with_client_cert_verifier(client_verifier)
    .with_single_cert(certs, key)?;

Testing

Test with curl:

curl --cert ../../certs/servers/localhost/server-cert.pem \
     --key ../../certs/servers/localhost/server-key.pem \
     --cacert ../../certs/ca/ca-cert.pem \
     https://localhost:8443/

Or use the Rust client:

cd ../rust-client
cargo run --release

Performance

Rustls is a modern TLS implementation with:

  • Memory safety (no buffer overflows)
  • Zero-copy I/O where possible
  • Async/await support
  • Smaller attack surface than OpenSSL

Typical benchmarks show comparable or better performance than OpenSSL.

Production Deployment

For production:

  1. Use --release flag for optimizations
  2. Configure proper logging (add tracing crate)
  3. Add error handling middleware
  4. Set up graceful shutdown
  5. Use environment variables for configuration
  6. Consider adding rate limiting

Troubleshooting

Certificate parsing error:

  • Ensure certificates are in PEM format: a DER file renamed to .pem is the usual cause (it starts with a 0x30 byte instead of the text -----BEGIN); convert it with openssl x509 -inform der -in cert.der -out cert.pem
  • Check certificate paths are correct
  • Ensure the key file uses one of the labels rustls accepts: PRIVATE KEY (PKCS#8), RSA PRIVATE KEY (PKCS#1) or EC PRIVATE KEY (SEC1)
  • Verify certificates are not expired (openssl x509 -noout -dates -in cert.pem prints the validity window)
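The following is an added example, not code from this project: a std-only PEM loader shaped like the load_certs/load_private_key calls in the Certificate Loading section, except that it takes file bytes and returns raw DER (which rustls would then wrap as CertificateDer / PrivateKeyDer) and reports which of the failures listed above actually occurred: raw DER instead of PEM, a block without its END line, mismatched labels, bad base64, or a bundle with no private key. The base64 decoder, the error enum and the SAMPLE_PEM bundle are all constructed for the example; the payloads in the bundle are arbitrary bytes, not a real certificate or key.

```rust
// Added example (not the project's code): diagnose why a PEM file fails to load.

#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String, // e.g. "CERTIFICATE" or "PRIVATE KEY"
    pub der: Vec<u8>,  // decoded payload; rustls wraps this as CertificateDer / PrivateKeyDer
}

#[derive(Debug, PartialEq)]
pub enum PemError {
    NotPem, // no -----BEGIN line, or raw DER (0x30 tag + long-form length) renamed to .pem
    UnterminatedBlock(String),
    EndWithoutBegin(String),
    MismatchedEnd { begin: String, end: String },
    InvalidBase64(String),
    NoPrivateKey,
}

fn b64_val(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Minimal standard base64 decoder so the example runs without external crates.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits, mut pad) = (Vec::new(), 0u32, 0u32, 0u32);
    for &c in s.as_bytes() {
        if c == b'=' { pad += 1; continue; }
        if pad > 0 { return None; } // data after padding is malformed
        acc = (acc << 6) | b64_val(c)?;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8); // exactly the top 8 bits of what is buffered
            acc &= (1 << bits) - 1;        // keep only the still-undecoded low bits
        }
    }
    if pad > 2 { None } else { Some(out) }
}

pub fn parse_pem(data: &[u8]) -> Result<Vec<PemBlock>, PemError> {
    // Raw DER: SEQUENCE tag followed by a long-form length byte, the shape of every certificate
    if data.first() == Some(&0x30) && data.get(1).map_or(false, |b| *b >= 0x80) {
        return Err(PemError::NotPem);
    }
    let text = String::from_utf8_lossy(data);
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None; // (label, base64 collected so far)
    for line in text.lines() {
        let line = line.trim(); // drops CRLF and stray indentation
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            current = Some((rest.trim_end_matches('-').to_string(), String::new()));
        } else if let Some(rest) = line.strip_prefix("-----END ") {
            let end = rest.trim_end_matches('-').to_string();
            let (begin, b64) = current.take().ok_or_else(|| PemError::EndWithoutBegin(end.clone()))?;
            if begin != end {
                return Err(PemError::MismatchedEnd { begin, end });
            }
            let der = base64_decode(&b64).ok_or_else(|| PemError::InvalidBase64(begin.clone()))?;
            blocks.push(PemBlock { label: begin, der });
        } else if let Some((_, b64)) = current.as_mut() {
            b64.push_str(line);
        } // text outside BEGIN/END (comments, `openssl x509 -text` dumps) is ignored
    }
    if let Some((label, _)) = current {
        return Err(PemError::UnterminatedBlock(label));
    }
    if blocks.is_empty() { return Err(PemError::NotPem); }
    Ok(blocks)
}

/// DER of every CERTIFICATE block in file order (leaf first, then intermediates).
pub fn load_certs(pem: &[u8]) -> Result<Vec<Vec<u8>>, PemError> {
    Ok(parse_pem(pem)?.into_iter().filter(|b| b.label == "CERTIFICATE").map(|b| b.der).collect())
}

/// First private key block with its label; these three labels are the ones rustls accepts.
pub fn load_private_key(pem: &[u8]) -> Result<(String, Vec<u8>), PemError> {
    parse_pem(pem)?
        .into_iter()
        .find(|b| matches!(b.label.as_str(), "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY"))
        .map(|b| (b.label, b.der))
        .ok_or(PemError::NoPrivateKey)
}

/// Constructed bundle: the payloads are arbitrary bytes, not a real certificate or key.
pub const SAMPLE_PEM: &str = "\
-----BEGIN CERTIFICATE-----
MIIBAgIBAQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AAEC
-----END PRIVATE KEY-----
";

fn main() {
    match load_certs(SAMPLE_PEM.as_bytes()) {
        Ok(certs) => println!("{} certificate(s): {:?} bytes each", certs.len(), certs.iter().map(Vec::len).collect::<Vec<_>>()),
        Err(e) => eprintln!("certificate parsing error: {:?}", e),
    }
    println!("DER renamed to .pem -> {:?}", parse_pem(&[0x30, 0x82, 0x01, 0x02]));
}
```

The value of the enum is the error message: the project's generic "certificate parsing error" becomes NotPem, UnterminatedBlock or InvalidBase64, each pointing at one of the checks in the list above.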

Client verification failed:

  • Ensure the client certificate is signed by the CA in the server's root store; WebPkiClientVerifier only accepts chains that end at one of those roots
  • Check the CA certificate is loaded correctly into the RootCertStore passed to WebPkiClientVerifier::builder
  • Verify the certificate chain is valid and that the client certificate is allowed for client authentication: a certificate whose extended key usage is limited to serverAuth is rejected even though the same CA issued it

Port already in use:

  • Change port in main.rs: SocketAddr::from(([127, 0, 0, 1], 8444))
  • Or stop other services using port 8443