Does Mint/Finch support Mutual TLS

ntilwalli · September 14, 2020, 6:37am

Hi all! I’ve started playing with Mint/Finch for HTTP requests and I love it so far but it seems mutual TLS is not yet supported. I don’t see any option to provide a “certfile”/“keyfile” pair like Hackney. Am I right about that?

voltone · September 14, 2020, 6:53am

The Mint.HTTP.connect/4 function allows any :gen_tcp and :ssl socket options to be passed through the :transport_opts option. The documentation does not describe all of the available options, only those for which Mint changes the semantics in some way.

So using the raw Mint API (and https://badssl.com as the server) you can just call:

iex(1)> {:ok, conn} = Mint.HTTP.connect(:https, "client.badssl.com", 443, transport_opts: [certfile: 'badssl.com-client.pem', password: 'badssl.com'])
{:ok, %Mint.HTTP1{...}}
iex(2)> {:ok, conn, request_ref} = Mint.HTTP.request(conn, "GET", "/", [], nil)
{:ok, %Mint.HTTP1{...}}
iex(3)> flush
{:ssl,
 {:sslsocket, {:gen_tcp, #Port<0.10>, :tls_connection, :undefined},
  [#PID<0.351.0>, #PID<0.350.0>]},
 "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3 (Ubuntu)\r\nDate: Mon, 14 Sep 2020 06:51:55 GMT\r\nContent-Type: text/html\r\nContent-Length: 687\r\nLast-Modified: Tue, 24 Mar 2020 00:15:54 GMT\r\nConnection: keep-alive\r\nETag: \"5e79513a-2af\"\r\nCache-Control: no-store\r\nAccept-Ranges: bytes\r\n\r\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <link rel=\"shortcut icon\" href=\"/icons/favicon-green.ico\"/>\n  <link rel=\"apple-touch-icon\" href=\"/icons/icon-green.png\"/>\n  <title>client.badssl.com</title>\n  <link rel=\"stylesheet\" href=\"/style.css\">\n  <style>body { background: green; }</style>\n</head>\n<body>\n<div id=\"content\">\n  <h1 style=\"font-size: 12vw;\">\n    client.<br>badssl.com\n  </h1>\n</div>\n\n<div id=\"footer\">\n  This site requires a <a href=\"https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake\">client-authenticated</a> TLS handshake.\n</div>\n\n</body>\n</html>\n"}
:ok

(In this example the keyfile option is not necessary, as the key is stored in the same file as the client certificate, but you could of course add the keyfile option if needed)

ntilwalli · September 14, 2020, 4:31pm

Ah, very helpful! I played around it worked great! I noticed that in Finch you would place transport_opts within the conn_opts options. Thanks!

keathley · September 14, 2020, 5:48pm

You should be able to pass whatever options through the Finch functions into Mint. But if we’re missing something, feel free to open an issue or PR.