Hi all! I’ve started playing with Mint/Finch for HTTP requests and I love it so far but it seems mutual TLS is not yet supported. I don’t see any option to provide a “certfile”/“keyfile” pair like Hackney. Am I right about that?
1 Like
The Mint.HTTP.connect/4 function allows any :gen_tcp and :ssl socket options to be passed through the :transport_opts option. The documentation does not describe all of the available options, only those for which Mint changes the semantics in some way.
So using the raw Mint API (and https://badssl.com as the server) you can just call:
iex(1)> {:ok, conn} = Mint.HTTP.connect(:https, "client.badssl.com", 443, transport_opts: [certfile: 'badssl.com-client.pem', password: 'badssl.com'])
{:ok, %Mint.HTTP1{...}}
iex(2)> {:ok, conn, request_ref} = Mint.HTTP.request(conn, "GET", "/", [], nil)
{:ok, %Mint.HTTP1{...}}
iex(3)> flush
{:ssl,
{:sslsocket, {:gen_tcp, #Port<0.10>, :tls_connection, :undefined},
[#PID<0.351.0>, #PID<0.350.0>]},
"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3 (Ubuntu)\r\nDate: Mon, 14 Sep 2020 06:51:55 GMT\r\nContent-Type: text/html\r\nContent-Length: 687\r\nLast-Modified: Tue, 24 Mar 2020 00:15:54 GMT\r\nConnection: keep-alive\r\nETag: \"5e79513a-2af\"\r\nCache-Control: no-store\r\nAccept-Ranges: bytes\r\n\r\n<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <link rel=\"shortcut icon\" href=\"/icons/favicon-green.ico\"/>\n <link rel=\"apple-touch-icon\" href=\"/icons/icon-green.png\"/>\n <title>client.badssl.com</title>\n <link rel=\"stylesheet\" href=\"/style.css\">\n <style>body { background: green; }</style>\n</head>\n<body>\n<div id=\"content\">\n <h1 style=\"font-size: 12vw;\">\n client.<br>badssl.com\n </h1>\n</div>\n\n<div id=\"footer\">\n This site requires a <a href=\"https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake\">client-authenticated</a> TLS handshake.\n</div>\n\n</body>\n</html>\n"}
:ok
(In this example the keyfile option is not necessary, as the key is stored in the same file as the client certificate, but you could of course add the keyfile option if needed)
8 Likes
Ah, very helpful! I played around it worked great! I noticed that in Finch you would place transport_opts within the conn_opts options. Thanks!
You should be able to pass whatever options through the Finch functions into Mint. But if we’re missing something, feel free to open an issue or PR.
1 Like
Hey! I just wanted to pop in to thank you this! Not only for a solution but the badssl.com reference. I can’t say for sure how much time this saved future me in an alternate timeline but I’ve never had to implement mTLS and it turned out to be pretty painless in Req as well.
Over 5 years later and you’re still saving people time.
1 Like
