[PR #7354] enable rocket/mtls feature #32952

Open
opened 2026-06-20 19:39:00 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/7354
Author: @nagisa
Created: 6/20/2026
Status: 🔄 Open

Base: mainHead: rocket-mtls


📝 Commits (1)

  • 649ed31 enable rocket/mtls feature

📊 Changes

2 files changed (+176 additions, -66 deletions)

View changed files

📝 Cargo.lock (+175 -65)
📝 Cargo.toml (+1 -1)

📄 Description

I want mTLS for the communication between my vaultwarden instance and the reverse proxy that's fronting vaultwarden. For various reasons my reverse proxy is hosted on a different machine within the same LAN than vaultwarden and I don't want to put another reverse proxy on the machine with vaultwarden just for this.

Once vaultwarden is built with rocket/mtls enabled, mTLS seems to be working. I used the following steps/commands to verify this works:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=Test-Local-CA" \
  -keyout ca.key -out ca.crt
$ openssl req -nodes -newkey rsa:2048 \
  -subj "/CN=localhost" \
  -keyout server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth") \
  -out server.crt
$ openssl req -nodes -newkey rsa:2048 \
  -subj "/CN=test-client" \
  -keyout client.key -out client.csr
$ openssl x509 -req -days 365 -in client.csr \
  -CA ca.crt -CAkey ca.key \
  -extfile <(printf "extendedKeyUsage=clientAuth") \
  -out client.crt
$ env WEB_VAULT_ENABLED=false \
  ROCKET_TLS='{certs="server.crt", key="server.key", mutual={ca_certs="ca.crt",mandatory=true}}' \
  ./target/debug/vaultwarden
$ curl --cert client.crt --key client.key --cacert ca.crt https://localhost:8000/admin
The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it
$ curl --cacert ca.crt https://localhost:8000/admin
curl: (56) OpenSSL SSL_read: OpenSSL/3.6.2: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
$ curl -k http://localhost:8000/admin
curl: (1) Received HTTP/0.9 when not allowed

The downside here is that rocket seems to be pulling a relatively old version of x509-parser crate, and so there are significant new duplicate crates in the lockfile, including return of the syn 1.0 series. However I'm not sure how fixable this is, given the maintenance status of the rocket framework, so I figured I'll post the PR first and see if this is at all palatable.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/7354 **Author:** [@nagisa](https://github.com/nagisa) **Created:** 6/20/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `rocket-mtls` --- ### 📝 Commits (1) - [`649ed31`](https://github.com/dani-garcia/vaultwarden/commit/649ed31aa78cf0bbe116d13db6c0b514a26c1b35) enable rocket/mtls feature ### 📊 Changes **2 files changed** (+176 additions, -66 deletions) <details> <summary>View changed files</summary> 📝 `Cargo.lock` (+175 -65) 📝 `Cargo.toml` (+1 -1) </details> ### 📄 Description I want mTLS for the communication between my vaultwarden instance and the reverse proxy that's fronting vaultwarden. For various reasons my reverse proxy is hosted on a different machine within the same LAN than vaultwarden and I don't want to put another reverse proxy on the machine with vaultwarden just for this. Once vaultwarden is built with rocket/mtls enabled, mTLS seems to be working. I used the following steps/commands to verify this works: ```bash $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -subj "/CN=Test-Local-CA" \ -keyout ca.key -out ca.crt $ openssl req -nodes -newkey rsa:2048 \ -subj "/CN=localhost" \ -keyout server.key -out server.csr $ openssl x509 -req -days 365 -in server.csr \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth") \ -out server.crt $ openssl req -nodes -newkey rsa:2048 \ -subj "/CN=test-client" \ -keyout client.key -out client.csr $ openssl x509 -req -days 365 -in client.csr \ -CA ca.crt -CAkey ca.key \ -extfile <(printf "extendedKeyUsage=clientAuth") \ -out client.crt $ env WEB_VAULT_ENABLED=false \ ROCKET_TLS='{certs="server.crt", key="server.key", mutual={ca_certs="ca.crt",mandatory=true}}' \ ./target/debug/vaultwarden $ curl --cert client.crt --key client.key --cacert ca.crt https://localhost:8000/admin The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it $ curl --cacert ca.crt https://localhost:8000/admin curl: (56) OpenSSL SSL_read: OpenSSL/3.6.2: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0 $ curl -k http://localhost:8000/admin curl: (1) Received HTTP/0.9 when not allowed ``` The downside here is that `rocket` seems to be pulling a relatively old version of `x509-parser` crate, and so there are significant new duplicate crates in the lockfile, including return of the syn 1.0 series. However I'm not sure how fixable this is, given the maintenance status of the rocket framework, so I figured I'll post the PR first and see if this is at all palatable. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-20 19:39:00 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#32952