using ssl client certificates

[stephanbuys]

Hi, is it possible to use certificate based client authentication with reqwest?

[seanmonstar]

It should be!

What makes sense for an API? Should a Client only have 1 certificate, and if you need to connect to different hosts with different certs, should you make new clients? Or should you be able to configure a certificate per host, or even per request?

[stephanbuys]

@seanmonstar I think 'per Client' makes more intuitive sense for me, the other options are nifty, but unless there's a real penalty (mem, etc wise )I would recommend per-Client.

[seanmonstar]

Sure, there is some wasted memory, but it's minuscule really. Instead, I'm thinking of whether it is too annoying if one needs a new client all the time.

I know, for instance, that you need a different client certificate for each request you make to Apple Push Notifications, so someone using that may wish to be able to assign a certificate for a specific request.

cc @jwilm

[stephanbuys]

Ok sure, never used Apple Push, an elegant API for client certs in the actual request would actually be awesome, its usually an ugly mess. With SSL everywhere these days, and SSL authentication catching on with a lot of really popular services (Apple Push, Docker, Vault, etc, etc), perhaps it makes sense to cater for both, or just as a part of each request. At least for reqwest it would be awesome if the api is as elegant as possible.

[seanmonstar]

I could see adding Client::cert and RequestBuilder::cert. And I assume that if a certificate was specified on the request, it trumps what was set on the client.

[rohitjoshi]

Any update?

[ChrisMacNaughton]

Has any progress been made on this since discussion stalled in January?

[nicklan]

Also curious about any update on this. I'm interested on migrating to reqwest instead of doing all the work to update to hyper 0.11, but lack of this feature blocks me.

If there's a settled upon API (client_cert on Client and Request with Request taking precedence maybe) I maybe could find time to try and add this.

[seanmonstar]

Any progress would be listed in the issue (so, none).

Maybe starting conservatively, it should be on the ClientBuilder first?

[nicklan]

Hrmm, seems native-tls is going to change client cert handling soon: sfackler/rust-native-tls#27

Unclear if it's worth doing anything until that updates. Having only pkcs#12 is pretty annoying, so it would be nice to support a better interface.