← Week 3: mTLS and TLS Extensions

Day 21: Challenge Day — mTLS Echo Server in Rust

Phase 1 · June 3, 2026 · Week 3 Review

Agenda (2–3 hours)

  • Review (20 min): Week 3 key concepts from memory
  • Build (120–150 min): Fully functional mTLS server + client

No new reading. This day synthesizes Weeks 1–3 into a working Rust artifact.

Week 3 Concepts Check

Answer from memory:

  1. What message does the server send to request a client certificate in TLS 1.3?
  2. What is inside TLSInnerPlaintext that TLSCiphertext hides?
  3. What is the close_notify alert and why does it prevent truncation attacks?
  4. What privacy problem does SNI have, and what is the IETF's planned fix?
  5. What does OCSP stapling solve compared to traditional OCSP?
  6. Name three cipher suites removed in TLS 1.3 and the attack that targeted each.

Challenge Assignment: mTLS Echo Server

Build two Rust binaries: mtls-server and mtls-client.

Server behavior:

  • Listen on 127.0.0.1:4433
  • Require a client certificate (mTLS)
  • Validate client cert against a local CA
  • Echo any received message back to the client
  • Print the client's certificate subject on connection

Client behavior:

  • Connect to 127.0.0.1:4433
  • Present its own certificate
  • Send a configurable message, print the echoed response
Certificate Setup (from Day 15 script)

# Re-use or re-generate certs from Day 15
./setup_mtls.sh

# Certs needed:
# ca.crt        — trust anchor for both sides
# server.crt/key — server identity
# client.crt/key — client identity
Crates and Starter Structure

[dependencies]
tokio = { version = "1", features = ["full"] }
rustls = "0.23"
tokio-rustls = "0.26"
rustls-pemfile = "2"
x509-parser = "0.16"

// server: TlsAcceptor with client_auth_required
// client: TlsConnector with client cert loaded
// Use tokio::io::{AsyncReadExt, AsyncWriteExt} for the echo loop
Stretch Goals

  • Handle multiple concurrent connections with tokio::spawn
  • Print the full client certificate chain (not just subject)
  • Reject connections where client cert ExtendedKeyUsage lacks clientAuth
  • Add graceful shutdown on SIGINT
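The third stretch goal, checking that the client certificate's ExtendedKeyUsage actually lists clientAuth, is shown below as an added example that is not part of the course's starter code: a std-only Rust function that parses the raw DER value of the extKeyUsage extension (RFC 5280 section 4.2.1.12) and returns whether id-kp-clientAuth is present. It assumes the caller has already pulled the extension's value bytes out of the peer certificate after the handshake (for instance via x509-parser); a parse failure is returned as an error rather than treated as "allowed".

```rust
// Added example (not the course's code): a dependency-free version of the
// stretch-goal check "reject client certs whose ExtendedKeyUsage lacks clientAuth".
// Input is the raw DER value of the extKeyUsage extension (RFC 5280 4.2.1.12):
// SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER). Obtaining those bytes from the
// peer certificate after the handshake is the caller's job (assumed here).

const ID_KP_CLIENT_AUTH: &str = "1.3.6.1.5.5.7.3.2";

/// Read one DER TLV header at `pos`; returns (tag, value_start, value_end).
/// Short-form and one-byte long-form lengths cover any realistic EKU list.
fn tlv(buf: &[u8], pos: usize) -> Result<(u8, usize, usize), &'static str> {
    let tag = *buf.get(pos).ok_or("truncated tag")?;
    let len_byte = *buf.get(pos + 1).ok_or("truncated length")?;
    let (len, start) = match len_byte {
        0..=0x7f => (usize::from(len_byte), pos + 2),
        0x81 => (usize::from(*buf.get(pos + 2).ok_or("truncated length")?), pos + 3),
        _ => return Err("unsupported DER length encoding"),
    };
    let end = start.checked_add(len).ok_or("length overflow")?;
    if end > buf.len() { return Err("value runs past end of buffer"); }
    Ok((tag, start, end))
}

/// Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation.
fn oid_to_string(body: &[u8]) -> Result<String, &'static str> {
    let (mut arcs, mut acc, mut pending) = (Vec::<u64>::new(), 0u64, false);
    for &b in body {
        acc = acc.checked_mul(128).ok_or("arc too large")? | u64::from(b & 0x7f);
        pending = b & 0x80 != 0;
        if !pending { arcs.push(acc); acc = 0; }
    }
    if pending || arcs.is_empty() { return Err("malformed OID"); }
    // The first byte packs the first two arcs as X*40 + Y.
    let (x, y) = if arcs[0] < 80 { (arcs[0] / 40, arcs[0] % 40) } else { (2, arcs[0] - 80) };
    let mut out = format!("{x}.{y}");
    arcs[1..].iter().for_each(|a| out.push_str(&format!(".{a}")));
    Ok(out)
}

/// Ok(true) only if the EKU value lists id-kp-clientAuth. Malformed DER is an
/// Err, so the server can fail closed instead of treating garbage as "allowed".
pub fn eku_permits_client_auth(ext_value: &[u8]) -> Result<bool, &'static str> {
    let (tag, start, end) = tlv(ext_value, 0)?;
    if tag != 0x30 { return Err("EKU value is not a SEQUENCE"); }
    if end != ext_value.len() { return Err("trailing bytes after SEQUENCE"); }
    let (mut pos, mut found) = (start, false);
    while pos < end {
        let (t, s, e) = tlv(ext_value, pos)?;
        if t != 0x06 { return Err("KeyPurposeId is not an OID"); }
        found |= oid_to_string(&ext_value[s..e])? == ID_KP_CLIENT_AUTH;
        pos = e;
    }
    Ok(found)
}
```

A certificate with no EKU extension at all never reaches this function; whether to accept such a certificate is a separate policy decision for the server.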
Resources

  • rustls ServerConfig::builder_with_provider docs
  • rustls ClientConfig with with_client_auth_cert
  • tokio-rustls TlsAcceptor / TlsConnector
  • x509-parser for extracting client cert subject after handshake