mTLS peer-cert extraction; injects chain as a per-request extension.
FOOTGUN: axum-server 0.7 does not expose peer certificates publicly.
The MtlsAcceptor wrapper reads them post-handshake from the rustls
TlsStream and injects them via a per-connection tower::Service. Don’t
remove it without a replacement - the chain is otherwise unreachable.
Structs§
- MtlsAcceptor
- PeerCertService
- PeerCertificates - Empty when no client cert was presented.
Functions§
- cn_matches_path_machine_id - 403 if leaf CN doesn’t match {id}; no-op when extension is absent or empty.
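
A std-only model of the check that cn_matches_path_machine_id is described as performing, added here as an illustration and not the crate's own code. The function names, the u16 status, the minimal DER walk (a stand-in for a real X.509 parser), rejecting an unparsable leaf, and the constructed unsigned sample certificate are all assumptions. It shows that the issuer's CN must not satisfy the match, and that an absent or empty chain passes through, so client-cert presence has to be enforced separately on routes that require it.

```rust
/// Hypothetical model of the extension: DER certs, leaf first; empty = none presented.
pub struct PeerCertificates(pub Vec<Vec<u8>>);
const OID_CN: &[u8] = &[0x55, 0x04, 0x03]; // id-at-commonName (2.5.4.3)

/// Read one DER TLV and return (tag, value, rest); None on truncated input.
fn tlv(b: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, &l0) = (b.first()?, b.get(1)?);
    let (len, hdr) = if l0 < 0x80 {
        (l0 as usize, 2)
    } else {
        let n = (l0 & 0x7f) as usize;
        if n == 0 || n > 4 { return None; }
        (b.get(2..2 + n)?.iter().fold(0usize, |a, &x| (a << 8) | x as usize), 2 + n)
    };
    let end = hdr.checked_add(len)?;
    Some((tag, b.get(hdr..end)?, &b[end..]))
}

/// First commonName in the certificate's *subject* (the issuer's CN is skipped).
pub fn subject_cn(cert: &[u8]) -> Option<String> {
    let (_, mut tbs, _) = tlv(tlv(cert)?.1)?; // Certificate -> TBSCertificate
    if tbs.first() == Some(&0xA0) { tbs = tlv(tbs)?.2; } // optional [0] version
    for _ in 0..4 { tbs = tlv(tbs)?.2; } // serial, signature alg, issuer, validity
    let mut rdns = tlv(tbs)?.1; // subject Name: SEQUENCE OF SET OF SEQUENCE
    while let Some((_, set, rest)) = tlv(rdns) {
        let (_, oid, value) = tlv(tlv(set)?.1)?; // attribute: OID, then value TLV
        if oid == OID_CN { return String::from_utf8(tlv(value)?.1.to_vec()).ok(); }
        rdns = rest;
    }
    None
}

/// Err(403) on mismatch or unparsable leaf (assumption); Ok when no chain is available.
pub fn check_cn(ext: Option<&PeerCertificates>, id: &str) -> Result<(), u16> {
    let Some(leaf) = ext.and_then(|p| p.0.first()) else { return Ok(()) };
    if subject_cn(leaf).as_deref() == Some(id) { Ok(()) } else { Err(403) }
}

/// Constructed, unsigned certificate skeleton used only as sample input.
pub fn sample_cert(cn: &str) -> Vec<u8> {
    fn der(tag: u8, body: &[u8]) -> Vec<u8> { let mut v = vec![tag, body.len() as u8]; v.extend_from_slice(body); v }
    let name = |s: &str| der(0x30, &der(0x31, &der(0x30, &[der(0x06, OID_CN), der(0x0C, s.as_bytes())].concat())));
    let tbs = [der(0x02, &[1]), der(0x30, &[]), name("Constructed CA"), der(0x30, &[]), name(cn)].concat();
    der(0x30, &der(0x30, &tbs))
}

fn main() {
    let ext = PeerCertificates(vec![sample_cert("machine-42")]);
    println!("{:?} {:?}", check_cn(Some(&ext), "machine-42"), check_cn(Some(&ext), "machine-7"));
}
```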