HIGH man in the middleaxummutual tls

Man In The Middle in Axum with Mutual Tls

Scan for man in the middle in axum

Man In The Middle in Axum with Mutual Tls — how this specific combination creates or exposes the vulnerability

A Man In The Middle (MitM) attack against an Axum service using Mutual TLS (mTLS) can occur when certificate validation is incomplete or when the application does not enforce server-side verification of client certificates. Even when both parties present certificates, an attacker positioned on the network can attempt to intercept traffic if the server does not properly validate the client cert chain, hostname, or revocation status. Axum’s HTTPS layer relies on the underlying hyper::client::connect::HttpsConnector (or tower::https::HttpsConnector) and the rustls configuration provided by the application. If the server’s TLS acceptor is configured with a permissive client authentication mode (e.g., RequestClientCert) instead of RequireClientCert, or if it skips hostname verification, an attacker can present a valid but stolen CA-signed certificate and relay requests while viewing or altering traffic.

In practice, a misconfigured mTLS setup in Axum may expose endpoints to classic TLS downgrade or certificate substitution if the server does not enforce strong cipher suites or disable insecure protocol versions. Since Axum does not perform additional application-layer identity checks beyond the TLS layer, the server must ensure that the client certificate contains the expected Extended Key Usage or a specific subject field. Without these checks, an attacker who obtains a client certificate (for example, via insecure storage or a compromised CA) can position themselves between the client and the Axum server, forwarding requests and responses while remaining undetected if logging and certificate transparency checks are not implemented.

Another subtle vector involves the use of HTTP/2 or HTTP/1.1 with keep-alive connections where the server reuses a verified TLS session without re-verifying client identity on subsequent requests. If the mTLS configuration does not bind certificate metadata to the application session, an attacker might hijack an existing authorized connection. This is especially relevant when Axum services are deployed behind load balancers or reverse proxies that terminate TLS and forward unencrypted traffic internally; if the internal segment does not enforce mTLS, the effective security boundary is reduced.

To detect such risks using tools like middleBrick, you can scan your unauthenticated attack surface to observe whether the server requests but does not strictly require client certificates, and whether the TLS configuration exposes weak parameters. middleBrick runs 12 security checks in parallel, including Authentication and SSL/TLS Configuration, to surface findings such as missing client cert enforcement and certificate validation gaps, along with prioritized remediation guidance mapped to frameworks like OWASP API Top 10 and PCI-DSS.

Mutual Tls-Specific Remediation in Axum — concrete code fixes

Remediation centers on enforcing strict client certificate validation, tightening TLS parameters, and binding certificate identity to the application session. In Axum, this is typically done by configuring rustls on the server side and ensuring the client also validates the server certificate chain and hostname. Below are concrete, working examples that demonstrate a hardened mTLS setup.

Server-side: Require and verify client certificates

The server must be configured with a root CA that signs client certificates and must require valid client certificates. Use rustls::ServerConfig with client_auth_mandatory set to true and provide a verifier that checks the certificate chain against your trusted CA.

use axum::Server;
use rustls::{Certificate, PrivateKey, ServerConfig};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
use std::net::SocketAddr;
use std::sync::Arc;

async fn make_server_config() -> Arc {
    // Load server cert and key
    let cert_chain = vec![CertificateDer::from(include_bytes("server.crt").to_vec())];
    let private_key = PrivateKeyDer::from(include_bytes("server.key").to_vec());

    // Load trusted client CA for verifying client certificates
    let client_ca_cert = CertificateDer::from(include_bytes("client-ca.crt").to_vec());

    let mut root_store = rustls::RootCertStore::empty();
    root_store.add(client_ca_cert).expect("invalid client CA");

    let client_auth = rustls::server::ClientAuthMandatory::Required(Arc::new(root_store));

    let config = ServerConfig::builder()
        .with_safe_defaults()
        .with_client_auth_mandatory(client_auth)
        .with_single_cert(cert_chain, private_key)
        .expect("invalid server certificate or key");

    Arc::new(config)
}

#[tokio::main]
async fn main() {
    let config = make_server_config().await;
    let addr = SocketAddr::from(([127, 0, 0, 1], 3000));

    let app = axum::Router::new()
        .route("/", axum::routing::get(|| async { "Hello mTLS" }));

    Server::bind(&addr)
        .https(hyper_rustls::TlsServer::new(config))
        .serve(app.into_make_service())
        .await
        .unwrap();
}

Client-side: Validate server certificate and hostname

The client should load the server CA and enable hostname verification to prevent connecting to a malicious server presenting a valid but wrong certificate.

use reqwest::Client;
use rustls::{ClientConfig, RootCertStore};
use rustls::pki_types::CertificateDer;
use std::sync::Arc;

async fn build_mtls_client() -> Client {
    // Load trusted server CA
    let server_ca = CertificateDer::from(include_bytes("server-ca.crt").to_vec());
    let mut root_store = RootCertStore::empty();
    root_store.add(server_ca).expect("invalid server CA");

    let client_config = ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth(); // client auth handled by server; client presents cert optionally

    let tls_connector = std::sync::Arc::new(HyperTls::new());
    let client = Client::builder()
        .use_preconfigured_tls(client_config)
        .build()
        .unwrap();

    client
}

Additional hardening steps

  • Prefer strong cipher suites and disable legacy protocols by using with_safe_defaults() and explicitly setting versions to TLSv1.2 and TLSv1.3 only.
  • Validate extended key usage and subject fields in client certificates within your application logic to ensure the presented identity matches expectations.
  • Enable revocation checks (OCSP/CRL) via a custom verifier if your PKI infrastructure supports it; rustls supports custom server verifiers for this purpose.
  • Ensure that any reverse proxy or load balancer also enforces mTLS and does not forward unverified requests to the Axum backend.

By combining these code-level controls with periodic scans via middleBrick, you can verify that your Axum endpoints enforce mTLS correctly and reduce the window for effective MitM attacks.

Scan for man in the middle in axum Free API security scan

Frequently Asked Questions

Does enabling Mutual TLS in Axum automatically prevent all Man In The Middle attacks?
No. While mTLS significantly raises the bar, you must also enforce strict certificate validation, hostname checks, and strong cipher suites. Misconfigurations such as requesting but not requiring client certificates can still leave the connection vulnerable to interception.
How can I verify my Axum server’s mTLS configuration is correct?
Use a scanner like middleBrick to test whether the server requests and validates client certificates, and confirm that weak protocols or cipher suites are disabled. Combine automated scans with manual testing using a client that presents a valid certificate to ensure end-to-end verification.

Related Pages

Man In The Middle with Mutual TlsDiscover how Man-in-the-Middle attacks exploit mTLS vulnerabilities through certificate impersonation and validation bypMan In The Middle in AxumLearn how Man-in-the-Middle attacks target Axum Rust applications, including code-level risks, detection via middleBrickMan In The Middle in Axum on CloudflareMitM in Axum behind Cloudflare: risks from mixed TLS and header misconfigurations; enforce HTTPS, Full (Strict), HSTS, aMan In The Middle in Axum on AzureMan In The Middle in Axum with Azure: causes and Azure-specific fixes using HTTPS enforcement and secure HTTP clients.Man In The Middle in Axum on AwsUnderstand and fix Man In The Middle risks in Axum when integrating with AWS. Enforce TLS, validate certificates, and usMan In The Middle in Axum on DigitaloceanMan In The Middle risks for Axum on Digitalocean — causes and concrete Rust/TLS fixes with code examples.Iso 27001: Man In The Middle in AxumExplore ISO 27001 controls for MitM on Axum APIs, with concrete Rust code fixes and how middleBrick scans and integratioHipaa: Man In The Middle in AxumExplore HIPAA risks in Man-in-the-Middle scenarios with Axum, plus concrete Rust code to enforce TLS, mTLS, and secure eCis: Man In The Middle in AxumCis in Man In The Middle with Axum — exposure and remediation patterns, secure token handling code examples.Gdpr: Man In The Middle in AxumExplore GDPR risks in Man In The Middle with Axum, understand how interception exposes PII, and apply Axum-specific codeMan In The Middle in Axum with DynamodbMitM risks between Axum and DynamoDB stem from unencrypted traffic and weak validation; enforce TLS, use the AWS SDK secMan In The Middle in Axum with CockroachdbMan In The Middle in Axum with CockroachDB: causes and secure Rust code examples with enforced TLS and certificate valid