-
Notifications
You must be signed in to change notification settings - Fork 408
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support inline TLS Certificates and Keys #343
base: develop
Are you sure you want to change the base?
Conversation
My favourite configuration format would be like this: <set_option name="certificate">
<cacertificate>
<![CDATA[
-----BEGIN CERTIFICATE-----
<!-- ... -->
-----END CERTIFICATE-----
]]>
</cacertificate>
<certificate>
<![CDATA[
-----BEGIN CERTIFICATE-----
<!-- ... -->
-----END CERTIFICATE-----
]]>
</certificate>
<private_key password="secret">
<![CDATA[
-----BEGIN RSA PRIVATE KEY-----
<!-- ... -->
-----END RSA PRIVATE KEY-----
]]>
</private_key>
</set_option> or, when referencing files: <set_option name="certificate">
<cacertificate file="/path/to/ca_cert.pem">
<certificate file="/path/to/cert.pem">
<private_key file="/path/to/key.pem" password="secret">
</set_option> That would be a bigger change to how the existing Any ideas, suggestions or opinions, @nniclausse? |
Any preferences, @nniclausse? |
The patch looks good; i don't see a good reason to change the format though. Or am i missing something ? |
Just aesthetics. And I just noticed that you cannot provide the CA certificate chain inline as well (I don't need that, that's probably the reason why I forgot). |
maybe simply using |
duh, okay, you're right, that makes more sense. No need to have I'll try to refactor this over the weekend... |
This PR adds
<cert>
and<key>
under<set_option name="certificate">
:Previously it was only possible to provide certificates and keys via files. I need to be able to handle certificates and keys based on dynvar data (e.g. by extracting from responses or using file servers).
Notes
cert
andkey
will be run throughts_search:subst/2
thus supporting to have dynamic configurationerror_connect_option_*
if connection options are invalid (happens in certain cases where the provided certificate or key is not valid)error_connect_tls_bad_certificate
if the provided certificate could not be used