-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: Add GetClientCAs to tls.Config #16066
Comments
CC @agl |
Ping @agl. |
FWIW, I've implemented the patch yesterday to see how difficult it would be and it looks like it is simple. In essence, I've added a |
You need tests too, which I imagine will be more than 20 lines. |
True. So far I've only updated the |
You'll probably want something closer to an integration test than a single unit test. For things like this, it's too easy for a unit test to be misleading. |
OK, so far I was not successful finding a test for the |
@bradfitz Is there a way to run a specific test with Also, how can I provide the |
The same way as normal Go tests:
|
Works - of course ... I was using Thx for the quick reply. |
OK, so I have a patch with the changes and a full integration test which is an addition to the existing tests. This involved adding a new option to The tests check three cases:
I've generated the updated |
Submitted a CL with the code: https://go-review.googlesource.com/#/c/28773/ This is my first on this project so pls bear with me. |
CL https://golang.org/cl/28773 mentions this issue. |
Changed the signature of |
Pung. Left comments. |
Fixed except for one consistency thing. See comments |
This is very related to #15707 and #15699 Perhaps instead of adding a dozen hooks That is, instead of your: type Config struct {
ClientCAs *x509.CertPool
GetClientCAs func(*ClientHelloInfo) *x509.CertPool
} We could do: type Config struct {
ClientCAs *x509.CertPool
// GetClientConfig returns server TLS configuration specialized for
// the incoming user. The current supported fields are: ClientCAs.
// If a supported field is its zero value, the base *tls.Config value is used
// instead.
GetClientConfig func(*ClientHelloInfo) *Config
} /cc @dpiddy @FiloSottile for thoughts. |
Yes, please. That is what I was thinking in #15699 (comment). I had it also return |
And as I said there, too, I think to make it truly useful we'd need some more info added to ClientHelloInfo. |
@dpiddy, whoops, I totally missed that. An |
@dpiddy, like what? |
Again as I said in #15699 (comment) my immediate need was for ALPN info so I can conditionally choose whether to serve, say, http/2 to a client. |
Yes, that is better. Do we want to resolve it recursively since the returned Also, since we need to maintain
As for extending
I can update the patch later to see what this would look like. |
On the same note: What if the returned |
@magiconair as @bradfitz said I think it would be good to make clear that only certain items on the Config returned by GetConfig will be respected. Then the recursion and ordering issues can be avoided. Maybe having ALPN info on the ClientHello isn't absolutely necessary for what I'm trying to do. I could offer h2 or not and the client can accept it or not if it wants. Hopefully I'm thinking that through correctly. Also, @bradfitz, my last comment went out too quickly and ended up sounding short. That wasn't what I intended, sorry about that. Thanks for helping move this along! |
CL https://golang.org/cl/30752 mentions this issue. |
@bradfitz @danp I've added an implementation for the suggested /cc @dpiddy @FiloSottile |
CL https://golang.org/cl/30790 mentions this issue. |
@agl @bradfitz Shall I submit the patch I've added in the comment of https://golang.org/cl/30790 for replacing |
If you left a comment on that CL and @agl hasn't submitted it yet, he'll probably just address it before he submits. |
This (the CL 30790 approach) is exactly what we've been experimenting with at Cloudflare in our fork, and seems to work. Agreed with @danp that we'll need a few more fields in the CHI, but it should be another issue/proposal/CL. |
GetConfigForClient allows the tls.Config to be updated on a per-client basis. Fixes golang#16066. Fixes golang#15707. Fixes golang#15699. Change-Id: I2c675a443d557f969441226729f98502b38901ea Reviewed-on: https://go-review.googlesource.com/30790 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
GetConfigForClient allows the tls.Config to be updated on a per-client basis. Fixes golang#16066. Fixes golang#15707. Fixes golang#15699. Change-Id: I2c675a443d557f969441226729f98502b38901ea Reviewed-on: https://go-review.googlesource.com/30790 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
tls.Config
provides aGetCertificate
function for providing TLS certificates dynamically. I suggest to add aGetClientCAs
function to provide the same for theClientCAs
field.Rationale: On a server the
ClientCAs
field is used for client certificate authentication but to my knowledge it isn't possible to extend the list of client certificates at runtime without interruption of existing connections (restart service or listener) sincex509.CertPool
is a struct and not safe for use by multiple go routines. AGetClientCAs
function would also mirror theGetCertificate
function.I have written a reverse proxy http://github.com/eBay/fabio for which I've added the dynamic reloading of TLS certificates without restart and would like to provide the same functionality for the client cert authentication.
I'm willing to write the change if this is something that could be accepted. Target would be Go 1.8 obviously.
The text was updated successfully, but these errors were encountered: