Support inline TLS Certificates and Keys #343
Conversation
|
My favourite configuration format would be like this: <set_option name="certificate">
<cacertificate>
<![CDATA[
-----BEGIN CERTIFICATE-----
<!-- ... -->
-----END CERTIFICATE-----
]]>
</cacertificate>
<certificate>
<![CDATA[
-----BEGIN CERTIFICATE-----
<!-- ... -->
-----END CERTIFICATE-----
]]>
</certificate>
<private_key password="secret">
<![CDATA[
-----BEGIN RSA PRIVATE KEY-----
<!-- ... -->
-----END RSA PRIVATE KEY-----
]]>
</private_key>
</set_option>or, when referencing files: <set_option name="certificate">
<cacertificate file="/path/to/ca_cert.pem">
<certificate file="/path/to/cert.pem">
<private_key file="/path/to/key.pem" password="secret">
</set_option>That would be a bigger change to how the existing Any ideas, suggestions or opinions, @nniclausse? |
tisba
changed the title
|
Any preferences, @nniclausse? |
|
The patch looks good; i don't see a good reason to change the format though. Or am i missing something ? |
|
Just aesthetics. And I just noticed that you cannot provide the CA certificate chain inline as well (I don't need that, that's probably the reason why I forgot). |
|
maybe simply using |
|
duh, okay, you're right, that makes more sense. No need to have I'll try to refactor this over the weekend... |
This PR adds
<cert>and<key>under<set_option name="certificate">:Previously it was only possible to provide certificates and keys via files. I need to be able to handle certificates and keys based on dynvar data (e.g. by extracting from responses or using file servers).
Notes
certandkeywill be run throughts_search:subst/2thus supporting to have dynamic configurationerror_connect_option_*if connection options are invalid (happens in certain cases where the provided certificate or key is not valid)error_connect_tls_bad_certificateif the provided certificate could not be used