Enable TLS in vault #455

ashu3103 · 2024-08-04T16:33:06Z

WIP: Enable TLS between `curl` and `pgagroal-vault`

This commit is aimed to integrate the tls mode in pgagroal-vault similar to pgagroal for secure connections.

Add required fields in the vault configuration like tls, tls_cert_file, tls_ca_file and tls_key_file
Before handling the HTTP request, the vault will check whether the client wants to initiate TLS Handshake with ClientHello by peeking the first few bytes of the data after the establishing the connection and checking it against the ClientHello bytes.
Case1: If client initiates the TLS Handshake and config->tls is on, both server and client will do the TLS handshake and then server handles the upcoming HTTP request.
Case2: If client doesn't initiates the TLS Handshake and config->tls is on, the server will bypass TLS handshake and instead server handles the incoming HTTP request.
Case3: If client initiates the TLS Handshake and config->tls is off, the server will simply closes the connection and report appropriate errors.

jesperpedersen · 2024-08-04T18:09:47Z

We need to remove Case 2 - if TLS is on then it is mandatory for the clients

ashu3103 · 2024-08-07T14:19:20Z

We need to remove Case 2 - if TLS is on then it is mandatory for the clients

Done.

If Case 2 is encountered, an HTTP message with 301 (Redirect Message) code will be sent.

jesperpedersen · 2024-08-07T15:47:28Z

Merged.

Thanks for your contribution !

jesperpedersen requested review from jesperpedersen and fluca1978 August 4, 2024 18:07

jesperpedersen assigned ashu3103 Aug 4, 2024

jesperpedersen added the feature New feature label Aug 4, 2024

Enable TLS in vault

5fae10c

ashu3103 force-pushed the ssl-vault branch from d8e2346 to 5fae10c Compare August 7, 2024 14:17

jesperpedersen merged commit 5fae10c into agroal:master Aug 7, 2024
2 checks passed