-
-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support dynamic issuer in tls cert issuer logic #354
Comments
As discussed in private we will implement this with a Currently I was thinking of providing the entire Any other feedback or things we need to discuss before I start implementing this? |
Just go for dynamic traits, I don't think there's gonna be a performance issue. I have a hard time believing that channels are faster than it.
How would you plan on doing so? Don't think that is hidden if you have to expose the trait?
https://ramaproxy.org/docs/rama/net/tls/client/struct.ClientHello.html, do you mean this The only issue is that I'm not sure how boring exposes this https://docs.rs/boring/latest/boring/ssl/struct.SslRef.html <- that's the type you get as part of the callback that we can use to set certificates on the fly (e.g. with an issuer): https://docs.rs/boring/latest/boring/ssl/struct.SslContextBuilder.html#method.set_servername_callback We might need to switch over to using https://docs.rs/boring/latest/boring/ssl/struct.SslContextBuilder.html#method.set_async_select_certificate_callback instead. That one does give access to the client hello. Does require some trickery such as setting the waker etc... will need to be careful with that one. For rustls I'm not sure what there is needed. But In case that latter is too much, feel free to leave rustls unsupported for now, it's not supporting the current cert issue live in Do hit me up here or on Discord if there's something not clear or right. |
At the time of writing this issue there is already the following support for tls acceptor auth config:
Where
ServerCertIssuerData
is:and
ServerCertIssuerKind
is:The goal of this issue is to provide a third variant to
ServerCertIssuerKind
such that it becomes:The dynamic "thing" would support any kind of custom logic to support getting certs. The thing could receive some kind of
CertIssueInput
, for example:Proposed steps to resolve this issue:
Some approaches we can make this happen:
provide a trait
ServerCertIssuer
and work with a Box`; This approach is the most obvious but also not one I like as it means we have to box by defaultprovide a channel based approach such that the variant would become something like (pseudo code):
Generics is something we do want to avoid here as it would make the entire type and using it a lot more cumbersome / complicated. Even when not using this dynamic approach.
This kind of feature would allow the implementation of an external cert issuer, as to not have to keep the
CA
or physical proximity of the proxy. It could also allow dynamic cert selection. And many other use cases.The text was updated successfully, but these errors were encountered: