Providing Trusted Leaf Certificates to the Leaf Certificate Verifier

[mohammed90]

The leaf-certificate verifier in client authentication does not have a way to provide the trusted leaf certificate material without relying no the deprecated field trusted_leaf_certs, which was not meant to be the proxy forever and only left around as a bridge for existing users and not to be used after the introduction of the feature in #4389. At the moment, there's no way to configure the "verifier": "leaf"directly with new behavior only.

We should provide a way to provide the trusted certificates to the tls.client_auth.leaf module.

[armadi1809]

@mohammed90 I can take a look at this, unless you want to leave it for someone doing their first contribution.

[mohammed90]

Go for it!

[armadi1809]

Cool. I have a couple of questions though to make sure I understand this right.

1. Currently, what happens when we include the { "verifier" : "leaf"} in our config without using the deprecated trusted_leaf_certs field? I am assuming it doesn't do anything?

2. How do you envision this being implemented? Should it be a sub-directive of the verifier directive?

[mohammed90]

• Currently, what happens when we include the { "verifier" : "leaf"} in our config without using the deprecated trusted_leaf_certs field? I am assuming it doesn't do anything?

Per the code here:

caddy/modules/caddytls/connpolicy.go

Lines 561 to 567 in 4181c79

	for _, trustedLeafCert := range l.TrustedLeafCerts {
	if remoteLeafCert.Equal(trustedLeafCert) {
	return nil
	}
	}
	return fmt.Errorf("client leaf certificate failed validation")

It'll return an error in the last line

• How do you envision this being implemented? Should it be a sub-directive of the verifier directive?

Start by figuring out the JSON first, not the Caddyfile. Consider that the source of the certificates can be from various sources, so it should be pluggable.