
caddytls: Make peer certificate verification pluggable #4389

Merged
merged 35 commits into caddyserver:master on Jun 2, 2022

Conversation

Gr33nbl00d
Contributor

@Gr33nbl00d Gr33nbl00d commented Oct 18, 2021

Extension needed to fix #2341 by providing a plugin using this namespace to extend Caddy with revocation checking.
Needs review; it will be discussed in #2341 before merge.

@CLAassistant

CLAassistant commented Oct 18, 2021

CLA assistant check
All committers have signed the CLA.

@francislavoie francislavoie added the under review 🧐 Review is pending before merging label Oct 18, 2021
@francislavoie francislavoie added this to the v2.5.0 milestone Oct 18, 2021
Member

@francislavoie francislavoie left a comment


I like where this is going 👍

Inline review comments (resolved) on modules/caddytls/clientcertvalidator.go and modules/caddytls/connpolicy.go.
@Gr33nbl00d
Contributor Author

Regarding the CLA: I have seen that I accidentally committed with the wrong alias/git username :( So I'm not sure how to sign the CLA. Or do I need to rebase that branch, changing the author, and create a new pull request?

@francislavoie
Member

francislavoie commented Oct 19, 2021

You can amend your commits to change the authorship of the commits to match the email address that's on your github account (google it, there's instructions on rewriting commits).

Or, you can just add the email you committed with to your github account under https://github.com/settings/emails.

@francislavoie francislavoie changed the title Extension to allow custom verifyPeerCertificate methods via plugin caddytls: Make peer certificate verification pluggable Oct 19, 2021
@francislavoie francislavoie added the feature ⚙️ New feature or request label Oct 20, 2021
@mholt
Member

mholt commented Nov 1, 2021

Will circle back around to this soon, thanks for maintaining it!

Inline review comments (resolved) on modules/caddytls/connpolicy.go.
Gr33nbl00d and others added 5 commits January 21, 2022 09:46
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
@Gr33nbl00d
Contributor Author

Hi again,
I am back from vacation and will not cycle back to this :)

Member

@mholt mholt left a comment


Overall, I like the idea and the implementation. I would like to review this in more detail when I have time, but overall I'm not opposed to this approach.

We should see how #4518 plays out before committing to this, though, since I want to make sure we get client auth right.

Inline review comments (resolved) on modules/caddytls/connpolicy.go.
@mholt
Member

mholt commented Feb 14, 2022

Thanks for keeping this updated. Still interested in this change, but need to see what the outcome / resulting consensus on #4518 is...

@mholt mholt modified the milestones: v2.5.0, v2.6.0 Mar 3, 2022
@mholt
Member

mholt commented Jun 2, 2022

CI tests seem stuck on this so I'm going to try closing and reopening.

@mholt mholt closed this Jun 2, 2022
@mholt mholt reopened this Jun 2, 2022
Member

@mholt mholt left a comment


Finally getting back to this. I'll probably push a commit or three soon.

Inline review comments (resolved) on modules/caddytls/connpolicy.go.
@mholt mholt removed the under review 🧐 Review is pending before merging label Jun 2, 2022
@mholt mholt modified the milestones: v2.6.0, v2.5.2 Jun 2, 2022
Member

@mholt mholt left a comment


Thanks so much for the enhancement, @Gr33nbl00d -- sorry it took me a few months to get around to it. Happy to merge this in!

@mholt mholt merged commit 0a14f97 into caddyserver:master Jun 2, 2022
@francislavoie
Member

FYI @Gr33nbl00d, I spotted in the Go 1.19 release notes (draft notes; it's not out yet) that they're adding a new function, ParseRevocationList. Is that useful for you? It might perform better, or well enough to obviate the need for your custom parser?

@Gr33nbl00d
Contributor Author

> FYI @Gr33nbl00d I spotted in the Go 1.19 release notes (draft notes, it's not out yet) that they're adding a new function ParseRevocationList. Is that useful for you? Might perform better or well enough to obviate the need for your custom parser?

I see, but according to the method signature they take a byte array as the parameter and return a complete list.
This would still mean that the whole file is loaded into memory...
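The in-memory approach this exchange weighs, as an added example that is not part of the PR or of Caddy's code: a verifier with the tls.Config.VerifyPeerCertificate signature that loads a CRL through x509.ParseRevocationList (Go 1.19+), checks the CRL's signature against the issuing CA, fails closed once the CRL is past NextUpdate, refuses to vouch for a leaf from a different issuer, and rejects a leaf whose serial is listed. The names CRLVerifier, RunDemo and the must/mustCert helpers are assumptions of this example, and the CA, client certificates and CRL are all constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLVerifier is an added illustration, not Caddy's verifier module: one CRL parsed by
// x509.ParseRevocationList (Go 1.19+, whole list in memory) behind a VerifyPeerCertificate.
type CRLVerifier struct {
	crl *x509.RevocationList
	now func() time.Time // injectable clock so stale-CRL handling is testable
}

// NewCRLVerifier parses a DER CRL and checks its signature against the issuing CA first.
func NewCRLVerifier(crlDER []byte, issuer *x509.Certificate) (*CRLVerifier, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	return &CRLVerifier{crl: crl, now: time.Now}, nil
}

// VerifyPeerCertificate runs after chain verification, so it uses verifiedChains, not rawCerts.
func (v *CRLVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return fmt.Errorf("no verified chain: revocation check needs prior chain verification")
	}
	// Fail closed on a stale CRL: past NextUpdate the revocation status is simply unknown.
	if v.now().After(v.crl.NextUpdate) {
		return fmt.Errorf("CRL stale: NextUpdate %s has passed", v.crl.NextUpdate.Format(time.RFC3339))
	}
	leaf := verifiedChains[0][0]
	if !bytes.Equal(leaf.RawIssuer, v.crl.RawIssuer) { // a CRL only covers its own issuer's certs
		return fmt.Errorf("leaf issuer does not match CRL issuer: no revocation data for it")
	}
	for _, rc := range v.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

// must and mustCert are fixture-only helpers (panicking is fine for constructed test data,
// not production); mustCert mints a P-256 key and issues tmpl signed by parent, or self-signed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RunDemo builds a throwaway CA, two client certs and a CRL revoking the first (all constructed
// here) and returns the verdicts on the revoked leaf, the good leaf, and the good leaf under a stale CRL.
func RunDemo() (revokedErr, goodErr, staleErr error) {
	now := time.Date(2022, 6, 2, 12, 0, 0, 0, time.UTC)
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	caTmpl := tmpl(1, "Example Client CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CreateRevocationList requires CRLSign
	ca, caKey := mustCert(caTmpl, nil, nil)
	revoked, _ := mustCert(tmpl(2, "revoked-client"), ca, caKey)
	good, _ := mustCert(tmpl(3, "good-client"), ca, caKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-30 * time.Minute)}},
	}, ca, caKey))
	v := must(NewCRLVerifier(crlDER, ca))
	v.now = func() time.Time { return now }
	revokedErr = v.VerifyPeerCertificate(nil, [][]*x509.Certificate{{revoked, ca}})
	goodErr = v.VerifyPeerCertificate(nil, [][]*x509.Certificate{{good, ca}})
	v.now = func() time.Time { return now.Add(2 * time.Hour) } // past NextUpdate
	staleErr = v.VerifyPeerCertificate(nil, [][]*x509.Certificate{{good, ca}})
	return revokedErr, goodErr, staleErr
}
```

Wired into a real tls.Config on the server side, the verifiedChains argument is only populated when ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert; with a weaker setting the callback sees raw, unverified certificates and this check correctly refuses to run. The whole CRL lives in memory after ParseRevocationList, which is exactly the trade-off raised above: for CRLs of any size a streaming parser or a serial-number index is needed instead of a linear scan over RevokedCertificates.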

Successfully merging this pull request may close these issues:
Allow revocation list for client cert auth
6 participants