Dynamic TLS Certificates #778
The current version of FibJS supports SNI certificates, but this feature is not designed for updating certificates. However, the development branch of FibJS is currently upgrading the SSL library to OpenSSL, and SNI is considered an insecure protocol. Therefore, SNI support will not be included in the version of FibJS after upgrading to OpenSSL. Given that your requirement is to update certificates, I recommend restarting the server. Updating certificates is not a frequent operation, and introducing a callback during the SSL handshake for this purpose may not be very worthwhile.
I checked the documentation of node.js and found that it supports
0c184d1
Imagine an object-based storage service with user-defined domains. NGINX supports this feature using
As a radical idea, I plan to use FibJS instead of NGINX as a reverse proxy in a CDN in the future.
what about
Yes, but it is good for only one
Suppose that I have 10,000 secure contexts and each

```ts
// Build one secure context per row of the domain_certificates table
let contexts: Array<SecureContext> = [];
for (let row of db.select('domain_certificates')) {
    contexts.push(createSecureContextFrom(row));
}
server.setSecureContext(contexts); // it is wrong: setSecureContext takes a single context, not a list
```

If we have a user-defined function
So the point is that you need SNI support instead of changing the cert. We need to consider a few issues:
As a solution, I'm considering whether we can achieve this by extending
This way, the SSL handshake can be done without switching to the JS environment. If required by the business, we can modify the certificate of the specified domain template at any time.
good point. we should consider the lookup algorithms when there are lots of certificates that need to be matched. We can use an optimized template algorithm to solve the scaling problem. For example, if the domain name is not a template, we use a map to look it up; if it's not found in the map, then we use template traversal.
and by using a map, we can optimize template queries by continuously removing subdomains of the domain name and searching in different maps.
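The lookup just described, as an added example that is not fibjs or NGINX code: an exact-match map is probed first, then wildcard templates are found by stripping the leftmost label, and a size- and TTL-bounded cache sits in front of the resolver. Certificates are constructed stand-ins (`{ subject }`); the `*.example.com` pattern syntax and the injectable clock are assumptions made for the example.

```javascript
// Added example (not fibjs or NGINX code): SNI lookup as discussed above,
// an exact-match map probed first, then wildcard templates found by
// stripping the leftmost label, fronted by a size- and TTL-bounded cache.
// Certificates are constructed stand-ins ({ subject }); the "*.example.com"
// pattern syntax and the injectable clock are assumptions for the example.
const exact = new Map();     // "www.example.com" -> cert
const templates = new Map(); // "example.com"     -> cert for "*.example.com"

function addCertificate(pattern, cert) {
  if (pattern.startsWith('*.')) templates.set(pattern.slice(2).toLowerCase(), cert);
  else exact.set(pattern.toLowerCase(), cert);
}

// Slow path. A wildcard covers a single label (RFC 6125), so by default only
// one label is stripped; maxStrip > 1 reproduces the "keep removing
// subdomains" variant from the thread for deployments that want it.
function resolveCertificate(hostName, maxStrip = 1) {
  let name = hostName.toLowerCase().replace(/\.$/, '');
  if (exact.has(name)) return exact.get(name);
  for (let i = 0; i < maxStrip; i++) {
    const dot = name.indexOf('.');
    if (dot < 0) break;
    name = name.slice(dot + 1);                   // drop the leftmost label
    if (templates.has(name)) return templates.get(name);
  }
  return null; // no match: the server presents its default certificate
}

// Fast path: a bounded cache in front of the resolver. The TTL makes an
// entry whose certificate was replaced expire instead of lingering forever,
// which is the cache-pollution concern raised later in the thread.
function makeSniCache(resolver, { size = 1024, ttlMs = 60000, now = Date.now } = {}) {
  const cache = new Map(); // insertion-ordered, so the first key is the oldest
  function get(hostName) {
    const hit = cache.get(hostName);
    if (hit && now() - hit.at < ttlMs) return hit.cert;
    cache.delete(hostName);                       // miss or expired entry
    const cert = resolver(hostName);
    if (cert) {                                   // never cache a miss
      if (cache.size >= size) cache.delete(cache.keys().next().value);
      cache.set(hostName, { cert, at: now() });
    }
    return cert;
  }
  return { get, has: (h) => cache.has(h), size: () => cache.size };
}
```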
In
If SNI is disabled in the web browsers, how will the server send the right certificate?
I think that
Can we have these two solutions (
yes.
the server just send the default certificate. Cloudflare works in that manner.
Actually, the problem does not lie with JavaScript, but rather with the environmental switch.
SNICallback is easier, I just don't like it. I will think it over.
Is it possible to define a function for your solution in CPP that does not have the environmental switch cost, but I can override it in JS? Or am I thinking wrong? Thank you for your time.
plan A: We can first look up the certificate for the domain in the cache. If it cannot be found, then call
plan B: We can use
=============
maybe plan A is better. It is easier to implement and the results of the code are easier to understand.
I think Plan A is good. But, how can users manage the cache? Imagine that we have 10,000
In the long run, the cache will be polluted and should be cleared. FibJS uses
Solution A
Solution B
Solution C
What is the difference between plan A and plan B?
Cool, there are so many ideas. Let us sum up:
Let's look at some examples of edge cases:
So I think it is better to cache each
sure, makes sense.
I created another issue (#779) to prevent this issue from being off topic.
It's almost done. it looks like this:

```js
// fibjs test harness and the modules the cases below use
var test = require('test');
test.setup();
var tls = require('tls');
var assert = require('assert');
var coroutine = require('coroutine');

// sni_resolver(name) is a test helper (not shown in this excerpt) that
// returns a SecureContext whose certificate subject is 'CN=' + name.

describe('SNI context', () => {
    it('set/get', () => {
        var ctx = tls.createSecureContext(true);
        ctx.setSNIContext("test", sni_resolver("test"));
        ctx.setSNIContext("test1", sni_resolver("test1"));
        assert.equal(ctx.getSNIContext("test").cert.subject, 'CN=test');
        assert.equal(ctx.getSNIContext("test1").cert.subject, 'CN=test1');
    });

    it('resolver', () => {
        // contexts are created lazily through the resolver on first lookup
        var ctx = tls.createSecureContext({
            "SNIResolver": sni_resolver
        }, true);
        assert.equal(ctx.getSNIContext("test", true).cert.subject, 'CN=test');
        assert.equal(ctx.getSNIContext("test1", true).cert.subject, 'CN=test1');
    });

    it('delete', () => {
        var ctx = tls.createSecureContext(true);
        ctx.setSNIContext("test", sni_resolver("test"));
        ctx.setSNIContext("test1", sni_resolver("test1"));
        ctx.removeSNIContext("test");
        assert.equal(ctx.getSNIContext("test"), undefined);
        assert.equal(ctx.getSNIContext("test1").cert.subject, 'CN=test1');
    });

    it('size', () => {
        // with a cache of 2 entries the oldest ("test") is evicted
        var ctx = tls.createSecureContext({
            "SNICacheSize": 2
        }, true);
        ctx.setSNIContext("test", sni_resolver("test"));
        ctx.setSNIContext("test1", sni_resolver("test1"));
        ctx.setSNIContext("test2", sni_resolver("test2"));
        assert.equal(ctx.getSNIContext("test"), undefined);
        assert.equal(ctx.getSNIContext("test1").cert.subject, 'CN=test1');
        assert.equal(ctx.getSNIContext("test2").cert.subject, 'CN=test2');
    });

    it('timeout', () => {
        // entries expire after SNICacheTimeout milliseconds
        var ctx = tls.createSecureContext({
            "SNICacheTimeout": 200
        }, true);
        ctx.setSNIContext("test", sni_resolver("test"));
        coroutine.sleep(400);
        assert.equal(ctx.getSNIContext("test"), undefined);
    });
});
```

done.
Everything looks very good 👌
Node.js provides `SNICallback` in its `https` module to get the appropriate certificate dynamically, without needing a predefined set. This is a very useful feature, as it allows changing, adding, or removing certificates without restarting the server.

FibJS does not currently support this feature, but it would be great if it did. If FibJS were to support this feature, it would need to provide a `getCertificate(hostName)` method in its `SslServer` and `HttpsServer` classes. This method would take the `hostName` as an argument and return the appropriate certificate.