require a TLS client certificate by default (#453)
This commit changes the `ClientAuth` type from `RequestClientCert` to `RequireAnyClientCert` by default. In general, a KES server should demand a client certificate. Otherwise, a client (the HTTP/TLS stack) may choose not to send a client certificate, even if one is available. For example, the HTTP stack may try to be smart and not send a client certificate if it determines that it cannot be validated since it's self-signed. Instead, the KES server's TLS should abort the handshake if the client does not send a certificate.

However, in some cases we cannot enforce this, in particular when some APIs should be accessible without TLS authentication, like `/v1/metrics`. In these cases, we have to make it optional for clients to send a certificate. However, disabling auth for some APIs is an advanced use case intended only for users who are aware of the implications.

Signed-off-by: Andreas Auernhammer <github@aead.dev>
Showing 6 changed files with 96 additions and 86 deletions.