Add local TLS server #6662
Add local TLS server #6662
Conversation
sigmavirus24
force-pushed
the
fix-tls-floppy
branch
from
232042e
to
70541bb
Compare
| openssl req -key $< -new -out $@ -config cert.cnf | ||
|
|
||
| client.pem: client.csr | ||
| openssl x509 -req -CA ./ca/ca.crt -CAkey ./ca/ca-private.key -in client.csr -outform PEM -out client.pem -days 730 -CAcreateserial |
There was a problem hiding this comment.
nit; any reason we're using 730 days here v 7300 days above in tests/certs/expired/ca/Makefile?
Not an issue but we may want to keep them consistent or note the variance as significant.
There was a problem hiding this comment.
Certificate authorities should last significantly longer (20-25 years) per CAB forum. This is a cert issued by that which could theoretically live longer than the CA if we did the same expiration. I figured ~2 years would be sufficient for this test while helping us make sure the make targets keep working
sigmavirus24
force-pushed
the
fix-tls-floppy
branch
from
70541bb
to
b6d18eb
Compare
|
Ack didn't mean to add that roadmap file. Was a brain dump for years back |
Yeah I think having a handshake failure causes the socket to be in an unhappy place but I don't feel like making this a perfect server. |
sigmavirus24
force-pushed
the
fix-tls-floppy
branch
from
b6d18eb
to
98093d8
Compare
There was a problem hiding this comment.
Looks like .coverage.enoch.2677669.XurTNrNx may have accidentally been added? Otherwise, this looks good to me. Thanks @sigmavirus24!
.coverage.enoch.2677669.XurTNrNx
Outdated
There was a problem hiding this comment.
Was this meant to be included?
There was a problem hiding this comment.
Ah no. I'll kill this and force push and merge when green
| openssl req -key $< -new -out $@ -config cert.cnf | ||
|
|
||
| client.pem: client.csr | ||
| openssl x509 -req -CA ./ca/ca.crt -CAkey ./ca/ca-private.key -in client.csr -outform PEM -out client.pem -days 730 -CAcreateserial |
This also adds certificates for testing purposes and files to make it easy to generate/regenerate them. This also replaces an existing test of how we utilize our pool manager such that we don't connect to badssl.com Finally, this adds additional context parameters for our pool manager to account for mTLS certificates used by clients to authenticate to a server.
sigmavirus24
force-pushed
the
fix-tls-floppy
branch
from
98093d8
to
a94e9b5
Compare
This also adds certificates for testing purposes and files to make it easy to generate/regenerate them.
This also replaces an existing test of how we utilize our pool manager such that we don't connect to badssl.com
Finally, this adds additional context parameters for our pool manager to account for mTLS certificates used by clients to authenticate to a server.