Support SSL client cert and added ssl_client_cert option #2436
Relevant Issue (if applicable)
#2357
Details
There is a request to use a client certificate when connecting s3fs to an S3 server.
This PR is its implementation.
Since s3fs uses libcurl, we have made it possible to specify the following libcurl options:
The ssl_client_cert option has been added to allow users to specify the libcurl parameters listed above.

Specify the ssl_client_cert option in the following format:

Specify the SSL client certificate file path.
If you are using NSS etc., you can specify a Nickname of the cert.

Specify the SSL client certificate type (PEM, P12 (for PKCS#12), etc.).
This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.

Specify the SSL private key.
This value is optional (unspecified or empty string).
If this value is omitted, the following <Key Type> and <Password> fields are ignored.

Specify the SSL private key type (PEM, P12 (for PKCS#12), etc.).
This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.

Specify a passphrase to access the SSL private key.
This value is optional; if omitted (unspecified or empty string), no passphrase will be set.
However, if you omit this value and the S3FS_SSL_PRIVKEY_PASSWORD environment variable is set, its value will be set as the passphrase (to avoid specifying a passphrase on the command line).

NOTE
This modification has not tested the operation by specifying a client certificate.
(Maybe for that we need to have a client certificate verify function in s3proxy etc.)
Therefore, I believe that this option should remain an unofficial one even if this PR is merged.
I think it would be a good idea to change to the official option while checking its performance.
Finally, it may be better to specify the passphrase in a file instead of just using options and environment variables.
@gaul
Please let me know your opinion on adding this option.
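
The defaulting rules described in this PR, written out as an added example; this is not code from the PR or from s3fs. The ':' field separator, the mandatory certificate field, the ClientCertOpt struct and the parse_ssl_client_cert name are assumptions made for illustration, since the page does not show the option format.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Hypothetical holder for the five values the PR description lists.
struct ClientCertOpt {
    std::string cert;       // certificate file path or NSS nickname
    std::string cert_type;  // PEM when omitted
    std::string key;        // private key, optional
    std::string key_type;   // PEM when omitted and a key is given
    std::string password;   // passphrase, optional
};

// Assumptions: ':' separates the fields and the certificate field is mandatory.
// The fifth field keeps any further ':' so a passphrase may contain one.
static bool parse_ssl_client_cert(const std::string& value, ClientCertOpt& out)
{
    std::string f[5];
    std::string::size_type pos = 0;
    for (int i = 0; i < 5; ++i) {
        std::string::size_type next = (i < 4) ? value.find(':', pos) : std::string::npos;
        f[i] = value.substr(pos, next == std::string::npos ? next : next - pos);
        if (next == std::string::npos) break;
        pos = next + 1;
    }
    if (f[0].empty()) return false;
    out.cert = f[0];
    out.cert_type = f[1].empty() ? "PEM" : f[1];
    out.key = f[2];
    out.key_type.clear();
    out.password.clear();
    if (out.key.empty()) return true;  // key type and passphrase fields are ignored
    out.key_type = f[3].empty() ? "PEM" : f[3];
    out.password = f[4];
    if (out.password.empty()) {
        // Fallback keeps the passphrase off the command line.
        if (const char* env = std::getenv("S3FS_SSL_PRIVKEY_PASSWORD")) out.password = env;
    }
    return true;
}

int main()
{
    ClientCertOpt o;
    // Constructed sample value; the paths are placeholders.
    if (!parse_ssl_client_cert("/etc/s3fs/client.pem::/etc/s3fs/client.key", o)) return 1;
    std::cout << o.cert_type << ' ' << o.key_type << ' ' << (o.password.empty() ? "no passphrase" : "passphrase set") << '\n';
    return 0;
}
```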