Support SSL client cert and added ssl_client_cert option #2436

Merged on Apr 14, 2024 (1 commit)

@ggtakec (Member) commented Mar 24, 2024

Relevant Issue (if applicable)

#2357

Details

There is a request to use a client certificate when connecting s3fs to an S3 server.
This PR is its implementation.

Since s3fs uses libcurl, we have made it possible to specify the following libcurl options:

The ssl_client_cert option has been added to allow users to specify the libcurl parameters listed above.
Specify the ssl_client_cert option in the following format:

ssl_client_cert=<SSL Cert>[:<Cert Type>[:<Private Key>[:<Key Type>[:<Password>] ] ] ]
  • <SSL Cert>
    Specify the SSL client certificate file path.
    If you are using NSS etc., you can specify the nickname of the cert.
  • <Cert Type>
    Specify the SSL client certificate type (PEM, P12 (for PKCS#12), etc.).
    This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.
  • <Private Key>
    Specify the SSL private key.
    This value is optional (unspecified or empty string).
    If this value is omitted, the following <Key Type> and <Password> fields are ignored.
  • <Key Type>
    Specify the SSL private key type (PEM, P12 (for PKCS#12), etc.).
    This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.
  • <Password>
    Specify a passphrase to access the SSL private key.
    This value is optional; if omitted (unspecified or empty string), no passphrase will be set.
    However, if the user omits this value and the S3FS_SSL_PRIVKEY_PASSWORD environment variable is set, its value will be set as the passphrase (to avoid specifying a passphrase on the command line).

NOTE

The operation of this modification has not been tested by specifying a client certificate.
(Maybe for that we need to have a client certificate verification function in s3proxy etc.)
Therefore, I believe that this option should remain an unofficial one even if this PR is merged.
I think it would be a good idea to change it to an official option while checking its performance.
Finally, it may be better to specify the passphrase in a file instead of just using options and environment variables.

@gaul
Please let me know your opinion on adding this option.
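
The field rules in the PR description above, as an added C++ example that is not part of the PR or s3fs's own code: it splits an `ssl_client_cert` value on `:` and applies the stated defaults and the `S3FS_SSL_PRIVKEY_PASSWORD` fallback. The struct, the function names and the sample paths are hypothetical, and rejecting a value with more than five fields is this example's assumption.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical holder for the five fields; names are this example's, not s3fs's.
struct ClientCertOpt { std::string cert, cert_type, key, key_type, password; };

// Split on ':' and keep empty fields, so "a::b" yields {"a", "", "b"}.
// A path that itself contains ':' cannot be expressed with this split.
static std::vector<std::string> split_fields(const std::string& s) {
    std::vector<std::string> out;
    std::string::size_type pos = 0, next;
    while ((next = s.find(':', pos)) != std::string::npos) {
        out.push_back(s.substr(pos, next - pos));
        pos = next + 1;
    }
    out.push_back(s.substr(pos));
    return out;
}

// Returns false when the certificate is missing or (assumption) when there
// are more than five fields.
bool parse_ssl_client_cert(const std::string& value, ClientCertOpt& opt) {
    std::vector<std::string> f = split_fields(value);
    if (f.size() > 5 || f[0].empty()) return false;
    f.resize(5);                       // omitted trailing fields become ""
    opt = ClientCertOpt{};
    opt.cert = f[0];
    opt.cert_type = f[1].empty() ? std::string("PEM") : f[1];
    if (f[2].empty()) return true;     // no key: key type and password are ignored
    opt.key = f[2];
    opt.key_type = f[3].empty() ? std::string("PEM") : f[3];
    opt.password = f[4];
    if (opt.password.empty()) {        // fall back to the environment variable
        const char* env = std::getenv("S3FS_SSL_PRIVKEY_PASSWORD");
        if (env != nullptr) opt.password = env;
    }
    return true;
}

int main() {
    ClientCertOpt o;                   // constructed sample value below
    if (!parse_ssl_client_cert("/etc/s3fs/client.p12:P12:/etc/s3fs/client.key", o)) return 1;
    std::cout << o.cert << " (" << o.cert_type << "), key " << o.key
              << " (" << o.key_type << "), passphrase "
              << (o.password.empty() ? "not set" : "set") << "\n";
    return 0;
}
```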

@wil2business

@ggtakec
I tested the PR code (#2436) and found the solution to work only in foreground mode.
I was not able to mount a directory using background mode. Also, it did not generate any error message when I attempted to mount it in background mode.
Thank you for working on this.

@gaul gaul merged commit 9502680 into s3fs-fuse:master Apr 14, 2024
19 checks passed
@ggtakec ggtakec deleted the ssl_client_cert branch April 14, 2024 08:23