add client certificate and grpc backend builder options #133
@@ -279,6 +280,19 @@ func (b *BackendOptions) SNIHostname(host string) *BackendOptions { | |||
return b | |||
} | |||
|
|||
// ClientCertificate sets the client certificate to be provided to the server as part of the SSL handshake. | |||
func (b *BackendOptions) ClientCertificate(certificate string, key secretstore.Secret) *BackendOptions { | |||
b.abiOpts.UseSSL(true) |
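Review bot: the doc comment on ClientCertificate does not say that the call enables SSL as a side effect, although the first line of the body is b.abiOpts.UseSSL(true), and it does not say what format the certificate string and the key are expected in. Suggest stating both in the comment, for example "Setting this enables SSL for the connection as a side effect", so a caller who never called UseSSL is not surprised by the change in transport.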
Should other SSL-related things (CertHostname, CACert, Ciphers, SNIHostname, SSLMaxVersion, SSLMinVersion) also imply UseSSL(true)? Feels like either all of them should or none of them should, and we should make it clear in the docs if so.
This behaviour was copied from the Rust SDK.

/// Provide the given client certificate to the server as part of the SSL handshake.
///
/// Setting this will enable SSL for the connection as a side effect. Both
/// the certificate and the key to use should be in standard PEM format;
/// providing the information in another format will lead to an error. We
/// suggest that (at least the) key should be held in something like the
/// Fastly secret store for security, with the handle passed to this function
/// without unpacking it via [`Secret::plaintext`]; the certificate can
/// be held in a less secure medium.
///
/// (If it is absolutely necessary to get the key from another source, we
/// suggest the use of [`Secret::from_bytes`]).
pub fn provide_client_certificate(
    mut self,
    pem_certificate: impl ToString,
    pem_key: Secret,
) -> Self {
    self.use_ssl = true;
    self.client_certificate_info = Some((pem_certificate.to_string(), pem_key));
    self
}

The other SSL-related calls also set use_ssl = true in the Rust SDK. I'll update our implementation as well.
This LGTM.
Doc suggestions below. Otherwise LGTM.
No description provided.