add client certificate and grpc backend builder options #133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dgryski
force-pushed
the
dgryski/client-cert
branch
3 times, most recently
from
d9962c7
to
603fa2b
Compare
cee-dub
reviewed
Aug 20, 2024
dgryski
force-pushed
the
dgryski/client-cert
branch
6 times, most recently
from
4930f94
to
77b981c
Compare
dgryski
changed the title
dgryski
force-pushed
the
dgryski/client-cert
branch
from
77b981c
to
ca3b46e
Compare
joeshaw
reviewed
Aug 21, 2024
| @@ -279,6 +280,19 @@ func (b *BackendOptions) SNIHostname(host string) *BackendOptions { | |||
| return b | |||
| } | |||
|
|
|||
| // ClientCertificate sets the client certificate to be provided to the server as part of the SSL handshake. | |||
| func (b *BackendOptions) ClientCertificate(certificate string, key secretstore.Secret) *BackendOptions { | |||
| b.abiOpts.UseSSL(true) | |||
There was a problem hiding this comment.
Should other SSL-related things (CertHostname, CACert, Ciphers, SNIHostname, SSLMaxVersion, SSLMinVersion) also imply UseSSL(true)? Feels like either all of them should or none of them should, and we should make it clear in the docs if so.
There was a problem hiding this comment.
This behaviour was copied from the Rust SDK.
/// Provide the given client certificate to the server as part of the SSL handshake.
//
/// Setting this will enable SSL for the connection as a side effect. Both
/// the certificate and the key to use should be in standard PEM format;
/// providing the information in another format will lead to an error. We
/// suggest that (at least the) key should be held in something like the
/// Fastly secret store for security, with the handle passed to this function
/// without unpacking it via [`Secret::plaintext`]; the certificate can
/// be held in a less secure medium.
///
/// (If it is absolutely necessary to get the key from another source, we
/// suggest the use of [`Secret::from_bytes`]).
pub fn provide_client_certificate(
mut self,
pem_certificate: impl ToString,
pem_key: Secret,
) -> Self {
self.use_ssl = true;
self.client_certificate_info = Some((pem_certificate.to_string(), pem_key));
self
}
The other SSL-related calls also set use_ssl = true in the Rust SDK. I'll update our implementation as well.
joeshaw
approved these changes
Aug 22, 2024
dgryski
force-pushed
the
dgryski/client-cert
branch
from
ee7a169
to
49f359f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.