feat!: renaming of TLS configuration parameters #1503
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Gabriele Baldoni <[email protected]>
gabrik
added
the
breaking-change
Signed-off-by: Gabriele Baldoni <[email protected]>
JEnoch
reviewed
Oct 3, 2024
DEFAULT_CONFIG.json5
Outdated
| // This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your | ||
| // ca to verify that the server at baz.com is actually baz.com, let this be true (default). | ||
| server_name_verification: null, | ||
| verify_name_on_connect: null, |
There was a problem hiding this comment.
The comments above indicate the value for thic config can be false or true (default).
But here it's null. Why ?
There was a problem hiding this comment.
TBH, I do not know, let me set it as true
| pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification"; | ||
| pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true"; | ||
| pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; | ||
| pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: &str = "true"; |
There was a problem hiding this comment.
This TLS_VERIFY_NAME_ON_CONNECT_DEFAULT const seems never used, and doesn't exist in zenoh-link-tls
There was a problem hiding this comment.
Yep I noticed it while doing the changes. I think in both QUIC and TLS we should use the default value when getting from the conf.
I'll fix it
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
gabrik
force-pushed
the
feat/rename-tls-config
branch
from
22f2b3b
to
2226121
Compare
JEnoch
requested changes
Oct 3, 2024
DEFAULT_CONFIG.json5
Outdated
| enable_mtls: false, | ||
| /// Path to the TLS connecting side private key | ||
| connect_private_key: null, | ||
| /// Path to the TLS client connecting side certificate |
Signed-off-by: Gabriele Baldoni <[email protected]>
oteffahi
suggested changes
Oct 4, 2024
| }; | ||
| } | ||
|
|
||
| match (c.client_private_key(), c.client_private_key_base64()) { | ||
| match (c.connect_private_key(), c.connect_private_key_base64()) { | ||
| (Some(_), Some(_)) => { | ||
| bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") |
There was a problem hiding this comment.
Update error message with new keys
| client_private_key.expose_secret(), | ||
| )); | ||
| } | ||
| _ => {} | ||
| } | ||
|
|
||
| match (c.client_certificate(), c.client_certificate_base64()) { | ||
| match (c.connect_certificate(), c.connect_certificate_base64()) { | ||
| (Some(_), Some(_)) => { | ||
| bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") |
There was a problem hiding this comment.
Update error message with new keys
| @@ -150,7 +151,7 @@ pub(crate) struct TlsServerConfig { | |||
|
|
|||
| impl TlsServerConfig { | |||
| pub async fn new(config: &Config<'_>) -> ZResult<TlsServerConfig> { | |||
| let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
| let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
| Some(s) => s | |||
| .parse() | |||
| .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, | |||
| @@ -248,14 +249,14 @@ pub(crate) struct TlsClientConfig { | |||
|
|
|||
| impl TlsClientConfig { | |||
| pub async fn new(config: &Config<'_>) -> ZResult<TlsClientConfig> { | |||
| let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
| let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
| Some(s) => s | |||
| .parse() | |||
| .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, | |||
| @@ -64,83 +64,84 @@ impl ConfigurationInspector<ZenohConfig> for TlsConfigurator { | |||
| _ => {} | |||
| } | |||
|
|
|||
| match (c.server_private_key(), c.server_private_key_base64()) { | |||
| match (c.listen_private_key(), c.listen_private_key_base64()) { | |||
| (Some(_), Some(_)) => { | |||
| bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") | |||
| client_private_key.expose_secret(), | ||
| )); | ||
| } | ||
| _ => {} | ||
| } | ||
|
|
||
| match (c.client_certificate(), c.client_certificate_base64()) { | ||
| match (c.connect_certificate(), c.connect_certificate_base64()) { | ||
| (Some(_), Some(_)) => { | ||
| bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") |
| @@ -152,7 +153,7 @@ pub(crate) struct TlsServerConfig { | |||
|
|
|||
| impl TlsServerConfig { | |||
| pub async fn new(config: &Config<'_>) -> ZResult<TlsServerConfig> { | |||
| let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
| let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
| Some(s) => s | |||
| .parse() | |||
| .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, | |||
| @@ -250,14 +251,14 @@ pub(crate) struct TlsClientConfig { | |||
|
|
|||
| impl TlsClientConfig { | |||
| pub async fn new(config: &Config<'_>) -> ZResult<TlsClientConfig> { | |||
| let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
| let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
| Some(s) => s | |||
| .parse() | |||
| .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, | |||
| @@ -62,83 +62,84 @@ impl ConfigurationInspector<ZenohConfig> for TlsConfigurator { | |||
| _ => {} | |||
| } | |||
|
|
|||
| match (c.server_private_key(), c.server_private_key_base64()) { | |||
| match (c.listen_private_key(), c.listen_private_key_base64()) { | |||
| (Some(_), Some(_)) => { | |||
| bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") | |||
| server_private_key.expose_secret(), | ||
| )); | ||
| } | ||
| _ => {} | ||
| } | ||
|
|
||
| match (c.server_certificate(), c.server_certificate_base64()) { | ||
| match (c.listen_certificate(), c.listen_certificate_base64()) { | ||
| (Some(_), Some(_)) => { | ||
| bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") |
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
gabrik
requested review from
oteffahi
and removed request for
JEnoch,
OlivierHecart and
Charles-Schleich
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Names in TLS configuration can be improved, currently we have:
server_certificate/server_certificate-> used when listening TLS/QUICclient_certificate/client_private_key-> used when connecting TLS/QUICserver_name_verification/client_auth-> used configure behaviour in connect/listenThe concept of server and client are never mentioned in zenoh docs/configuration/examples, so it can be a bit misleading.
I suggest to rename:
server=>listenandclient=>connectfor certificate/key,server_name_verification=>verify_name_on_connectandclient_auth=>enable_mtlsSo this will make clear that if you want to listen TLS/QUIC you need a listen certificate, when you want to connect you need a connect certificate.
Summarizing this PR introduces the following changes:
server_certificate/server_private_key->listen_certificate/listen_private_keyclient_certificate/client_private_key->connect_certificate/connect_private_keyserver_name_verification->verify_name_on_connectclient_auth->enable_mtlsSister PRs: