Add 'certs' option to TLS block for multi-certs support #4889
This does not add tests or docs, this is to sound out how people feel about the API. Turn the TLS options cert_file and key_file into list-separated paths (so colon-delimited if on Unix, like `$PATH`); the count of entries must match, and the keys and certs should zip together. With this change, TLS SNI works to pick the correct cert to return for a given connection, allowing a NATS server to have multiple identities.
Force-pushed from c129fcf to 3009f4d.
What happens if given a config block with a present-but-empty list of certificates?

```
tls {
  certs: []
}
```
server/opts.go
case "key_file": | ||
certPair.KeyFile = file | ||
default: | ||
return nil, &configErr{tk, fmt.Sprintf("error parsing tls certs config, unknown field [%q]", k)} |
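Review bot: the switch here accepts `key_file` and rejects unknown fields, but nothing in this hunk checks that an entry of `certs` sets both `cert_file` and `key_file`, so an entry with only one of the two would produce a `certPair` with an empty path and only fail once the pair is loaded instead of at config parse time. Suggest returning a `configErr` such as `error parsing tls certs config, entry must set both cert_file and key_file` once the entry's fields have been read. Also, since `%q` already quotes, the square brackets in `unknown field [%q]` are redundant.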
tiny nit, `%q` will already quote, so the square brackets seem redundant
Force-pushed from 937607a to 5a0d33e.
that would have been the same as doing this:
which also makes the server start with TLS 'configured' but actually cannot be used. I think we should change to prevent this?
I think this needs a separate bug fix, since we need to consider the leafnode TLS remote case where no cert is configured but we want to change the tls timeout:
Force-pushed from 5a0d33e to 36df4a2.
LGTM - Minor nit
Force-pushed from 36df4a2 to 936afe3.
```
tls {
  certs = [
    {
      cert_file: "./configs/certs/srva-cert.pem"
      key_file: "./configs/certs/srva-key.pem"
    },
    {
      cert_file: "./configs/certs/srvb-cert.pem"
      key_file: "./configs/certs/srvb-key.pem"
    }
  ]
  ca_file: "./configs/certs/ca.pem"
  verify: true
  timeout: 2
}
```

Signed-off-by: Waldemar Quevedo <wally@nats.io>
Force-pushed from 936afe3 to a3f98bc.
Includes:

- Check all filterSubjects of consumers when purging a stream (#4873)
- Move tokenizing of subject after early returns (#4880)
- Move helper subjectInfo() to the file where it's used (#4881)
- JSAPI internal routing and reporting and Source and Mirror setup (#4884)
- Do not load all blocks for NumPending when delivery is LastPerSubject. (#4885)
- Detect corrupt psim subjects during recovery of index.db (#4890)
- Add 'certs' option to TLS block for multi-certs support (#4889)
This adds a `certs` option to the `tls` block to support loading multiple certs:

Follow up from #2029
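As an added illustration (not code from this PR or from nats-server), the Go program below shows the two behaviours the `certs` list relies on: Go's crypto/tls picks among several configured certificates by the client's SNI name, falling back to the first entry when nothing matches or no SNI is sent, and a loader that rejects the present-but-empty list asked about in review as well as entries missing half of a cert/key pair. The names `CertPair`, `BuildServerTLSConfig`, `SelectForSNI` and `SelfSignedPair` are hypothetical, the certificates are generated in memory rather than read from `cert_file`/`key_file` paths, and the host names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertPair is one entry of the proposed `certs` list. The real option takes
// file paths; this hypothetical type holds PEM bytes so the example runs
// without touching disk.
type CertPair struct {
	CertPEM []byte
	KeyPEM  []byte
}

// BuildServerTLSConfig turns the `certs` list into a tls.Config. It rejects a
// present-but-empty list and entries missing either half of the pair, so the
// server fails at config time instead of starting with TLS "configured" but
// unusable.
func BuildServerTLSConfig(pairs []CertPair) (*tls.Config, error) {
	if len(pairs) == 0 {
		return nil, errors.New("tls: 'certs' is present but empty; at least one cert_file/key_file pair is required")
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	for i, p := range pairs {
		if len(p.CertPEM) == 0 || len(p.KeyPEM) == 0 {
			return nil, fmt.Errorf("tls: certs entry %d must set both cert_file and key_file", i)
		}
		c, err := tls.X509KeyPair(p.CertPEM, p.KeyPEM)
		if err != nil {
			return nil, fmt.Errorf("tls: certs entry %d: %w", i, err)
		}
		cfg.Certificates = append(cfg.Certificates, c)
	}
	return cfg, nil
}

// SelectForSNI applies the rule crypto/tls uses when several Certificates are
// configured and no GetCertificate callback is set: the first certificate
// valid for the client's SNI name wins; the first entry is the fallback when
// none matches or when no SNI was sent. ClientHelloInfo.SupportsCertificate is
// the same check the Go server performs during the handshake.
func SelectForSNI(cfg *tls.Config, serverName string) (*x509.Certificate, error) {
	if len(cfg.Certificates) == 0 {
		return nil, errors.New("no certificates configured")
	}
	hello := &tls.ClientHelloInfo{
		ServerName:        serverName,
		SupportedVersions: []uint16{tls.VersionTLS13},
	}
	for i := range cfg.Certificates {
		if err := hello.SupportsCertificate(&cfg.Certificates[i]); err == nil {
			return x509.ParseCertificate(cfg.Certificates[i].Certificate[0])
		}
	}
	return x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
}

// SelfSignedPair builds a throwaway ECDSA certificate for host (constructed
// test data only, never for production use).
func SelfSignedPair(host string) (CertPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertPair{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return CertPair{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SNI matching is done against the SAN list
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return CertPair{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return CertPair{}, err
	}
	return CertPair{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	a, _ := SelfSignedPair("srva.example") // constructed identities
	b, _ := SelfSignedPair("srvb.example")
	cfg, err := BuildServerTLSConfig([]CertPair{a, b})
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"srva.example", "srvb.example", "other.example", ""} {
		leaf, err := SelectForSNI(cfg, sni)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SNI %q -> serves %s\n", sni, leaf.Subject.CommonName)
	}
	if _, err := BuildServerTLSConfig([]CertPair{}); err != nil {
		fmt.Println("empty certs rejected:", err)
	}
}
```

Note that the fallback to the first entry means a client that sends no SNI, or an unknown name, still gets a certificate rather than a handshake failure, so the order of the `certs` list decides which identity is the default.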