feat!: renaming of TLS configuration parameters #1503
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
DEFAULT_CONFIG.json5
Outdated
// This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your | ||
// ca to verify that the server at baz.com is actually baz.com, let this be true (default). | ||
server_name_verification: null, | ||
verify_name_on_connect: null, |
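Review bot: the comment on the first two lines says the default is `true`, but the renamed key `verify_name_on_connect` is set to `null` on the last line, so the shipped default config documents one value and encodes another; set it to `true` (hostname verification is the safe default, as the foo.com/baz.com case in the comment itself explains) or state what `null` resolves to. While touching the comment, reword it around `verify_name_on_connect` rather than the old option, and fix "wan't" to "want".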
The comments above indicate the value for this config can be false or true (default). But here it's null. Why?
TBH, I do not know, let me set it as true
pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification"; | ||
pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true"; | ||
pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; | ||
pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: &str = "true"; |
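Review bot: the `_DEFAULT` companion constant is carried over by the rename, but nothing in this hunk shows it being consumed; if the reader of `TLS_VERIFY_NAME_ON_CONNECT` does not fall back to `TLS_VERIFY_NAME_ON_CONNECT_DEFAULT` when the key is absent, a missing key ends up with whatever that reader's `None` arm does instead of the documented `"true"`. Either wire the default into the lookup (in both the TLS and QUIC links) or drop the constant so the code does not advertise a default it never applies.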
This TLS_VERIFY_NAME_ON_CONNECT_DEFAULT const seems never used, and doesn't exist in zenoh-link-tls
Yep I noticed it while doing the changes. I think in both QUIC and TLS we should use the default value when getting from the conf.
I'll fix it
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
22f2b3b to 2226121
DEFAULT_CONFIG.json5
Outdated
enable_mtls: false, | ||
/// Path to the TLS connecting side private key | ||
connect_private_key: null, | ||
/// Path to the TLS client connecting side certificate |
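Review bot: the doc comment on the last line still reads "TLS client connecting side certificate" while the key is now `connect_*`; since the point of the rename is to drop the client/server vocabulary, make it "Path to the TLS connecting side certificate", matching the private-key line two lines up. `enable_mtls: false` next to `connect_private_key: null` is consistent: a connecting side that does not do mTLS needs no key.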
Remove client in comment.
Signed-off-by: Gabriele Baldoni <[email protected]>
Some error messages were not updated (I may also have missed some).
Other than that LGTM.
}; | ||
} | ||
|
||
match (c.client_private_key(), c.client_private_key_base64()) { | ||
match (c.connect_private_key(), c.connect_private_key_base64()) { | ||
(Some(_), Some(_)) => { | ||
bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") |
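Review bot: the `match` now calls `connect_private_key()` / `connect_private_key_base64()` but the `bail!` message still names `client_private_key` and `client_private_key_base64`, keys that no longer exist after this breaking rename, so an operator who hits the error will search their config for names that are not there. Change it to "Only one between 'connect_private_key' and 'connect_private_key_base64' can be present!", or build the message from the key constants so it cannot drift again.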
Update error message with new keys
client_private_key.expose_secret(), | ||
)); | ||
} | ||
_ => {} | ||
} | ||
|
||
match (c.client_certificate(), c.client_certificate_base64()) { | ||
match (c.connect_certificate(), c.connect_certificate_base64()) { | ||
(Some(_), Some(_)) => { | ||
bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") |
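Review bot: same stale text for the certificate pair: the match is on `connect_certificate()` / `connect_certificate_base64()` but the `bail!` still says `client_certificate` / `client_certificate_base64`. The `client_private_key` local at the top of the hunk also keeps the old name; renaming it `connect_private_key` keeps the code searchable under the new vocabulary.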
Update error message with new keys
@@ -150,7 +151,7 @@ pub(crate) struct TlsServerConfig { | |||
|
|||
impl TlsServerConfig { | |||
pub async fn new(config: &Config<'_>) -> ZResult<TlsServerConfig> { | |||
let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
Some(s) => s | |||
.parse() | |||
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?, |
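Review bot: `config.get(TLS_CLIENT_AUTH)` became `config.get(TLS_ENABLE_MTLS)` but the `zerror!` on the last line still says "Unknown client auth argument"; reword it to name `enable_mtls` (e.g. "Invalid enable_mtls value: {}") so the error matches the key the user wrote. `s.parse()` into `bool` only accepts the literal strings `true`/`false`, which is fine, but the message should say so.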
Update error message
@@ -248,14 +249,14 @@ pub(crate) struct TlsClientConfig { | |||
|
|||
impl TlsClientConfig { | |||
pub async fn new(config: &Config<'_>) -> ZResult<TlsClientConfig> { | |||
let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
Some(s) => s | |||
.parse() | |||
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?, |
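Review bot: the client-side config keeps the same stale "Unknown client auth argument" message after switching the lookup to `TLS_ENABLE_MTLS`; update it together with the server side. The binding `tls_client_server_auth` also describes the old model; `tls_client_mtls` would match the new key.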
Update error message
@@ -64,83 +64,84 @@ impl ConfigurationInspector<ZenohConfig> for TlsConfigurator { | |||
_ => {} | |||
} | |||
|
|||
match (c.server_private_key(), c.server_private_key_base64()) { | |||
match (c.listen_private_key(), c.listen_private_key_base64()) { | |||
(Some(_), Some(_)) => { | |||
bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") |
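Review bot: the match moved to `listen_private_key()` / `listen_private_key_base64()` but the `bail!` message still says `server_private_key` / `server_private_key_base64`; update it to the `listen_*` names so it refers to keys that exist in the new configuration.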
Update error message
client_private_key.expose_secret(), | ||
)); | ||
} | ||
_ => {} | ||
} | ||
|
||
match (c.client_certificate(), c.client_certificate_base64()) { | ||
match (c.connect_certificate(), c.connect_certificate_base64()) { | ||
(Some(_), Some(_)) => { | ||
bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") |
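Review bot: in this file too the `bail!` for the certificate pair still names `client_certificate` / `client_certificate_base64` although the match uses the `connect_certificate*` accessors, and the `client_private_key` local at the top of the hunk keeps the old name; update both so the TLS and QUIC links report identical key names.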
Update error message
@@ -152,7 +153,7 @@ pub(crate) struct TlsServerConfig { | |||
|
|||
impl TlsServerConfig { | |||
pub async fn new(config: &Config<'_>) -> ZResult<TlsServerConfig> { | |||
let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
Some(s) => s | |||
.parse() | |||
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?, |
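Review bot: the "Unknown client auth argument" message on the last line is stale now that the lookup is `TLS_ENABLE_MTLS`; reword it to name `enable_mtls`. Since the TLS and QUIC links duplicate this parse-with-message verbatim, a shared helper that takes the key name would keep the two from diverging.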
Update error message
@@ -250,14 +251,14 @@ pub(crate) struct TlsClientConfig { | |||
|
|||
impl TlsClientConfig { | |||
pub async fn new(config: &Config<'_>) -> ZResult<TlsClientConfig> { | |||
let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { | |||
let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { | |||
Some(s) => s | |||
.parse() | |||
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?, |
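Review bot: same stale `zerror!` text on the client side after the switch to `TLS_ENABLE_MTLS`; update it to name `enable_mtls` so the error points at the key the operator actually set.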
Update error message
@@ -62,83 +62,84 @@ impl ConfigurationInspector<ZenohConfig> for TlsConfigurator { | |||
_ => {} | |||
} | |||
|
|||
match (c.server_private_key(), c.server_private_key_base64()) { | |||
match (c.listen_private_key(), c.listen_private_key_base64()) { | |||
(Some(_), Some(_)) => { | |||
bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") |
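Review bot: the `bail!` still mentions `server_private_key` / `server_private_key_base64` while the match is on `listen_private_key()` / `listen_private_key_base64()`; update the message to the `listen_*` names.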
Update error message
server_private_key.expose_secret(), | ||
)); | ||
} | ||
_ => {} | ||
} | ||
|
||
match (c.server_certificate(), c.server_certificate_base64()) { | ||
match (c.listen_certificate(), c.listen_certificate_base64()) { | ||
(Some(_), Some(_)) => { | ||
bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") |
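Review bot: the `bail!` for the certificate pair still names `server_certificate` / `server_certificate_base64` while the match reads `listen_certificate()` / `listen_certificate_base64()`; update the message, and rename the `server_private_key` local at the top of the hunk to `listen_private_key` for consistency with the accessor it holds.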
Update error message
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
Signed-off-by: Gabriele Baldoni <[email protected]>
LGTM
LGTM
Names in TLS configuration can be improved, currently we have:
- server_certificate / server_certificate -> used when listening TLS/QUIC
- client_certificate / client_private_key -> used when connecting TLS/QUIC
- server_name_verification / client_auth -> used to configure behaviour in connect/listen
The concepts of server and client are never mentioned in zenoh docs/configuration/examples, so it can be a bit misleading.
I suggest to rename:
- server => listen and client => connect for certificate/key
- server_name_verification => verify_name_on_connect
- client_auth => enable_mtls
So this will make clear that if you want to listen TLS/QUIC you need a listen certificate, when you want to connect you need a connect certificate.
Summarizing, this PR introduces the following changes:
- server_certificate / server_private_key -> listen_certificate / listen_private_key
- client_certificate / client_private_key -> connect_certificate / connect_private_key
- server_name_verification -> verify_name_on_connect
- client_auth -> enable_mtls
Sister PRs:
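As an added example that is not zenoh's own code: a small std-only loader for the renamed keys showing the three things the review above asks for. It resolves each boolean key with a fail-closed default when the key is absent (so a missing `verify_name_on_connect` still means hostname verification is on), enforces the "only one between '<key>' and '<key>_base64'" rule with messages generated from the new key names, and rejects configurations that still use the pre-rename names with a pointer to the replacement, since a breaking rename that silently ignores `server_name_verification: false` would leave the operator believing a setting is in effect. The flat `Config` map, the function names, the `RENAMED` table and the check that `enable_mtls` on the connecting side requires a certificate and key are assumptions of this example.

```rust
// Added example, not zenoh's code: loading the renamed TLS keys with
// fail-closed defaults and error messages that use the new names.
// The Config map, helper names, RENAMED table and the mTLS-needs-cert
// check are assumptions of this example.
use std::collections::HashMap;

// Key names introduced by the PR, with their documented defaults.
pub const TLS_LISTEN_CERTIFICATE: &str = "listen_certificate";
pub const TLS_LISTEN_PRIVATE_KEY: &str = "listen_private_key";
pub const TLS_CONNECT_CERTIFICATE: &str = "connect_certificate";
pub const TLS_CONNECT_PRIVATE_KEY: &str = "connect_private_key";
pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
pub const TLS_ENABLE_MTLS: &str = "enable_mtls";
pub const TLS_ENABLE_MTLS_DEFAULT: bool = false;

/// Old name -> new name (assumed table), used only to explain stale configs.
const RENAMED: &[(&str, &str)] = &[
    ("server_certificate", TLS_LISTEN_CERTIFICATE),
    ("server_private_key", TLS_LISTEN_PRIVATE_KEY),
    ("client_certificate", TLS_CONNECT_CERTIFICATE),
    ("client_private_key", TLS_CONNECT_PRIVATE_KEY),
    ("server_name_verification", TLS_VERIFY_NAME_ON_CONNECT),
    ("client_auth", TLS_ENABLE_MTLS),
];

/// Flat key/value view of the TLS section (assumption of this example).
pub type Config = HashMap<String, String>;

/// Absent key -> documented default; present but not "true"/"false" -> an
/// error that names the key the operator actually wrote.
pub fn get_bool_or_default(cfg: &Config, key: &str, default: bool) -> Result<bool, String> {
    match cfg.get(key) {
        None => Ok(default),
        Some(s) => s
            .parse::<bool>()
            .map_err(|_| format!("Invalid value '{s}' for '{key}': expected true or false")),
    }
}

/// "Only one between '<key>' and '<key>_base64' can be present", built from
/// the key name so the message cannot drift from the accessor again.
pub fn exactly_one_source(cfg: &Config, key: &str) -> Result<Option<String>, String> {
    let b64 = format!("{key}_base64");
    match (cfg.get(key), cfg.get(&b64)) {
        (Some(_), Some(_)) => Err(format!("Only one between '{key}' and '{b64}' can be present!")),
        (Some(v), None) | (None, Some(v)) => Ok(Some(v.clone())),
        (None, None) => Ok(None),
    }
}

/// Breaking rename: refuse pre-rename keys instead of silently ignoring them,
/// which would otherwise drop e.g. `server_name_verification: false` on the floor.
pub fn reject_old_keys(cfg: &Config) -> Result<(), String> {
    for (old, new) in RENAMED {
        for suffix in ["", "_base64"] {
            let stale = format!("{old}{suffix}");
            if cfg.contains_key(&stale) {
                return Err(format!("'{stale}' was renamed to '{new}{suffix}'"));
            }
        }
    }
    Ok(())
}

#[derive(Debug)]
pub struct TlsConnectSettings {
    pub verify_name: bool,
    pub mtls: bool,
    pub cert: Option<String>,
    pub key: Option<String>,
}

/// Resolve everything the connecting side needs.
pub fn load_connect(cfg: &Config) -> Result<TlsConnectSettings, String> {
    reject_old_keys(cfg)?;
    let verify_name =
        get_bool_or_default(cfg, TLS_VERIFY_NAME_ON_CONNECT, TLS_VERIFY_NAME_ON_CONNECT_DEFAULT)?;
    let mtls = get_bool_or_default(cfg, TLS_ENABLE_MTLS, TLS_ENABLE_MTLS_DEFAULT)?;
    let cert = exactly_one_source(cfg, TLS_CONNECT_CERTIFICATE)?;
    let key = exactly_one_source(cfg, TLS_CONNECT_PRIVATE_KEY)?;
    // Assumed check: with mTLS on, the connecting side must present a cert and key.
    if mtls && (cert.is_none() || key.is_none()) {
        return Err(format!(
            "'{TLS_ENABLE_MTLS}' is true but '{TLS_CONNECT_CERTIFICATE}' or '{TLS_CONNECT_PRIVATE_KEY}' is missing"
        ));
    }
    Ok(TlsConnectSettings { verify_name, mtls, cert, key })
}

/// Build a Config from constructed sample pairs.
pub fn make_cfg(pairs: &[(&str, &str)]) -> Config {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed sample: an empty section yields the safe defaults.
    println!("{:?}", load_connect(&make_cfg(&[])));
    // Constructed sample: a stale key is rejected with the replacement name.
    println!("{:?}", load_connect(&make_cfg(&[("server_name_verification", "false")])));
}
```

The design choice worth noting is that every message is produced from the same constant the lookup uses; the stale `client_private_key` / `server_private_key` strings the reviewers flagged in this PR can only appear when the message is typed out separately from the accessor.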