dhtproxy: add server two-ways tls #432
Conversation
binarytrails
changed the title
binarytrails
force-pushed
the
proxy_two-ways-tls
branch
4 times, most recently
from
942dfe4
to
846ebf1
Compare
binarytrails
changed the title
binarytrails
changed the title
include/opendht/dht_proxy_server.h
Outdated
| @@ -74,7 +74,7 @@ class OPENDHT_PUBLIC DhtProxyServer | |||
| DhtProxyServer( | |||
| dht::crypto::Identity identity, | |||
| std::shared_ptr<DhtRunner> dht, in_port_t port = 8000, const std::string& pushServer = "", | |||
| std::shared_ptr<dht::Logger> logger = {}); | |||
| const std::string& client_certificate = "", std::shared_ptr<dht::Logger> logger = {}); | |||
There was a problem hiding this comment.
should be able to provide in-memory certificate (from shared_ptrcrypto::Certificate)
There was a problem hiding this comment.
@aberaud we could use the in-memory feature to add a client certificate to the ssl strore [1] however, this would require design changes to update them dynamically on the server instance. An interesting thread explaining the underlying issue is here [2] and the solution to update them dynamically would be at [1]. To recall this feature is to be able to validate multiple clients with their certificates at the store.
[1] http://think-async.com/Asio/asio-1.12.2/doc/asio/reference/ssl__context/add_certificate_authority/overload2.html
[2] http://boost.2283326.n4.nabble.com/ASIO-ssl-load-verify-file-td2577261.html
binarytrails
force-pushed
the
proxy_two-ways-tls
branch
from
846ebf1
to
ca20bbd
Compare
binarytrails
force-pushed
the
proxy_two-ways-tls
branch
from
1eebd70
to
a39bd22
Compare
aberaud
force-pushed
the
master
branch
9 times, most recently
from
f05b60d
to
dfd0a09
Compare
aberaud
force-pushed
the
master
branch
2 times, most recently
from
3eabdbd
to
f3223ef
Compare
aberaud
force-pushed
the
master
branch
12 times, most recently
from
966e620
to
fe6676f
Compare
run:
tools/dhtnode --proxyserverssl 8080 --proxy-certificate ca.pem --proxy-privkey key.priv --proxy-privkey-password x --proxy-client-certificate client-certificates.pem -vin memory:
It is possible to add in memory client certificates to the certificate authority store however, the fuction allowing it
add_certificate_authorityonly takes one at time thus, if this is the way taken instead of using an external file containing many added withload_verify_filedone at 92766f7, one should perhaps change the design to load other client certs dynamically or load many of them at run time with multiple args following--proxy-client-certificates.