Add a transport library. #358
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| } | ||
|
|
||
| hosts := make([]string, 0, len(csr.DNSNames)+len(csr.IPAddresses)) | ||
| for i := range csr.DNSNames { |
|
It's possible this should be under |
| t.Fatal("key provider shouldn't have a key yet") | ||
| } | ||
|
|
||
| err = kp.Generate("ecdsa", 256) |
There was a problem hiding this comment.
For better test coverage you could add a test for Generate with "rsa" as well
|
Rebase off master to fix CI issues... |
|
|
||
| // Dial initiates a TLS connection to an outbound server. It returns a | ||
| // TLS connection to the server. | ||
| func Dial(address string, tr *Transport) (*tls.Conn, error) { |
There was a problem hiding this comment.
Why not:
func (tr *Transport) Dial(address string) (*tls.Conn, error)There was a problem hiding this comment.
The `crypto/tls` library does it this way: it's not
```
func (cfg *Config) Dial...
```
I just tried to keep that style to cut down on having to remember what
to use where.
The transport library provides tools for building TLS-secured client and server connections. It is designed to minimise the number of knobs and switches that are presented to end users, and supports features such as auto-updating of certificates.
The SHA384 GCM ciphersuites aren't supported in Go 1.4; instead of having version-specified suites, include them as manually-specified suites. The TLS package won't send ciphersuites it doesn't actually support, and there is no compile-time generation of the ciphersuite list.
TrustStore provides a mechanism for obtaining trusted roots. By default, it will use the system roots; otherwise, it will attempt to load certificates from a set of specified roots.
This commit simplifies the listener structure, and ensures that it satisfies the net.Listener interface.
* Move common functions to an example library. * Various clean ups: splitting things into separate functions and making it easier to extend the examples later. * Client sends a few messages this time, and the server will acknowledge them. In the future, a more extensive example might be useful.
This README explains how to bootstrap a CFSSL for use in the examples, how to run the server, and how to run the clients.
Add configurations to demonstrate the case where the remote CFSSL requires authentication.
This is mostly commentary adjustments via https://travis-ci.org/cloudflare/cfssl/jobs/87769654.
| @@ -0,0 +1,16 @@ | |||
| // Package ca provides the CertificateAuthority interface for the | |||
| // transport package, which provide an interface to get a CSR signed | |||
* Remove unused core/config.go file. Users should just use the `Dial` and `Listen` functions in the `transport` package. * Fix spelling and grammar issues. * Clean up formatting on JSON file.
| var ErrNoAuth = errors.New("transport: authentication is required for non-local remotes") | ||
|
|
||
| var v4Loopback = net.IPNet{ | ||
| IP: net.IP{127, 0, 0, 1}, |
There was a problem hiding this comment.
Threw me for a second. Maybe make it net.IP{127, 0, 0, 0}?
* Notation change in specifying local IPv4 network. * Explicitly mark AutoUpdate channels as write-only. * Add a recovery and associated critical log message in the event an autoupdate goroutine panics.
* Use "client" as the profile name for consistency with the authenticated version. * Add an error channel to server to demonstrate its use.
This was requested by @jkroll. Also adds package documentation.
| // New builds a new transport from an identity and a before time. The | ||
| // before time tells the transport how long before the certificate | ||
| // expires to start attempting to update when auto-updating. | ||
| func New(before time.Duration, identity *core.Identity) (*Transport, error) { |
There was a problem hiding this comment.
What happens if before > lifetime of a freshly issued cert?
There was a problem hiding this comment.
If the auto updater is running, every time it checks the time (e.g. every PollInterval seconds) it will request a new certificate.
|
Questions on certificate rollover, all in the context of very long running connections:
Otherwise a pleasure to read! |
|
Re: certificate rollover questions, the certificate is only used at the establishment of a connection so long-running connections can have the certificate swapped out from under them with no danger. Clients should auto-update when their certificate is close to expiration. The same logic applies, no restart needed. |
Question #1: "What happens if before > lifetime of a freshly issued cert?" Question #2: "Questions on certificate rollover, all in the context of very long running connections: * Does a server have to react to an updated cert by resetting connections? * Does a client have to AutoUpdate? * If yes, should a client restart connections as well on a new certificate?" Rekey was renamed to RefreshKeys, and the documentation now reflects this.
|
@lmb Answered these questions in the latest commit (so that they're also in the documentation now), but the gist is:
|
|
Looks good to merge. |
|
LGTM |
| errChan <- err | ||
| } | ||
|
|
||
| <-time.After(5 * time.Minute) |
There was a problem hiding this comment.
Added in transport/core/backoff.go
|
👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The transport library provides tools for building TLS-secured client
and server connections. It is designed to minimise the number of knobs
and switches that are presented to end users, and supports features
such as auto-updating of certificates.