Description
===========

The ``certifier`` performs two basic tasks: 1) Load SSL certificates from file storage on demand. The total number of loaded certificates kept in memory can be configured. 2) Generates SSL certificates on demand. Generated certificates will be written to file storage for later retrieval.
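Review bot: the two numbered tasks are not parallel: item 1 reads "Load SSL certificates" while item 2 reads "Generates SSL certificates"; use the same verb form for both. It would also help to name the option that sets the limit behind "can be configured" (the ``--max`` option used in the example below) so the reader can connect the sentence to the configuration.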
basic tasks:
#. Load SSL ...
#. Generate SSL ...

To use this plugin, configure it in a :file:`plugin.config` rule, specifying certificates storage path, max number of certificates in memory, and signing cert+key+serial. For example:

    certifier.so --store=/home/zeyuan/certifier/certs --max=1000 --sign-cert=/home/zeyuan/certifier/root-ca.crt --sign-key=/home/zeyuan/certifier/root-ca.key --sign-serial=/home/zeyuan/certifier/ca-serial.txt
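Review bot: every path in the example points into a developer's personal home directory (``/home/zeyuan/...``); replace them with neutral placeholders such as ``/path/to/certs`` so they are not copied verbatim into deployments. Because ``--sign-key`` is the private key of a CA that clients are configured to trust (see the ``--sign-cert`` description), the text should also say that this file must be readable only by the Traffic Server process user, and whether ``--sign-serial`` is read-only or updated as certificates are issued, since that decides which directories need to be writable.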

Certificates management is done by `SslLRUList` (a Least-Recently-Used (LRU) list with a lookup map). The structure holding all info related to a given SNI is `SslData`. On lookup/insertion, the lookup map will be accessed and the corresponding `SslData` pointer will be moved to the head in the list. If on lookup/insertion the internal count exceeds the given limit on number of files, the tail node will be removed from both the list and the map.
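Review bot: the eviction sentence speaks of "the given limit on number of files" while the configuration paragraph calls the same value the "max number of certificates in memory"; use one term and tie it to ``--max``. The paragraph should also state what happens to an `SslData` entry removed from the tail while a connection is still using its context (reference-counted, or freed immediately?), because that is what determines whether eviction under load is safe.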

When the plugin sees an incoming HTTPS request, it does:

1) Look up the SNI in `SslLRUList` and set up the context if a valid context exists. Otherwise, it will schedule a thread to retrieve such context from disk (or generate). If such a thread is already scheduled, it will put this SSL connection onto the queue.
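Review bot: the list stops at item 1) although the sentence introduces a multi-step sequence; the retriever step that the review comment alludes to is missing and should be added. Item 1) should also say how the SNI is mapped to a file name under ``--store``: the SNI is supplied by the client, so the documentation should state that the value is validated or sanitised before it is used as a path component, and what the plugin does for a connection that presents no SNI at all.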
Use
#. Look up ...
#. The retriever ...

Setup
=====

* Signing cert, key, and serial
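Review bot: the bullet names the three artifacts but not their expected formats or how they are produced; state the file format expected for the certificate and key, the format of the serial file, and whether the serial file must exist before the first certificate is generated or is created on demand.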
Certificate and key
For example, ...
Serial number
A text file containing ...

    certifier.so --store=/home/zeyuan/certifier/certs --max=1000 --sign-cert=/home/zeyuan/certifier/root-ca.crt --sign-key=/home/zeyuan/certifier/root-ca.key --sign-serial=/home/zeyuan/certifier/ca-serial.txt

Implementation
Put this as the last section, it is of the least general interest.
====================

* Specify certificate generation related files. If any of the following parameters is missing, the dynamic generation will be disabled.
* ``--sign-cert=<path_to_certificate>`` (`optional`, default:empty/unused) - specifies the path to the root CA certficate. In most cases, this would be a self-signed certificate that is configured to be trusted by all potential clients. Path should be the path and file name of the cert. If it is relative, it is relative to the Traffic Server configuration directory.
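Review bot: typo in the ``--sign-cert`` entry, "certficate" should be "certificate", and the sentence "Path should be the path and file name of the cert" repeats the first sentence; fold it into the relative-path sentence or drop it. The leading bullet says generation is disabled if "any of the following parameters" is missing, so ``--sign-key`` and ``--sign-serial`` need entries in the same form as ``--sign-cert``, including their defaults and the relative-path rule.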
I'd be tempted to use the definition list style instead of bulleted list.
* Specify certificate ...
``--sign-cert=<path_to_certificate>``
specifies the path to the root ...

Example Usage
=============

One use case would be routing incoming CONNECT request to another port on traffic server. With the certifier generating a trusted certificate, other plugins can act with a similar behavior to Man-In-The-Middle (logging interesting data for example).
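Review bot: "routing incoming CONNECT request" should read "requests", and "traffic server" should be "Traffic Server" as in the rest of the document. The paragraph should also make the prerequisite from the ``--sign-cert`` description explicit here: the described interception only works for clients that have been configured to trust the signing CA, and it should name the plugin or remap rule that actually consumes the generated certificate so the reader knows what else to configure.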
This needs more depth in terms of operational set up. A plantuml sequence diagram would be nice.
ae4e291 to 166b368

SolidWallOfCode approved these changes Sep 19, 2018