TLS: Add different client cert support. #8076
In addition to the CA and generic certificate, the script now creates client-only and server-only certificates. Also, skip intensive operations if target files already exist.
This adds new `tls-client-cert-file` and `tls-client-key-file` configuration directives which make it possible to use different certificates for the TLS-server and TLS-client functions of Redis. These directives are optional. If they are not specified, the `tls-cert-file` and `tls-key-file` directives are used for TLS client functions as well.
oranagra left a comment:
@yossigo i don't know TLS and the various configurations well enough.
i assume everything that you moved from tlsConfigure into the new createSSLContext are settings that should apply to both client and server, and that what's left in tlsConfigure after the first call to createSSLContext are things that apply only to the server.
in which case it all looks good to me.
one thing i noticed is that these lines now exist in both:

```c
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
```

which means maybe they should be removed from tlsConfigure?
or alternatively, the second one seems to apply only to servers? so maybe it needs to be removed from createSSLContext?
@oranagra Yes,

@redis/core-team please approve the new configs
This adds a new `tls-client-cert-file` and `tls-client-key-file` configuration directives which make it possible to use different certificates for the TLS-server and TLS-client functions of Redis. This is an optional directive. If it is not specified the `tls-cert-file` and `tls-key-file` directives are used for TLS client functions as well. Also, `utils/gen-test-certs.sh` now creates additional server-only and client-only certs and will skip intensive operations if target files already exist.
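The server/client split described above, as an added Python illustration (not Redis code, which drives OpenSSL directly): the fallback from `tls-client-cert-file`/`tls-client-key-file` to `tls-cert-file`/`tls-key-file`, settings common to both roles applied in one place, and the client-certificate requirement applied to the server context only, which is the split oranagra's comment asks about. The config fragments, paths and the TLS 1.2 minimum are constructed assumptions; `load_cert_chain` is only called when the files exist, so the block runs without any certificates present.

```python
import os
import ssl

# Constructed redis.conf fragments for the demo (not from the PR); paths are placeholders.
CONF_SPLIT = """tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-client-cert-file /etc/redis/tls/client.crt
tls-client-key-file /etc/redis/tls/client.key"""
CONF_SHARED = """tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key"""

def parse_conf(text):
    """Minimal 'directive value' parser; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def resolve_tls_files(conf):
    """Fallback from the PR: client cert/key default to tls-cert-file/tls-key-file."""
    return {
        "server_cert": conf["tls-cert-file"],
        "server_key": conf["tls-key-file"],
        "client_cert": conf.get("tls-client-cert-file", conf["tls-cert-file"]),
        "client_key": conf.get("tls-client-key-file", conf["tls-key-file"]),
    }

def build_contexts(conf):
    """Separate server and client contexts, each loading its own resolved chain.
    Settings common to both roles go through one loop (the shared-builder idea);
    the server-only requirement for a client certificate is applied afterwards."""
    files = resolve_tls_files(conf)
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for ctx, cert, key in ((server, files["server_cert"], files["server_key"]),
                           (client, files["client_cert"], files["client_key"])):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption; shared by both roles
        if os.path.exists(cert) and os.path.exists(key):  # placeholder paths: skipped here
            ctx.load_cert_chain(cert, key)
    # Server-only: require and verify a client certificate, the equivalent of
    # SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT on an OpenSSL server context.
    server.verify_mode = ssl.CERT_REQUIRED
    return server, client, files

def requires_peer_cert(ctx):
    """True when the context refuses a handshake without a peer certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED
```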
Fixes #7946