Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proxy: optional server-side verification #166

Merged
merged 4 commits into from
Dec 29, 2022
Merged

proxy: optional server-side verification #166

merged 4 commits into from
Dec 29, 2022

Conversation

xhebox
Copy link
Collaborator

@xhebox xhebox commented Dec 28, 2022
edited
Loading

Signed-off-by: xhe xw897002528@gmail.com

What problem does this PR solve?

Issue Number: ref #136

Problem Summary: Serverless tier will provide CA now, which results into rejections to all clients without providing certs. This can be solved by not-specifying CA, or the new semantic of TLSConfig:

For a server TLS config, if ca is specified and skip-ca==true, server will not require clients to provide certs, but recommend/request clients to provide certs if any.

What is changed:

  1. new semantic for server TLS
  2. make createTempTLS private, expose CreateTLSCertificates to remove AutoTLS
  3. remove autoCertInterval, which is replaced by refactored certInfo.expire
  4. refactored cert manager tests to be simpler and cover more about rotation(improve coverage by 0.3%). Rotation(CA and certs) are covered by TestRotate. And TestInit covered some configuration tests. Internal details of certs should be covered by pkg/lib/util/security/cert_test.go.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Notable changes

  • Has configuration change
  • Has HTTP API interfaces change (Don't forget to add the declarative for API)
  • Has tiproxyctl change
  • Other user behavior changes

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

@xhebox
proxy: optional server-side verification
7060ef9 
Signed-off-by: xhe <xw897002528@gmail.com>
@xhebox
*: rewords
69a2824 
Signed-off-by: xhe <xw897002528@gmail.com>
@xhebox
*: complete tests
88c5fe5 
Signed-off-by: xhe <xw897002528@gmail.com>
@xhebox xhebox requested a review from djshow832 December 28, 2022 05:17
djshow832
djshow832 reviewed Dec 29, 2022
View reviewed changes
Copy link
Collaborator

@djshow832 djshow832 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just remove skip-ca?

@xhebox
Copy link
Collaborator Author

xhebox commented Dec 29, 2022
edited
Loading

Why not just remove skip-ca?

Then we can not enforce server-side verification if someone wants to do so. Or we can't let clients to skip cert checks.

@xhebox
*: fix CI
88e8399 
Signed-off-by: xhe <xw897002528@gmail.com>
@xhebox xhebox requested a review from djshow832 December 29, 2022 04:44
@djshow832 djshow832 merged commit 8bc079b into main Dec 29, 2022
@djshow832 djshow832 deleted the tls_5 branch December 29, 2022 08:59
@xhebox xhebox mentioned this pull request Dec 29, 2022
Closed
13 tasks
xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 7, 2023
@xhebox
proxy: optional server-side verification (pingcap#166)
5a10ed5
xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 13, 2023
@xhebox
proxy: optional server-side verification (pingcap#166)
5c7e9e7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djshow832 djshow832 djshow832 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@xhebox @djshow832