Add basic support for using self-signed TLS certificates #97
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* main: Fix DCAP verification tests following upgrade of dcap-qvl
ameba23
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds basic support for self-signed TLS certificates to the attested TLS protocol.
Options to add enables this on the vanilla proxy server and client are also provided.
But this PR does not allow them for the other commands: attested-get, get-tls-cert, attested-file-server.
These can be added following a planned refactor of the CLI configuration - as it is starting to get messy - or added at the point of needing them, as it is still not totally clear what our approach to self-signed is.
I wanted to gate this behind a feature flag, to enable builds which do not permit it. But it got complicated when setting up the CLI configuration. So i plan to keep it always enabled for the HTTP proxy, but have it on a feature flag for
attested-tlsonce that is refactored into a separate crate in #95