mirage / ocaml-git

Pure OCaml Git format and protocol

git-paf: possibility to provide custom trust anchors

hannesm opened this issue · comments

Currently, ca-certs-nss is hardcoded. For some deployments, the git server has only a self-signed certificate, or a certificate signed by a custom CA. It would be nice if such deployment scenarios could be supported by git-paf.

See the issue robur-coop/dns-primary-git#9 (comment) for further information.

/cc @hb9cwp

So the new API provides a way to use a custom trust anchor:

val with_optional_tls_config_and_headers :
    ?headers:(string * string) list ->
    ?tls_key_fingerprint:string ->
    ?tls_cert_fingerprint:string ->
    Mimic.ctx ->
    Mimic.ctx Lwt.t

If tls_key_fingerprint or tls_cert_fingerprint is not given, git-mirage-http uses ca-certs-nss. Is it a good solution for you?

sure, though maybe a ?ca_cert:X509.Certificate.t would be nice as well (for organisations with their own internal CA).

Do you prefer ?authenticator:X509.Authenticator.t? I mean, this is the final value expected by Tls.Config.client; it permits me to delete the dependency on ca-certs-nss (and you can make a functoria device to pass the value) and lets the user pass their own authenticator. WDYT?
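The three ways of building the X509.Authenticator.t that Tls.Config.client ends up consuming (an explicit key fingerprint, a private CA certificate, or the ca-certs-nss default), as an added example that is not code from ocaml-git, git-paf or the thread participants. It assumes the x509 0.1x API (chain_of_trust and server_key_fingerprint take a ~time thunk and a Cstruct.t fingerprint, decode_pem takes a Cstruct.t), tls 0.1x (Tls.Config.client returns the config directly), ptime.clock.os and ca-certs-nss; tls_client, the authenticator_of_* helpers and the colon-separated hex fingerprint format are this example's own names and choices.

```ocaml
(* Added example, not ocaml-git / git-paf code. Assumes x509 0.1x, tls 0.1x,
   ca-certs-nss and ptime.clock.os; names below are this example's own. *)

(* Validity-period check needs a clock; Ptime_clock comes from ptime.clock.os. *)
let now () = Some (Ptime_clock.now ())

(* "ab:cd:..." or "abcd..." -> raw digest bytes. The digest is sha256 over the
   DER-encoded SubjectPublicKeyInfo, e.g.
   openssl x509 -in srv.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum *)
let bytes_of_hex_fingerprint s =
  Cstruct.of_hex (String.concat "" (String.split_on_char ':' s))

(* Pin the server's public key: survives certificate renewal as long as the
   key is kept, and fails closed when the key is rotated. *)
let authenticator_of_key_fingerprint hex =
  X509.Authenticator.server_key_fingerprint ~time:now ~hash:`SHA256
    ~fingerprint:(bytes_of_hex_fingerprint hex)

(* Trust a private CA given as PEM: the server's chain must lead to this root,
   so both the organisation's internal CA and self-signed leaf certs work. *)
let authenticator_of_ca_pem pem =
  match X509.Certificate.decode_pem (Cstruct.of_string pem) with
  | Error (`Msg e) -> failwith ("bad CA certificate: " ^ e)
  | Ok ca -> X509.Authenticator.chain_of_trust ~time:now [ ca ]

(* Default: the NSS trust store, built at compile time by ca-certs-nss. *)
let default_authenticator () =
  match Ca_certs_nss.authenticator () with
  | Ok a -> a
  | Error (`Msg e) -> failwith ("ca-certs-nss: " ^ e)

(* An explicit pin wins over a CA, and both win over the public trust store;
   the resulting authenticator is the only trust-related input of
   Tls.Config.client. *)
let tls_client ?tls_key_fingerprint ?ca_cert_pem () =
  let authenticator =
    match (tls_key_fingerprint, ca_cert_pem) with
    | Some fp, _ -> authenticator_of_key_fingerprint fp
    | None, Some pem -> authenticator_of_ca_pem pem
    | None, None -> default_authenticator ()
  in
  Tls.Config.client ~authenticator ()
```

The point of the ordering in tls_client is that a key-fingerprint pin does not go through any chain validation, so a deployment that sets one has opted out of the CA model entirely; a practitioner should treat the fingerprint string like a credential in the unikernel configuration and re-issue it whenever the server key changes.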

indeed, maybe a functoria device (defaulting to ca-certs-nss) makes sense.

I tried this solution, and an authenticator as a device implies a module which should be passed to git_mirage_http, which does not seem the best solution. Two possibilities exist for us:

  1. We can extend Git_mirage_http.Make to expect a fake module which will represent the authenticator for functoria - but that mostly means that we pass the value X509.Authenticator.t and the module which is able to make/connect this value
  2. We should find something else which can be easily serialized as a simple string, like tls_key_fingerprint/tls_cert_fingerprint

not sure yet. maybe we are fine with what you did recently, and we will get back to this at a later point in time?

Yeah, I agree with that; it is still possible to give the certificate fingerprint 👍. I will leave this issue open then.