git-paf: possibility to provide custom trust anchors
hannesm opened this issue · comments
Currently, the ca-certs-nss is hardcoded. For some deployments, the git server has only a self-signed certificate, or a certificate signed by a custom CA. It would be nice if such deployment scenarios could be supported by git-paf.
See the issue robur-coop/dns-primary-git#9 (comment) for further information.
/cc @hb9cwp
So the new API provides a way to use a custom trust anchor:
val with_optional_tls_config_and_headers :
?headers:(string * string) list ->
?tls_key_fingerprint:string ->
?tls_cert_fingerprint:string ->
Mimic.ctx ->
Mimic.ctx Lwt.t
If tls_key_fingerprint or tls_cert_fingerprint are not given, git-mirage-http uses ca-certs-nss. Is it a good solution for you?
sure, though maybe a ?ca_cert:X509.Certificate.t would be nice as well (for organisations with their own internal CA).
Do you prefer ?authenticator:X509.Authenticator.t? I mean, this is the final value expected by Tls.Config.client; it would allow me to drop the dependency on ca-certs-nss (and you can make a functoria device to pass the value) and let the user pass their own authenticator. WDYT?
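The two options discussed in this thread, a trust anchor for an internal CA versus a key fingerprint, both end up as an X509.Authenticator.t handed to Tls.Config.client. The snippet below is an added illustration, not code from git-paf, ocaml-git or ocaml-tls; it assumes the string-based API of x509 >= 1.0 (X509.Certificate.decode_pem taking a string, X509.Authenticator.chain_of_trust and X509.Authenticator.server_key_fingerprint), plus ptime.clock.os for the clock. Names like authenticator_of_ca_pem are hypothetical.

```ocaml
(* Added example, not code from git-paf or ocaml-git. Assumes x509 >= 1.0
   (string-based API), tls, ptime and ptime.clock.os. *)

(* Verification time; the authenticator uses it to check validity periods. *)
let time () = Some (Ptime_clock.now ())

(* Trust anchor for an organisation's internal CA: the server's chain is
   verified against exactly this CA certificate instead of the NSS bundle,
   so ca-certs-nss is not needed at all. *)
let authenticator_of_ca_pem (pem : string)
    : (X509.Authenticator.t, [> `Msg of string ]) result =
  match X509.Certificate.decode_pem pem with
  | Ok ca -> Ok (X509.Authenticator.chain_of_trust ~time [ ca ])
  | Error _ as e -> e

(* Key pinning, the ?tls_key_fingerprint path: only the SHA-256 digest of
   the server's public key (raw digest bytes) is compared; no chain or CA
   is involved, which is why it serialises as a simple string. *)
let authenticator_of_key_fingerprint (fingerprint : string)
    : X509.Authenticator.t =
  X509.Authenticator.server_key_fingerprint ~time ~hash:`SHA256 ~fingerprint

(* Either authenticator plugs straight into the TLS client configuration,
   which is the value Tls.Config.client ultimately expects. *)
let client_config (authenticator : X509.Authenticator.t) =
  Tls.Config.client ~authenticator ()
```

With a self-signed server certificate, the "CA" passed to chain_of_trust is simply that certificate itself; the fingerprint variant is the better fit when the deployment cannot ship a PEM file and only a string can be threaded through configuration.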
indeed, maybe a functoria device (defaulting to ca-certs-nss) makes sense.
I tried this solution and an authenticator as a device implies a module which should be passed to git_mirage_http, which seems not the best solution. Two possibilities exist for us:
- We can extend Git_mirage_http.Make to expect a fake module which will represent the authenticator for functoria - but that mostly means that we pass the value X509.Authenticator.t and the module which is able to make/connect this value
- We should find something else which can be easily serializable via a simple string, as tls_key_fingerprint/tls_cert_fingerprint
not sure yet. maybe we are fine with what you did recently, and we will get back to this at a later point in time?
Yeah, I agree with that, it is still possible to give the certificate fingerprint 👍. I will leave this issue open then.
Closed by #555