David Arnold

1203 comments by David Arnold

I came to the conclusion that if time and budget are to be spent on this issue, it ultimately should be made available upstream: https://github.com/SergioBenitez/Rocket/issues/1448 It looks as if this...

I've set up a testbed here: https://github.com/ContainerSolutions/trow/pull/193 → TTL can be set to something like 30 seconds here: https://github.com/ContainerSolutions/trow/pull/193/files#diff-ac309bd9e52a2419f8aaff3203228458fbaec4f7336192cf4f4ec269ec7befd3R7

### `trow-svc` with SPIFFE TLS

```console
$ kubectl alpha debug -n trow-dev pod/trow-deploy-7bf6d8ddb6-hbdpk -i -t --image=curlimages/curl -- sh
...
$
/ $ curl --insecure -vvI https://trow-svc
*   Trying 10.43.106.163:443...
*...
```

### `registry.local` with local cert

```console
$ curl --insecure -vvI https://registry.local
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to registry.local (127.0.0.1) port 443 (#0)
* ALPN, offering h2
*...
```

Absolutely in line with #184

SPIFFE _could_ (as one option) provide the mTLS machinery that might eventually be required.

It seems salvation would have to come from these lines: https://github.com/SergioBenitez/Rocket/blob/master/core/http/src/tls.rs Or rather here: https://github.com/ctz/rustls/issues/332 → ring

### marching through the institutions

- [x] Add EC support to rustls [try] → https://github.com/ctz/rustls/pull/409
- [x] Add EC support to Rocket [try] → https://github.com/SergioBenitez/Rocket/pull/1449
- [x] Use patched `rustls`...

Yeah a test sounds like an excellent idea! I'll throw something together today.

@amouat https://github.com/SergioBenitez/Rocket/commit/af48d1f2e64ac353511c079855951c9cdc51177a It looks like this just unblocked. I would be very keen to be able to end-to-end test my PoC setup from half a year ago on hope to...