deno icon indicating copy to clipboard operation
deno copied to clipboard
verified publisher icon denoland

feat(ext/net): Add support for client certificate and key to Deno.startTls

Open emrul opened this issue 2 years ago • 4 comments

Deno.connectTls already supports these options and there seems to be no reason for missing startTls. See #21496

<-- TODO 3. Ensure there are tests that cover the changes. 4. Ensure cargo test passes. 5. Ensure ./tools/format.js passes without changing files. 6. Ensure ./tools/lint.js passes. 7. Open as a draft PR if your work is still in progress. The CI won't run all steps, but you can add '[ci]' to a commit message to force it to. 8. If you would like to run the benchmarks on the CI, add the 'ci-bench' label. -->

emrul avatar Dec 07 '23 17:12 emrul

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Dec 07 '23 17:12 CLAassistant

This is looking good, but I am a little worried about testing here. We currently test STARTTLS against smtp.gmail.com which I am not a fan of. I'd be interested to see if you can easily add a STARTTLS-supporting server to test_server.

mmastrac avatar Dec 08 '23 02:12 mmastrac

Thanks @mmastrac - I wasn't sure what testing would look like either and we might be able to do better than test a third-party public endpoint. How about an embedded SMTP/NATS server for testing purposes?

Edit: How about something like GreenMail which is intended for testing purposes and supports SSL. Would that work for the Deno team?

emrul avatar Dec 08 '23 06:12 emrul

Thanks @mmastrac - I wasn't sure what testing would look like either and we might be able to do better than test a third-party public endpoint. How about an embedded SMTP/NATS server for testing purposes?

Edit: How about something like GreenMail which is intended for testing purposes and supports SSL. Would that work for the Deno team?

I think that GreenMail is probably too heavyweight, but I think it would be reasonably easy to write a very basic SMTP-like service using rustls-tokio-stream. We already have a TLS server -- it should be pretty simple to have a second one that reads a plaintext line and then starts TLS.

If you'd like to take a crack at it, happy to offer some guidance on that part.

/// This server responds with 'PASS' if client authentication was successful. Try it by running
/// test_server and
///   curl --cacert cli/tests/testdata/tls/RootCA.crt https://localhost:4553/
async fn run_tls_server() {
  let mut tls =
    get_tls_listener_stream("tls", TLS_PORT, Default::default()).await;
  while let Some(Ok(mut tls_stream)) = tls.next().await {
    tokio::spawn(async move {
      tls_stream.write_all(b"PASS").await.unwrap();
    });
  }
}

mmastrac avatar Dec 14 '23 22:12 mmastrac

@bartlomieju I need this PR. Is it okay if I do git cherry-pick emrul's commits based on the current main branch and create a new PR?

nana4gonta avatar Jan 30 '25 04:01 nana4gonta

closing this because it's old

ry avatar Mar 21 '25 02:03 ry