Matthew McPherrin
@csstaub did the changes in our fork get upstreamed to github? If not, we could "properly" fork (switch package name in imports to github.com/ghostunnel/ghostunnel/certstore) and avoid using the replace statement
Note this is achievable today simply by re-executing a new ghostunnel and killing the old one. Since it sets SO_REUSEPORT by default, you can run multiple instances in parallel. I...
huh the ebpf trick is neat; I hadn't seen that before. If we do in-process reloads, theoretically at least that's not really a concern as we could dispatch in-process on...
I would tend to prefer just putting them in the URL, but headers or JSON could be fine too. If I have a spare moment, I might get to this...
Not all clients support trusting CAs, and not all servers (e.g., our networking gear) support serving certificates. Since we have the information anyways, we can just put them in the...
Yeah, supporting multiple kinds of known_hosts generation (including ca, hosts, or both) was planned in the original design doc (just hasn't been done yet). I'll make sure there's an issue...
@alokmenghrajani What do you think? Maybe we should support it if an external implementation is provided? I would like to avoid having crypto primitives in this library.
If webcrypto-liner supported chacha20/poly1305/x25519/ed25519, we could make js-jose work with that I think.
At some point, I think we'd like a way to have some control over this. In particular, I'd like to always issue some kind of "Default" service identity, but for...