
Support inline TLS Certificates and Keys

Open tisba opened this issue 7 years ago • 6 comments

This PR adds <cert> and <key> under <set_option name="certificate">:

<set_option name="certificate">
  <certificate>
    <cert>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
    </cert>
    <key>
      <![CDATA[
      -----BEGIN RSA PRIVATE KEY-----
      <!-- ... -->
      -----END RSA PRIVATE KEY-----
      ]]>
    </key>
  </certificate>
</set_option>

Previously it was only possible to provide certificates and keys via files. I need to be able to handle certificates and keys based on dynvar data (e.g. by extracting from responses or using file servers).

Notes

  • only one certificate and one key are currently supported
  • [x] data has to be provided in PEM encoded format
  • [x] cert and key will be run through ts_search:subst/2, thus supporting dynamic configuration
  • [x] New error counter events have been added
    • error_connect_option_* if connection options are invalid (happens in certain cases where the provided certificate or key is not valid)
    • error_connect_tls_bad_certificate if the provided certificate could not be used

tisba · Feb 04 '19 10:02
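A pre-flight check for the inline format described in the post above, as an added example that is not part of the PR or of Tsung: it confirms that `<cert>` and `<key>` each hold exactly one well-formed PEM block of the expected type and skips values that are filled in at run time. The function names and the dynvar name `client_key` are assumptions, and only unencrypted PEM is handled.

```python
import base64
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)
DYNVAR_RE = re.compile(r"%%_\w+%%")  # Tsung dynamic-variable placeholder

# Constructed sample: the base64 body is dummy bytes, not real key material.
SAMPLE = """<set_option name="certificate"><certificate>
  <cert><![CDATA[
    -----BEGIN CERTIFICATE-----
    AAECAwQFBgc=
    -----END CERTIFICATE-----
  ]]></cert>
  <key>%%_client_key%%</key>
</certificate></set_option>"""

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; ValueError if malformed."""
    blocks = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        try:
            # The CDATA content is indented, so drop all whitespace first.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{begin}: body is not valid base64") from exc
        blocks.append((begin, der))
    return blocks

def check_inline(config_xml):
    """Return a list of problems found in inline <cert>/<key> data."""
    problems = []
    for opt in ET.fromstring(config_xml).iter("set_option"):
        if opt.get("name") != "certificate":
            continue
        for tag, wanted in (("cert", "CERTIFICATE"), ("key", "PRIVATE KEY")):
            node = opt.find(f"certificate/{tag}")
            if node is None or DYNVAR_RE.search(node.text or ""):
                continue  # absent, or only known after substitution at run time
            try:
                blocks = pem_blocks(node.text or "")
                if len(blocks) != 1:
                    raise ValueError(f"expected 1 PEM block, found {len(blocks)}")
                if not blocks[0][0].endswith(wanted):
                    raise ValueError(f"unexpected PEM type {blocks[0][0]}")
            except ValueError as exc:
                problems.append(f"<{tag}>: {exc}")
    return problems
```

An empty list means the static values passed; anything supplied through a dynvar can only be judged from the error counters at run time.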

My favourite configuration format would be like this:

<set_option name="certificate">
  <cacertificate>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
  </cacertificate>
  <certificate>
      <![CDATA[
      -----BEGIN CERTIFICATE-----
      <!-- ... -->
      -----END CERTIFICATE-----
      ]]>
  </certificate>
  <private_key password="secret">
    <![CDATA[
      -----BEGIN RSA PRIVATE KEY-----
      <!-- ... -->
      -----END RSA PRIVATE KEY-----
    ]]>
  </private_key>
</set_option>

or, when referencing files:

<set_option name="certificate">
  <cacertificate file="/path/to/ca_cert.pem"/>
  <certificate file="/path/to/cert.pem"/>
  <private_key file="/path/to/key.pem" password="secret"/>
</set_option>

That would be a bigger change to how the existing <certificate> works though.

Any ideas, suggestions or opinions, @nniclausse?

tisba · Feb 04 '19 12:02

Any preferences, @nniclausse?

tisba · Feb 13 '19 18:02

The patch looks good; I don't see a good reason to change the format though. Or am I missing something?

nniclausse · Feb 14 '19 14:02

Just aesthetics. <certificate><cert>... and <certificate><key>... feels clunky and redundant...

And I just noticed that you cannot provide the CA certificate chain inline as well (I don't need that, that's probably the reason why I forgot).

tisba · Feb 14 '19 14:02

Maybe simply using ssl instead of certificate could be better: <ssl><certificate> ...<ca_certificate> <key> ... </ssl>

nniclausse · Feb 14 '19 14:02

duh, okay, you're right, that makes more sense. No need to have <certificate> be used with multiple semantics at the same time!

I'll try to refactor this over the weekend...

tisba · Feb 14 '19 14:02