On 27/09/2019 at 18:07, Viktor Dukhovni wrote:
On Fri, Sep 27, 2019 at 05:01:03PM +0200, Emmanuel Fusté wrote:

Next, more a feature request: I have some custom transports defined for
different/custom client side TLS certs and conf.
Client-side TLS certs typically have private keys that only root
can read, but tlsproxy(8) (optionally) chroots and then drops privs
at startup, after loading any default client-side keys/certs.

For this, we'd need a variant of the server-side SNI code, with the
keys and certs for various destinations stored in a table that
is opened in "pre-jail" initialization while the process is still
running as root.  The client code would then load appropriate
destination-specific keys from the table.

Just to be on the safe side with chroot, the CAfile and CApath are
also required to be the same for all tlsproxy clients; perhaps
this can be relaxed, as these files don't contain secrets, and
should be readable by unprivileged processes.  With chroot jails,
it would be the administrator's responsibility to ensure that
suitable CAfile/CApath exist in the jail ($queue_directory).
Yes, that would be great.
Actually, custom transports (with their custom tlsproxy) fit my needs without too much burden, so it is OK for now.

As usual, thank you for your detailed answer.

Emmanuel.
