QubitProducts / exporter_exporter

A reverse proxy designed for Prometheus exporters
Apache License 2.0

Clarify TLS server config #30

Closed candlerb closed 4 years ago

candlerb commented 4 years ago

I plan to run exporter_exporter as a TLS server.

Issue 1: --help output says:

  -web.tls.verify
        Disable client verification

Looking at the code:

        verify   = flag.Bool("web.tls.verify", false, "Disable client verification")
...
                        if *verify {
                                pool := x509.NewCertPool()
                                cabs, err := ioutil.ReadFile(*caPath)
                                if err != nil {
                                        log.Fatalf("Could not open ca file,, " + err.Error())
                                }
                                ok := pool.AppendCertsFromPEM(cabs)
                                if !ok {
                                        log.Fatalf("Failed loading ca certs")
                                }
                                tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
                                tlsConfig.ClientCAs = pool
                        }

So it seems that this option is to enable client verification (and defaults to false). Should the help text output be updated to reflect this?

(Aside: two commas in error message?)

Issue 2: it's unclear what sort of verification is done on client certs. My best assumption is: the server will accept any client cert, as long as it's signed by any CA in the web.tls.ca file. That is: it does not check the certificate identity or fingerprint.

If that's true, you'd have to set up a separate dummy CA for client authentication, rather than using any existing PKI. I don't have a problem with this, I just want to ensure I understand it properly.
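The following is an added, self-contained Go program (not code from exporter_exporter or from this thread) that reproduces the server-side setup quoted above with a throwaway in-memory CA, then shows two things: that `tls.RequireAndVerifyClientCert` plus `ClientCAs` accepts any leaf the CA signed, regardless of its name, and that a `VerifyPeerCertificate` hook is the place to add a fingerprint or identity check on top. The CA, the names `exporter.example`, `prometheus` and `other-service`, and all helper functions are constructed for the example; only the `ClientAuth`/`ClientCAs` lines mirror the quoted code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints an ECDSA cert identified by a DNS SAN (toy PKI for this example); parent == nil yields a self-signed CA.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// serverConfig: ClientAuth+ClientCAs alone reproduce exporter_exporter's web.tls.verify setup (any
// leaf chaining to the CA passes). allow, if set, runs after that chain check and filters by identity.
func serverConfig(ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey, allow func(*x509.Certificate) bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	if allow != nil {
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			if !allow(chains[0][0]) { // chains[0][0] is the already chain-verified client leaf
				return errors.New("client cert chains to the CA but is not an allowed identity")
			}
			return nil
		}
	}
	return cfg
}

// tryHandshake performs one handshake over loopback TCP and returns the server's verdict on the client.
func tryHandshake(srvCfg *tls.Config, ca, cliCert *x509.Certificate, cliKey *ecdsa.PrivateKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "exporter.example",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.SetDeadline(time.Now().Add(5 * time.Second))
			_, _ = c.Read(make([]byte, 1)) // TLS 1.3: the server's verdict only reaches the client here
			c.Close()
		}
	}()
	conn := must(ln.Accept())
	defer conn.Close()
	return tls.Server(conn, srvCfg).Handshake()
}

// demo reports, per server policy, whether the client was accepted.
func demo() map[string]bool {
	ca, caKey := issueCert("example-ca", nil, nil)
	srv, srvKey := issueCert("exporter.example", ca, caKey)
	prom, promKey := issueCert("prometheus", ca, caKey)
	other, otherKey := issueCert("other-service", ca, caKey)
	want := sha256.Sum256(prom.Raw) // the SHA-256 fingerprint an operator would pin in config
	pinned := serverConfig(ca, srv, srvKey, func(c *x509.Certificate) bool { return sha256.Sum256(c.Raw) == want })
	return map[string]bool{
		"ca-only/other":     tryHandshake(serverConfig(ca, srv, srvKey, nil), ca, other, otherKey) == nil,
		"pinned/prometheus": tryHandshake(pinned, ca, prom, promKey) == nil,
		"pinned/other":      tryHandshake(pinned, ca, other, otherKey) == nil,
	}
}

func main() {
	fmt.Println(demo())
}
```

`go run` prints `ca-only/other` as accepted, which is exactly the assumption in the question: with only `ClientAuth`/`ClientCAs`, the server checks that the leaf chains to something in the `web.tls.ca` file and nothing else, so every certificate that CA has ever issued can scrape the exporter. That is why a dedicated CA (or an identity check of the kind the `allow` hook shows) is the safe choice when the CA also issues certificates for unrelated services.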