Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
Why is it necessary to customize the client TLS renegotiation?
The TPP API server is served by Microsoft Windows Server and IIS.
IIS uses TLS-1.2 by default[1] and it uses a
TLS-1.2 feature called "renegotiation" to allow client certificate
settings to be configured at the folder level. e.g.
https://tpp.example.com/vedauth may Require or Accept client
certificates while https://tpp.example.com/vedsdk may Ignore
client certificates.
When IIS is configured this way it behaves as follows[2]:
"Server receives a connection request on port 443; it begins a
handshake. The server does not ask for a client certificate. Once
the handshake is completed, the client sends the actual target URL
as a HTTP request in the SSL tunnel. Up to that point, the server
did not know which page was targeted; it only knew, at best, the
intended server name (through the Server Name Indication). Now
that the server knows which page is targeted, he knows which
"site" (i.e. part of the server, in IIS terminology) is to be
used."
In this scenario, the Go HTTP client MUST be configured to
renegotiate (by default it will refuse to renegotiate).
We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
because cert-manager establishes a new HTTPS connection for each API
request and therefore should only ever need to renegotiate once in this
scenario.
You can supply a custom http.Client where the transport has been configured with tls.RenegotiateOnceAsClient,
but the disadvantage of this alternative is that you also have to recreate all the other default http.Client settings that are normally set by vcert.
BUSINESS PROBLEM
Why is it necessary to customize the client TLS renegotiation?
PROPOSED SOLUTION
Allow user to supply
tls.RenegotiateOnceAsClient
when configuring the vcert client:https://github.com/Venafi/vcert/blob/a30535acfbeac7a1d5d1c8fe450a772d6c6faa68/config.go#L52-L66
CURRENT ALTERNATIVES
You can supply a custom
http.Client
where the transport has been configured withtls.RenegotiateOnceAsClient
, but the disadvantage of this alternative is that you also have to recreate all the other defaulthttp.Client
settings that are normally set by vcert.