cloudfoundry / cli

The official command line client for Cloud Foundry
https://docs.cloudfoundry.org/cf-cli
Apache License 2.0

Request to support client certificate when accessing cloud foundry with mutual TLS enabled. #1390

Open devtdeng opened 6 years ago

devtdeng commented 6 years ago

Command

cf ALL_COMMANDS when mutual TLS is enabled on cloud foundry side, and client certificate is a MUST.

What occurred

TLS handshake fails because cf cli can't provide client certificate.

What you expected to occur

Provide an option to support TLS client certificate.

CLI Version

All

CC API Endpoint Version

All

CF Trace

None

cf-gitbot commented 6 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/158023184

The labels on this github issue will be updated when the story is started.

abbyachau commented 5 years ago

Hi @tylerschultz @devtdeng I wanted to circle around about this enhancement. If you could please provide additional information (is this an issue with customers, etc), it would help us prioritise against the other GitHub issues we have. Thanks!

tylerschultz commented 5 years ago

Hi @abbyachau, I don't recall what I was doing in support of which issue, so customer evidence is not something I can help with anymore. I do recall investigating some sort of issue with the gorouter when mTLS was enabled, and came to the realization I was no longer able to use the CLI to communicate with cloud controller. There are many ways one might configure their load balancer and gorouter, and perhaps the situation I encountered is contrived. If you've not heard other complaints since this issue was logged then perhaps few, if any, users are bothered by this circumstance.

I have similar feature requests for scenarios where not using mTLS and are instead using self-signed certificates. It would be nice to be able to supply the CA certificate to validate the CLI's connection to the gorouter. This would mean CLI users would not need to skip SSL validation. The bosh cli provides this functionality, FWIW.

I'm happy to discuss any or all of this stuff more. LMK if you're interested.
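The two requests in the comment above (a client certificate for mTLS, and a supplied CA certificate in place of skipping SSL validation), sketched in Go as an added example that is not part of the original thread and is not cf CLI code. The names `clientCert`, `cliCert` and `tryRequest`, the in-process test server and the generated certificate are assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// clientCert builds a throwaway self-signed client certificate (constructed sample data).
func clientCert() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cli-user"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("could not generate the sample client certificate")
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

var cliCert = clientCert() // trusted by the test server, presented by the client

// tryRequest makes one HTTPS request to a local server that requires a verified client cert.
func tryRequest(certs ...tls.Certificate) error {
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(cliCert.Leaf)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	roots.AddCert(srv.Certificate()) // supplied CA cert; InsecureSkipVerify stays false
	cfg := &tls.Config{RootCAs: roots, Certificates: certs}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() { println("no cert fails:", tryRequest() != nil, "with cert fails:", tryRequest(cliCert) != nil) }
```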

abbyachau commented 5 years ago

Hey @tylerschultz many thanks for the response, sorry about the delay in response. Thanks for the explanation. We'll leave this open to see if it garners further conversation. Thanks again.