Open kevinmeziere opened 7 months ago
Thanks. In the latest release, I think you could use ConfigTls::Dynamic with your own rustls::ServerConfig to do this, right? (The fix in #902 looks simple enough, too.)
Yeah, that's the idea: get the key/cert and create a Some(ConfigTls::AsBytes). I didn't go the ConfigTls::Dynamic route as it looked like that was maybe looking for its own TLS handler... but I could be misunderstanding the usage.
Dropshot always constructs a rustls::ServerConfig. When you use ConfigTls::Dynamic, we use the one the caller provides directly:
https://github.com/oxidecomputer/dropshot/blob/59f102ee0d44ee324da1eb7a6804c2af55043e9e/dropshot/src/server.rs#L481
ConfigTls::AsBytes or ConfigTls::AsFile are just shortcuts for a common case. They boil down to:
https://github.com/oxidecomputer/dropshot/blob/59f102ee0d44ee324da1eb7a6804c2af55043e9e/dropshot/src/server.rs#L483-L537
So if you need a workaround, you can make your own rustls::ServerConfig using similar code, modified in the way you did in #902 to accept the kind of key you need.
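A std-only sketch of the key-type dispatch this comment describes, as an added example that is not Dropshot's or rustls-pemfile's own code. The Item enum below is a simplified stand-in for the rustls-pemfile one, keyed purely on the PEM label, and the PEM bodies are constructed placeholders rather than real keys. private_key_pkcs8_only reproduces the strict behaviour the issue reports (only a PKCS#8 item counts as a key, so an EC key from tailscale cert is rejected); private_key_any is the relaxed shape a caller could use when assembling the inputs for its own rustls::ServerConfig. The rustls builder call itself is left out so the block compiles without external crates.

```rust
// Added example, not Dropshot's code. No crypto here: only the PEM-label
// dispatch that decides whether a key file is accepted at all.
#[derive(Debug, Clone, PartialEq)]
pub enum Item {
    X509Certificate(Vec<u8>),
    Pkcs8Key(Vec<u8>), // "-----BEGIN PRIVATE KEY-----"     (PKCS#8)
    RsaKey(Vec<u8>),   // "-----BEGIN RSA PRIVATE KEY-----" (PKCS#1)
    EcKey(Vec<u8>),    // "-----BEGIN EC PRIVATE KEY-----"  (SEC1, what the issue says tailscale cert emits)
    Other(String),     // any other label, kept so nothing is silently dropped
}

/// Parse PEM text into labelled items. The base64 body is kept verbatim as bytes;
/// a real loader would decode it to DER, but that step does not affect the dispatch.
pub fn read_pem_items(pem: &str) -> Vec<Item> {
    let mut items = Vec::new();
    let mut label: Option<String> = None;
    let mut body = String::new();
    for line in pem.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            label = Some(rest.trim_end_matches('-').to_string());
            body.clear();
        } else if line.starts_with("-----END ") {
            if let Some(l) = label.take() {
                let der = body.as_bytes().to_vec();
                items.push(match l.as_str() {
                    "CERTIFICATE" => Item::X509Certificate(der),
                    "PRIVATE KEY" => Item::Pkcs8Key(der),
                    "RSA PRIVATE KEY" => Item::RsaKey(der),
                    "EC PRIVATE KEY" => Item::EcKey(der),
                    _ => Item::Other(l),
                });
            }
        } else if label.is_some() {
            body.push_str(line);
        }
    }
    items
}

#[derive(Debug, PartialEq)]
pub enum KeyError {
    NoKey,
    UnsupportedKeyType(&'static str),
}

/// Strict behaviour the issue describes: only a PKCS#8 item is treated as a key.
/// Other key labels are reported so the operator learns *why* the file was rejected.
pub fn private_key_pkcs8_only(items: &[Item]) -> Result<Vec<u8>, KeyError> {
    let mut seen_other: Option<&'static str> = None;
    for item in items {
        match item {
            Item::Pkcs8Key(k) => return Ok(k.clone()),
            Item::RsaKey(_) => seen_other = Some("RSA PRIVATE KEY"),
            Item::EcKey(_) => seen_other = Some("EC PRIVATE KEY"),
            _ => {}
        }
    }
    Err(seen_other.map_or(KeyError::NoKey, KeyError::UnsupportedKeyType))
}

/// Relaxed variant in the spirit of the thread: accept PKCS#8, PKCS#1 and SEC1 keys,
/// taking the first one found.
pub fn private_key_any(items: &[Item]) -> Result<Vec<u8>, KeyError> {
    items
        .iter()
        .find_map(|item| match item {
            Item::Pkcs8Key(k) | Item::RsaKey(k) | Item::EcKey(k) => Some(k.clone()),
            _ => None,
        })
        .ok_or(KeyError::NoKey)
}

/// The two inputs a caller building its own rustls::ServerConfig needs:
/// the certificate chain (all CERTIFICATE items, in file order) and one private key.
pub fn certs_and_key(cert_pem: &str, key_pem: &str) -> Result<(Vec<Vec<u8>>, Vec<u8>), KeyError> {
    let certs: Vec<Vec<u8>> = read_pem_items(cert_pem)
        .into_iter()
        .filter_map(|i| match i {
            Item::X509Certificate(c) => Some(c),
            _ => None,
        })
        .collect();
    let key = private_key_any(&read_pem_items(key_pem))?;
    Ok((certs, key))
}

/// Constructed samples in the shape the issue describes (an EC key). Placeholder
/// base64, not real key or certificate material.
pub const SAMPLE_EC_KEY_PEM: &str =
    "-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END EC PRIVATE KEY-----\n";
pub const SAMPLE_CERT_PEM: &str =
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVA==\n-----END CERTIFICATE-----\n";

fn main() {
    let items = read_pem_items(SAMPLE_EC_KEY_PEM);
    println!("strict:  {:?}", private_key_pkcs8_only(&items));
    println!("relaxed: {:?}", private_key_any(&items).map(|k| k.len()));
}
```

Running it shows the strict path returning UnsupportedKeyType("EC PRIVATE KEY") for the EC sample while the relaxed path returns the key, which is exactly the gap between the AsBytes/AsFile shortcut and a hand-built ServerConfig that the comment above points at.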
Currently Dropshot ConfigTls expects a key that matches Item::Pkcs8Key. Some certificate authorities do not provide a key pair that matches this.
A concrete example is using a key pair obtained from tailscale cert. Today the only key provided by tailscale is an EC key.