oxidecomputer / dropshot

expose REST APIs from a Rust program
Apache License 2.0

Support Multiple Key Types #901

Open kevinmeziere opened 7 months ago

kevinmeziere commented 7 months ago

Currently Dropshot ConfigTls expects a key that matches Item::Pkcs8Key. Some certificate authorities do not provide a key pair that matches this.

A concrete example is using a key pair obtained from tailscale cert. Today the only key provided by tailscale is an EC key.

davepacheco commented 7 months ago

Thanks. In the latest release, I think you could use ConfigTls::Dynamic with your own rustls::ServerConfig to do this, right? (The fix in #902 looks simple enough, too.)

kevinmeziere commented 7 months ago

Yeah, that's the idea: get the key/cert and create a Some(ConfigTls::AsBytes). I didn't go the ConfigTls::Dynamic route as it looked like that was maybe looking for its own TLS handler... but I could be misunderstanding the usage.

davepacheco commented 7 months ago

Dropshot always constructs a rustls::ServerConfig. When you use ConfigTls::Dynamic, we use the one the caller provides directly: https://github.com/oxidecomputer/dropshot/blob/59f102ee0d44ee324da1eb7a6804c2af55043e9e/dropshot/src/server.rs#L481

ConfigTls::AsBytes or ConfigTls::AsFile are just shortcuts for a common case. They boil down to: https://github.com/oxidecomputer/dropshot/blob/59f102ee0d44ee324da1eb7a6804c2af55043e9e/dropshot/src/server.rs#L483-L537

So if you need a workaround, you can make your own rustls::ServerConfig using similar code, modified in the way you did in #902 to accept the kind of key you need.

#902 still seems worth doing. I just wanted to let you know in case this unblocks you.
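The workaround and the fix both come down to the same check: look at what kind of private key the PEM actually carries before handing it to rustls, instead of assuming PKCS#8. The following is an added example, not Dropshot's code and not from the linked server.rs: a pure-std PEM parser that classifies the key by its PEM label (PKCS#8 "PRIVATE KEY", SEC1 "EC PRIVATE KEY" as written by `tailscale cert`, PKCS#1 "RSA PRIVATE KEY") and refuses to proceed when a bundle has no key or more than one. The comments mapping each label onto rustls-pemfile's `Item::Pkcs8Key` / `Item::Sec1Key` / `Item::Pkcs1Key` variants are an assumption about that crate's API; the sample PEM is constructed with a placeholder body and is not a real key.

```rust
// Added example (not Dropshot's own code): classify the private key in a PEM
// bundle by its label so a TLS loader can accept PKCS#8, SEC1 (EC) and PKCS#1
// (RSA) keys instead of PKCS#8 only. Pure std, runs offline.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KeyKind {
    /// "BEGIN PRIVATE KEY" (PKCS#8). Assumed mapping: rustls_pemfile::Item::Pkcs8Key.
    Pkcs8,
    /// "BEGIN EC PRIVATE KEY" (SEC1), what `tailscale cert` writes. Assumed: Item::Sec1Key.
    Sec1Ec,
    /// "BEGIN RSA PRIVATE KEY" (PKCS#1). Assumed: Item::Pkcs1Key.
    Pkcs1Rsa,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PemError {
    NoPrivateKey,
    MultiplePrivateKeys,
    Malformed(String),
}

/// One "-----BEGIN X-----" ... "-----END X-----" block with its body decoded to DER.
#[derive(Debug)]
pub struct PemBlock {
    pub label: String,
    pub der: Vec<u8>,
}

/// Minimal base64 decoder (standard alphabet, '=' padding), enough to turn a
/// PEM body into DER bytes without an external crate. Returns None on any
/// character outside the alphabet or a length that is not a multiple of four.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let val = |c: u8| -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a') as u32 + 26),
            b'0'..=b'9' => Some((c - b'0') as u32 + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    };
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        // Only trailing '=' counts as padding; a '=' anywhere else is rejected by `val`.
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        if pad > 2 {
            return None;
        }
        let mut acc = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            let v = if b == b'=' && i >= 4 - pad { 0 } else { val(b)? };
            acc = (acc << 6) | v;
        }
        let full = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&full[..3 - pad]);
    }
    Some(out)
}

/// Split PEM text into blocks, checking that every BEGIN has a matching END.
pub fn parse_pem(text: &str) -> Result<Vec<PemBlock>, PemError> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None; // (label, base64 body so far)
    for raw in text.lines() {
        let line = raw.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            if current.is_some() {
                return Err(PemError::Malformed("nested BEGIN".into()));
            }
            current = Some((label.to_string(), String::new()));
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
            let (begin, body) =
                current.take().ok_or_else(|| PemError::Malformed("END without BEGIN".into()))?;
            if begin != label {
                return Err(PemError::Malformed(format!("BEGIN {begin} / END {label} mismatch")));
            }
            let der = b64_decode(&body)
                .ok_or_else(|| PemError::Malformed(format!("bad base64 in {begin}")))?;
            blocks.push(PemBlock { label: begin, der });
        } else if let Some((_, body)) = current.as_mut() {
            body.push_str(line);
        }
        // Text outside any block (comments, blank lines) is ignored, as PEM allows.
    }
    if current.is_some() {
        return Err(PemError::Malformed("unterminated block".into()));
    }
    Ok(blocks)
}

/// Pick the single private key out of a bundle, whatever its encoding.
/// Exactly one key is required: none usually means the certificate file was
/// passed instead of the key, more than one is ambiguous; both are errors
/// rather than guesses.
pub fn find_private_key(blocks: &[PemBlock]) -> Result<(KeyKind, &[u8]), PemError> {
    let mut found = None;
    for b in blocks {
        let kind = match b.label.as_str() {
            "PRIVATE KEY" => KeyKind::Pkcs8,
            "EC PRIVATE KEY" => KeyKind::Sec1Ec,
            "RSA PRIVATE KEY" => KeyKind::Pkcs1Rsa,
            _ => continue, // certificates, EC parameters, etc. are not keys
        };
        if found.is_some() {
            return Err(PemError::MultiplePrivateKeys);
        }
        found = Some((kind, b.der.as_slice()));
    }
    found.ok_or(PemError::NoPrivateKey)
}

/// Constructed sample, not a real key: the labels are what `tailscale cert`
/// produces, the body is placeholder base64 that decodes to 30 03 02 01 01.
pub const SAMPLE_EC_PEM: &str = "-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MAMCAQE=
-----END EC PRIVATE KEY-----
";

fn main() {
    let blocks = parse_pem(SAMPLE_EC_PEM).expect("well-formed PEM");
    match find_private_key(&blocks) {
        Ok((kind, der)) => println!("private key: {kind:?}, {} DER bytes", der.len()),
        Err(e) => eprintln!("refusing to start TLS listener: {e:?}"),
    }
}
```

In a real loader the `KeyKind` would select which `rustls_pki_types::PrivateKeyDer` variant to build before calling `ServerConfig::builder()`, and a `NoPrivateKey` or `MultiplePrivateKeys` result should abort startup rather than fall back to an HTTP listener.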