-
-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Public API to retrieve cert key and cert chain files written to the fs separately #40
Comments
I don't think this is right. When presenting a chain, you normally don't include the root (CA) cert, only the intermediate + leaf certs. And including the leaf and intermediate certs together in the same file is very standard, isn't it? It's easier operationally to deal with one file instead of several, and if you have multiple certs then it's better to specify each leaf+intermediates together, instead of specifying two leafs here and two chains there and then somehow having to figure out which leaf goes with which chain. I notice that the Apache mod_ssl docs describe the ...also, looking at the aiohttp patch you linked, I don't see any cert chain configuration? There's a There is a reasonable justification for keeping the private key separate from the cert, since they have different levels of sensitivity and the private key file might be password-protected. None of that really applies for trustme's use cases of course. You're right that passing the same file to two different options is a bit confusing, though I feel like the problem here is the server software for making this pointlessly confusing, given that they're all perfectly capable of reading everything out of a single file :-). Oh well, I guess that's life. I think the actual proposal here boils down to: adding a |
Apparently, it looks like we probably misuse cafile in Cheroot: https://github.com/cherrypy/cheroot/blob/d31adfe/cheroot/ssl/builtin.py#L104 While aiohttp uses it correctly: https://github.com/aio-libs/aiohttp/blob/master/aiohttp/worker.py#L191 wrt APIs in frameworks, I agree that it needs improvements and I think I'll work on it in Cheroot/CherryPy and aiohttp, but right now I wanted a less confusing way of integrating trustme with them :) TLS is hard sometimes and its current state in Python libs proves this. So yes, I guess for now |
Usually at high-level web servers expose separate configuration options for a certificate file, a private key file, and a certificate chain file.
Currently
trustme
forces users to use one file for both certificate file and its key file (as it aio-libs/aiohttp@c180800#diff-3ba621217225120eff2c061666b8043cR284) and use CA cert for chain option.From the API perspective, it looks confusing to any humble human being who isn't proficient in TLS.
When one looks at such tests they're puzzled: why options named explicitly as key and cert receive the same var? maybe it's a bug? what's going on here?
Same for cert chain: why does it look like instead of some mysterious chain file there's a certificate or the CA?
Proofs:
I think this use case deserves corresponding public APIs in place. What do you think?
The text was updated successfully, but these errors were encountered: