Skip to content

client_auth: wire up leaf verifier Caddyfile#6772

Merged
mholt merged 5 commits intomasterfrom
leaf-verifier-caddyfile
Jun 9, 2025
Merged

client_auth: wire up leaf verifier Caddyfile#6772
mholt merged 5 commits intomasterfrom
leaf-verifier-caddyfile

Conversation

@mohammed90
Copy link
Member

@mohammed90 mohammed90 commented Jan 7, 2025

Closes #6771

@mohammed90
client_auth: wire up leaf verifier Caddyfile
5a9471f 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
@mohammed90 mohammed90 added bug 🐞 Something isn't working in progress 🏃‍♂️ Being actively worked on labels Jan 7, 2025
mohammed90
mohammed90 commented Jan 7, 2025
View reviewed changes
modules/caddytls/connpolicy.go Outdated
Comment on lines +949 to +952
if !strings.HasPrefix(modName, "load_") {
return d.Err("expected a leaf certificate loader module name prefixed with `load_`")
}
modName = strings.TrimPrefix(modName, "load_")
Copy link
Member Author

@mohammed90 mohammed90 Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@francislavoie, what do you think of this from Caddyfile UX perspective?

Copy link
Member

@francislavoie francislavoie Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need load_ at all?

Copy link
Member Author

@mohammed90 mohammed90 Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I should future-proof it in case other parameters are added besides the loaders. I thought the namespace will be clobbered if I don't distinguish them with a prefix or nest them into a block. I don't know...

Copy link
Member

@mholt mholt Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The module name is already prefixed by tls.leaf_cert_loader.. Are there other "kinds" (?) of modules that go in this namespace that aren't loading?

Copy link
Member

@francislavoie francislavoie Jan 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't it be like verifier leaf file <filename> etc?

Copy link
Member Author

@mohammed90 mohammed90 Jan 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm saying what if leaf has more parameters in the future, not the loader modules. Anyways, looking at what VerifyClientCertificate does, I can't imagine any new behavioral parameters that may be added in the future.

The format verifier leaf file <filename> doesn`t work because it blocks the use multiple loaders, which is currently possible. In other words, this is now possible:

verifier leaf {
    file file-1.pem file-2.pem
    file more-cert.pem
    folder /path/to/cert/repo
}

The one-liner disallows this use.

Copy link
Member Author

@mohammed90 mohammed90 Apr 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed the load_ prefix. I've also made it accept either in-line or block, but not both. All good?

@mohammed90 mohammed90 force-pushed the leaf-verifier-caddyfile branch from 062de56 to 01fa65a Compare April 15, 2025 22:07
@mohammed90 mohammed90 mentioned this pull request Jun 7, 2025
Closed
@mohammed90 mohammed90 marked this pull request as ready for review June 9, 2025 10:11
mholt
mholt approved these changes Jun 9, 2025
View reviewed changes
Copy link
Member

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you Mohammed! Love the test cases.

@mholt mholt merged commit 1481c04 into master Jun 9, 2025
20 checks passed
@mholt mholt deleted the leaf-verifier-caddyfile branch June 9, 2025 14:18
@mholt mholt removed the in progress 🏃‍♂️ Being actively worked on label Jun 9, 2025
@mholt mholt added this to the v2.10.1 milestone Jun 9, 2025
@BrewTestBot BrewTestBot mentioned this pull request Aug 22, 2025
Merged
1 task
mohammed90 added a commit to cedricziel/caddy that referenced this pull request Aug 29, 2025
@mohammed90
caddytls: wire up client_auth leaf verifier Caddyfile (caddyserver#6772)
be3e9f4 
* client_auth: wire up leaf verifier Caddyfile

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* review feedback + tests

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
@mohammed90 mohammed90 mentioned this pull request Oct 25, 2025
Merged
46 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mholt mholt mholt approved these changes

@francislavoie francislavoie Awaiting requested review from francislavoie

Assignees

No one assigned

Labels

bug 🐞 Something isn't working

Projects

None yet

Milestone

v2.10.1

Development

Successfully merging this pull request may close these issues.

trusted_leaf_certs functionality after its deprecation in Caddyfile

3 participants

@mohammed90 @mholt @francislavoie