-
Notifications
You must be signed in to change notification settings - Fork 468
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add client certificate, require client certificate verification #1924
Conversation
…into external-signer-mtls-client
arbnode/dataposter/data_poster.go
Outdated
@@ -175,22 +175,32 @@ func NewDataPoster(ctx context.Context, opts *DataPosterOpts) (*DataPoster, erro | |||
} | |||
|
|||
func rpcClient(ctx context.Context, opts *ExternalSignerCfg) (*rpc.Client, error) { | |||
rootCrt, err := os.ReadFile(opts.RootCA) | |||
clientCert, err := tls.LoadX509KeyPair(opts.ClientCert, opts.ClientPrivateKey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think running in such a configuration would be generally advisable, but could we make the client certificate optional just in case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, can we default to reading the private key from the cert file if the private key option isn't separately specified? It's just a slight quality of life improvement, as often times the cert and key are in the same file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed client certificate to be optional.
As for private key being in the same file as cert file, I think this is generally discouraged since private key and certificate files should generally have different access controls. Although if we have justification why we need it anyway, I'll add it.
I think this PR might have accidentally updated the nitro-testnode submodule |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…/nitro into external-signer-mtls-client
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
No description provided.