On Thursday, January 12, 2017, Cory Benfield <cory@lukasa.co.uk> wrote:
On 11 Jan 2017, at 21:44, Wes Turner <wes.turner@gmail.com> wrote:
This may be a bit of a different use case (and possibly worth having in the first version of a new tls module):
"Hitless TLS Certificate Rotation in Go" https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/
- Can/could this be done with only set_sni_callback ?
Yes, it can be. Twisted has an extension module, txsni, that uses the SNI callback to choose which certificate to provide.
https://github.com/glyph/txsni
This is basically identical to the Go GetCertificate callback function.
There's more config than just the cert, though. There are really two reqs mentioned: SNI (Server Name Indication), and "hot" TLS config detection/selection:

"""
The idea is to allow an administrator to force the whole cluster to migrate away from an old root CA transparently, removing its existence from the trust stores of all the nodes participating in the Swarm. This means that we need control over the whole TLS config, instead of controlling only which certificate is currently being served.
"""

"""
We chose to create a MutableTLSCreds <https://github.com/docker/swarmkit/blob/master/ca/transport.go> struct, which implements this TransportCredentials <https://godoc.org/google.golang.org/grpc/credentials> interface and allows the caller to simply change the TLS Config by calling LoadNewTLSConfig.
"""

IIUC, we'd currently have to create a new context to change any config other than the cert?
Cory
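As an added illustration of the mechanism the thread is discussing (this is example code written for this page, not code from txsni, swarmkit, or the proposed tls module): in the standard-library ssl module the SNI callback may assign a different SSLContext to the in-progress socket, which swaps the whole configuration (trust store, verify mode, protocol floor) for that connection, not just the served certificate. The `RotatingContextRegistry` and `HandshakeProbe` names, the server names, and the `demo()` walkthrough are all assumptions constructed for the example; no certificate files are loaded, so the contexts differ only in policy settings.

```python
import ssl
import threading
from typing import Dict, Optional


def make_server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Build a server-side context. A real deployment would also call
    ctx.load_cert_chain(certfile, keyfile) and ctx.load_verify_locations(cafile)
    here; this example has no certificate files, so it only sets policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Differs between "old" and "new" config so the rotation is observable.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


class HandshakeProbe:
    """Stand-in (constructed for this example) for an SSLSocket mid-handshake:
    the only attribute the SNI callback touches is .context."""

    def __init__(self, context: ssl.SSLContext) -> None:
        self.context = context


class RotatingContextRegistry:
    """Hypothetical helper: one full SSLContext per server name, replaceable at
    runtime. Connections whose handshake already ran keep the context they were
    handed; only new handshakes see a rotated config, which is what makes the
    rotation hitless."""

    def __init__(self, default: ssl.SSLContext) -> None:
        self._default = default
        self._by_name: Dict[str, ssl.SSLContext] = {}
        self._lock = threading.Lock()
        # Install ourselves as the SNI hook on the listening context.
        default.sni_callback = self.sni_callback

    def register(self, server_name: str, ctx: ssl.SSLContext) -> None:
        with self._lock:
            self._by_name[server_name.lower()] = ctx

    def rotate(self, server_name: str, new_ctx: ssl.SSLContext) -> Optional[ssl.SSLContext]:
        """Atomically replace the context for server_name without restarting the
        listener; returns the previous context (None if the name was unknown)."""
        key = server_name.lower()
        with self._lock:
            old = self._by_name.get(key)
            self._by_name[key] = new_ctx
            return old

    def lookup(self, server_name: Optional[str]) -> ssl.SSLContext:
        if server_name is None:  # client sent no SNI extension
            return self._default
        with self._lock:
            return self._by_name.get(server_name.lower(), self._default)

    def sni_callback(self, ssl_socket, server_name: Optional[str],
                     ssl_context: ssl.SSLContext) -> None:
        """Signature required by ssl.SSLContext.sni_callback. Assigning
        ssl_socket.context is the documented way to switch the connection's
        entire configuration during the handshake; returning None continues it."""
        chosen = self.lookup(server_name)
        if chosen is not ssl_context:
            ssl_socket.context = chosen
        return None


def demo() -> dict:
    """Constructed walkthrough: register a name, handshake once, rotate the
    config, handshake again, and report which context each connection got."""
    default = make_server_context(require_client_cert=False)
    registry = RotatingContextRegistry(default)
    old_api = make_server_context(require_client_cert=False)
    registry.register("api.example.test", old_api)

    conn1 = HandshakeProbe(default)
    registry.sni_callback(conn1, "api.example.test", default)

    # Operator rolls out a stricter config (e.g. new CA, client certs required).
    new_api = make_server_context(require_client_cert=True)
    registry.rotate("api.example.test", new_api)

    conn2 = HandshakeProbe(default)
    registry.sni_callback(conn2, "API.example.test", default)  # name match is case-insensitive
    conn3 = HandshakeProbe(default)
    registry.sni_callback(conn3, "unknown.example.test", default)
    conn4 = HandshakeProbe(default)
    registry.sni_callback(conn4, None, default)

    return {
        "conn1_is_old": conn1.context is old_api,
        "conn2_is_new": conn2.context is new_api,
        "conn3_is_default": conn3.context is default,
        "conn4_is_default": conn4.context is default,
        "new_requires_client_cert": conn2.context.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    print(demo())
```

Because the registry swaps whole contexts rather than certificates, the same callback covers the swarmkit-style case of retiring a root CA: build a new context whose trust store omits the old CA, `rotate()` it in, and every subsequent handshake for that name is verified against the new store while established connections are left alone.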