[Security-sig] Unified TLS API for Python

Wes Turner wes.turner at gmail.com
Thu Jan 12 12:07:22 EST 2017


On Thursday, January 12, 2017, Cory Benfield <cory at lukasa.co.uk> wrote:

>
> On 11 Jan 2017, at 21:44, Wes Turner <wes.turner at gmail.com> wrote:
>
> This may be a bit of a different use case (and possibly worth having in
> the first version of a new tls module):
>
> "Hitless TLS Certificate Rotation in Go"
> https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/
>
> - Can/could this be done with only set_sni_callback ?
>
>
> Yes, it can be. Twisted has an extension module, txsni, that uses the SNI
> callback to choose which certificate to provide.
>

https://github.com/glyph/txsni


>  This is basically identical to the Go GetCertificate callback function.
>

There's more config than just the cert, though. There are really two reqs
mentioned: SNI (Server Name Indication), and "hot" TLS config
detection/selection:

"""
The idea is to allow an administrator to force the whole cluster to migrate
away from an old root CA transparently, removing its existence from the
trust stores of all the nodes participating in the Swarm. This means that
we need control over the whole TLS config, instead of controlling only
which certificate is currently being served.
"""
"""
We chose to create a MutableTLSCreds
<https://github.com/docker/swarmkit/blob/master/ca/transport.go> struct,
which implements this TransportCredentials
<https://godoc.org/google.golang.org/grpc/credentials> interface and allows
the caller to simply change the TLS Config by calling LoadNewTLSConfig.
"""

IIUC, we'd currently have to create a new context to change any config
other than the cert?



>
> Cory
>
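Added example, not code from the thread, txsni or swarmkit: a Python equivalent of the MutableTLSCreds/LoadNewTLSConfig pattern, using the stdlib ssl module's `sni_callback` (Python 3.7+, called `set_servername_callback` earlier) rather than the proposed unified API. It assumes the listener is wrapped once with the first installed context and that every later context is a fresh SSLContext; the class and function names are my own.

```python
import ssl
import threading


def fresh_server_context() -> ssl.SSLContext:
    """A bare server-side context; cert, key and CA are loaded per rotation."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


class RotatingTLSConfig:
    """Keeps the 'current' server SSLContext and swaps it atomically.

    Every installed context gets the same SNI callback, so the context the
    listening socket was wrapped with (the first one) redirects each new
    handshake to whatever context is current at that moment: certificate,
    key and CA trust store all rotate without restarting the listener.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._current = None
        self.generation = 0  # bumps on every install, useful for logging

    def install(self, ctx: ssl.SSLContext) -> None:
        """Make ctx the context used by all handshakes from now on."""
        ctx.sni_callback = self.sni_callback
        with self._lock:
            self._current = ctx
            self.generation += 1

    @property
    def current(self):
        with self._lock:
            return self._current

    def load_new_tls_config(self, certfile, keyfile, cafile=None,
                            require_client_cert=False) -> ssl.SSLContext:
        """Build a context from new cert/key/CA files and install it."""
        ctx = fresh_server_context()
        ctx.load_cert_chain(certfile, keyfile)
        if cafile is not None:
            ctx.load_verify_locations(cafile)  # the new root CA for peers
        ctx.verify_mode = (ssl.CERT_REQUIRED if require_client_cert
                           else ssl.CERT_NONE)
        self.install(ctx)
        return ctx

    def sni_callback(self, sslobj, server_name, ctx) -> None:
        """Runs while OpenSSL processes the ClientHello (SNI may be None).

        Assigning sslobj.context re-binds this handshake to the newest
        context. Exactly which settings carry over is OpenSSL's
        SSL_set_SSL_CTX behaviour; check the ssl docs for your version.
        """
        latest = self.current
        if latest is not None and latest is not ctx:
            sslobj.context = latest
```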

