store all certificates, resolve the longer-lived ones #1115

Merged
merged 2 commits into from
Jun 25, 2024

@Keksoj Keksoj commented Jun 21, 2024

Until now, Sōzu replaces shorter-lived certificates when adding a new one.

This behaviour is imperfectly implemented, and leads occasionally to confusing behaviours: a certificate with 2 domain names would be removed by a 1-domain-name certificate, leaving one of the domain names unresolved.

Instead of fixing the replacement of certificates, this PR changes the behaviour of the CertificateResolver:

  • all certificates are stored (unless explicitly removed)
  • resolving is done by pointing to the longest-lived certificate in storage, for a given domain name
  • when removing a certificate, the resolver falls back to the next-longest-lived certificate

@Keksoj Keksoj added the tls all regarding certificates and handshakes label Jun 21, 2024
store all certificates in the CertificateResolver,
keep track of the longer-lived ones using the name_fingerprint_idx
the unit tests control that the longer-lived certificates are
resolved and to fall back on shorter-lived ones if the longer-lived
are removed.

Co-Authored-By: Eloi DEMOLIS <[email protected]>
@Keksoj Keksoj force-pushed the fix-add-certificate branch from 1f7c530 to 8b3462d Compare June 21, 2024 14:50
@FlorentinDUBOIS FlorentinDUBOIS merged commit 18a20cb into main Jun 25, 2024
25 checks passed
@FlorentinDUBOIS FlorentinDUBOIS deleted the fix-add-certificate branch June 25, 2024 08:55
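
The resolving behaviour described in this PR, as an added sketch that is not taken from the Sōzu code base: `Cert`, `Resolver`, `name_idx` and the `cert` helper are hypothetical names, fingerprints are plain strings, and expiry is a Unix timestamp.

```rust
use std::collections::HashMap;
// Hypothetical types for illustration; not Sōzu's CertificateResolver.
struct Cert { fingerprint: String, names: Vec<String>, not_after: u64 } // expiry: Unix time
#[derive(Default)]
struct Resolver {
    certs: HashMap<String, Cert>,      // fingerprint -> certificate; nothing is replaced
    name_idx: HashMap<String, String>, // domain name -> fingerprint of longest-lived cert
}

impl Resolver {
    fn add(&mut self, cert: Cert) {
        for name in &cert.names {
            let current = self.name_idx.get(name).and_then(|fp| self.certs.get(fp));
            // Point the name at the new certificate only if it outlives the current one.
            if current.map_or(true, |c| cert.not_after > c.not_after) {
                self.name_idx.insert(name.clone(), cert.fingerprint.clone());
            }
        }
        self.certs.insert(cert.fingerprint.clone(), cert);
    }

    fn remove(&mut self, fingerprint: &str) {
        let Some(removed) = self.certs.remove(fingerprint) else { return };
        for name in &removed.names {
            // Fall back to the longest-lived certificate still stored for this name.
            let next = self.certs.values().filter(|c| c.names.contains(name))
                .max_by_key(|c| c.not_after).map(|c| c.fingerprint.clone());
            if let Some(fp) = next { self.name_idx.insert(name.clone(), fp); } else { self.name_idx.remove(name); }
        }
    }

    fn resolve(&self, name: &str) -> Option<&str> {
        self.name_idx.get(name).map(String::as_str)
    }
}

fn cert(fp: &str, names: &[&str], not_after: u64) -> Cert {
    Cert { fingerprint: fp.into(), names: names.iter().map(|n| n.to_string()).collect(), not_after }
}

fn main() {
    // Constructed sample: a two-name certificate, then a longer-lived one-name certificate.
    let mut r = Resolver::default();
    r.add(cert("fp-two", &["a.example", "b.example"], 1_000));
    r.add(cert("fp-one", &["a.example"], 2_000));
    println!("{:?} {:?}", r.resolve("a.example"), r.resolve("b.example"));
    r.remove("fp-one");
    println!("{:?}", r.resolve("a.example"));
}
```

The sample reproduces the case from the description: the two-name certificate stays in storage, so `b.example` keeps resolving and `a.example` falls back to it once the longer-lived certificate is removed.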