If @antirez ships SSL support for Redis I promise to never whine about Redis on Twitter again
@TheAmazingRando stunnel also doesn’t work at all if you want many-to-one mutual SSL authentication
@bascule @TheAmazingRando How exactly does it "not work"?
@mtrojnar @TheAmazingRando How do I reject clients if their client certs aren't signed by our S2S CA or don't belong to a given OU?
@bascule @TheAmazingRando I'm currently designing an interface to restrict allowed peers based on intermediate certs or CN/SAN/O/OU.
@mtrojnar @TheAmazingRando Cool! However, native termination could also enable setting grants/ACLs for e.g. Redis around client certs.
@bascule Please drop me a line with your ideas for preferred configuration syntax. Do you know any existing tools with similar features?
@mtrojnar Well, I don't think this is possible without native termination. MySQL's REQUIRE SUBJECT does what I'm describing.
@bascule Native SSL is always the most flexible. Alternatively, stunnel can send cert info the way the "proxy" protocol sends the IP: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt …
@mtrojnar Oh right, that other fun part where stunnel obscures the client's IP address ;)
1 more reply
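The check @bascule is asking for, done where native TLS termination makes it possible: the handshake itself fails unless the client certificate chains to our S2S CA, and the application then looks at the verified peer certificate and drops the connection unless its subject carries the required OU. This is an added example, not code from stunnel, Redis or any participant in the thread; the CA file path, the OU value "s2s" and the sample certificate dicts (in the shape `SSLSocket.getpeercert()` returns) are assumptions.

```python
"""Reject TLS peers unless their client certificate chains to our S2S CA
and its subject carries the required OU.

Added example, not stunnel's or Redis' code. The CA file path, the OU
value "s2s" and the sample certificate dicts below are assumptions."""
import ssl

REQUIRED_OU = "s2s"              # assumed: OU the S2S CA puts on service certs
CA_FILE = "/etc/ssl/s2s-ca.pem"  # assumed: path to the S2S CA bundle


def server_context(ca_file=CA_FILE):
    """TLS server context that only completes handshakes with client
    certificates signed by ca_file.

    CERT_REQUIRED makes the handshake fail for clients that present no
    certificate or one issued by any other CA, so a peer that reaches the
    application has already passed the "signed by our S2S CA" test.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def subject_values(cert, attr):
    """Collect every value of `attr` (e.g. 'organizationalUnitName') from
    the 'subject' field of a getpeercert() dict: a tuple of RDNs, each RDN
    a tuple of (type, value) pairs. A subject may carry several OUs, so all
    of them are returned rather than only the first."""
    return [value
            for rdn in cert.get("subject", ())
            for (key, value) in rdn
            if key == attr]


def peer_allowed(cert, required_ou=REQUIRED_OU):
    """Application-level check run after the handshake. The CA signature
    has already been verified by the TLS stack; this decides on the OU only.
    getpeercert() returns {} when no certificate was presented, which is
    rejected as well."""
    if not cert:
        return False
    return required_ou in subject_values(cert, "organizationalUnitName")


def handle_client(tls_sock):
    """Accept-loop body: close the connection unless the peer passes
    peer_allowed(); otherwise hand the socket on to the backend."""
    if not peer_allowed(tls_sock.getpeercert()):
        tls_sock.close()
        return False
    # ... proxy bytes to the backend here ...
    return True


# Constructed sample peers in getpeercert() shape (not real certificates).
GOOD_PEER = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "s2s"),),
                (("commonName", "redis-client-1.internal"),)),
    "issuer": ((("commonName", "Example S2S CA"),),),
}
WRONG_OU_PEER = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "web"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("commonName", "Example S2S CA"),),),
}
NO_CERT = {}  # what getpeercert() returns when the client sent nothing
```

The split matters: the CA check has to live in the handshake (a certificate from any other issuer never gets far enough to be inspected), while the OU check is a policy decision that only the terminating application can make, which is why a pure TCP-forwarding stunnel setup cannot express it without the cert-info passthrough @mtrojnar mentions.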