If @antirez ships SSL support for Redis I promise to never whine about Redis on Twitter again
@mtrojnar @TheAmazingRando how do I reject clients if their client certs aren't signed by our S2S CA or don't belong to a given OU?
@bascule I'm currently designing an interface to restrict allowed peers based on intermediate certs or CN/SAN/O/OU. @TheAmazingRando
@mtrojnar @TheAmazingRando cool! However, native termination could also enable setting grants/ACLs for e.g. Redis around client certs
@bascule Please drop me a line with your ideas for preferred configuration syntax. Do you know any existing tools with similar features?
@mtrojnar well, I don't think this is possible without native termination. MySQL's REQUIRE SUBJECT does what I'm describing
@bascule Native SSL is always the most flexible. Alternatively, stunnel can send cert info the way the "proxy" protocol sends the IP: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
@mtrojnar oh right, that other fun part where stunnel obscures the client's IP address ;)
@bascule Proxies do hide clients' IP addresses, unless they can use the non-local bind feature of the OS kernel (for stunnel: FreeBSD or Linux).
End of conversation

New conversation
@bascule Would it work for you if "verify = 3" required the presence of the specified certificate *anywhere* in the chain? @TheAmazingRando
@bascule #stunnel authentication is currently based either on the root CA or on the peer certs (with "verify = 4"). @TheAmazingRando