[ADDED] LeafNode: TLSHandshakeFirst option #4119

Merged
merged 1 commit into from May 1, 2023

@kozlovic kozlovic commented May 1, 2023

A new field in `tls{}` blocks forces the server to do the TLS handshake before sending the INFO protocol.

```
leafnodes {
   port: 7422
   tls {
      cert_file: ...
      ...
      handshake_first: true
   }
   remotes [
       {
         url: tls://host:7423
         tls {
            ...
            handshake_first: true
         }
       }
   ]
}
```

Note that if `handshake_first` is set in the "accept" side, the first `tls{}` block in the example above, a server trying to create a LeafNode connection to this server would need to have `handshake_first` set to true inside the `tls{}` block of the corresponding remote.

Configuration reload of leafnodes is generally not supported, but TLS certificates can be reloaded and the support for this new field was also added.

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
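
The ordering change described above can be checked from the connecting side. The following is an added example, not part of the pull request or of nats-server: `probeOrder`, `fakeAccept` and `sampleInfo` are hypothetical names, an in-memory pipe stands in for the leafnode listener, and it assumes the plaintext INFO line starts with `INFO `.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Constructed sample of the plaintext INFO line sent first when handshake_first is unset.
const sampleInfo = "INFO {\"server_id\":\"CONSTRUCTED\",\"tls_required\":true}\r\n"

// probeOrder reads from a fresh connection without sending anything.
// "info-first": plaintext INFO arrived before any TLS handshake.
// "handshake-first": peer stayed silent for wait, as a TLS server awaiting ClientHello does.
func probeOrder(c net.Conn, wait time.Duration) (string, error) {
	if err := c.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return "", err
	}
	buf := make([]byte, 5)
	n, err := io.ReadFull(c, buf)
	switch {
	case err == nil && string(buf) == "INFO ":
		return "info-first", nil
	case n == 0 && errors.Is(err, os.ErrDeadlineExceeded):
		return "handshake-first", nil
	}
	return "", fmt.Errorf("unexpected first bytes %q (read error: %v)", buf[:n], err)
}

// fakeAccept is a hypothetical stand-in for a leafnode listener: it returns
// the dialing end of an in-memory pipe and writes INFO only in the default order.
func fakeAccept(handshakeFirst bool) net.Conn {
	srv, cli := net.Pipe()
	if !handshakeFirst {
		go func() { srv.Write([]byte(sampleInfo)); srv.Close() }()
	}
	return cli
}

func main() {
	for _, hf := range []bool{false, true} {
		c := fakeAccept(hf)
		order, err := probeOrder(c, 200*time.Millisecond)
		c.Close()
		fmt.Printf("handshake_first=%v -> %s (err=%v)\n", hf, order, err)
	}
}
```

A silent peer is only consistent with `handshake_first: true`, not proof of it, so choose `wait` generously on a real network. It also shows why the remote must match: a remote that waits for INFO from a handshake-first accept side never receives it.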

@kozlovic kozlovic requested a review from a team as a code owner May 1, 2023 22:53
@kozlovic kozlovic changed the title [ADDED] LeafNode: TLSHandhsakeFirst option [ADDED] LeafNode: TLSHandshakeFirst option May 1, 2023
@derekcollison derekcollison left a comment


LGTM

@derekcollison derekcollison merged commit c242292 into dev May 1, 2023
2 checks passed
@derekcollison derekcollison deleted the leaf_tls_first branch May 1, 2023 23:12