[CHANGED] Reload TLS certificates on reconnect #1264
Conversation
piotrpio
commented
May 12, 2023
- Use callbacks when reconnecting to get current cert/key and CAs (similar to credentials)
- Send async error on failed connect (previously only protocol auth errors were reported)
Signed-off-by: Piotr Piotrowski <piotr@synadia.com>
} | ||
if o.TLSConfig == nil { | ||
o.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12} | ||
} | ||
o.TLSConfig.RootCAs = pool |
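Review bot: `o.TLSConfig.RootCAs = pool` silently overwrites any RootCAs a caller already placed on a non-nil `o.TLSConfig`; either document on the option that this setting takes precedence, or return an error when both are supplied so a user-configured trust store is not dropped without notice. The hunk also does not show where `pool` comes from, so it is worth confirming in the surrounding code that building it (reading the CA file) fails here at option time rather than only later on connect, which is the visibility concern raised in the comment above.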
I think we need to smoke test the callback at least once when building the option here, and return in case there is an error, otherwise it will fail until much later and fall into reconnect logic potentially hiding some of the errors.
Good call - done
@@ -2474,6 +2509,9 @@ func (nc *Conn) sendConnect() error { | |||
// Read the rest now... | |||
proto, err = nc.readProto() | |||
if err != nil { | |||
if !nc.initc && nc.Opts.AsyncErrorCB != nil { |
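Review bot: the `!nc.initc && nc.Opts.AsyncErrorCB != nil` guard deserves a short comment, since the body is not visible here: it means a `readProto` failure during the initial connect is still only returned to the caller, while the same failure during a reconnect is additionally reported through `AsyncErrorCB`. Also confirm that the callback is dispatched the same way other async errors are rather than invoked inline inside `sendConnect`, so the reporting path does not depend on the connection lock state at this point.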
These probably would help with the visibility of the errors that I was mentioning above 👍, still think that it might be better to just check that the callbacks won't work at config time (bad path to client cert) on connect than after connect init has started, otherwise I think the last error on connect would be no servers available instead of the config error.
Signed-off-by: Piotr Piotrowski <piotr@synadia.com>
LGTM