Add support for mTLS #235
🦋 Changeset detected. Latest commit: 041a7c5. The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
Great looking PR! Thank you so much. I have some feedback, but once that's addressed I'll be happy to merge this.
packages/agent-base/src/index.ts
servername: string | undefined, | ||
opts: tls.ConnectionOptions, | ||
socket?: net.Socket, |
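Review bot: servername is typed string | undefined in this signature, yet it is the value that sets SNI and the hostname the server certificate is checked against. Either require a string, or state in a doc comment what the function does when it is undefined (fall back to a host carried in opts, or fail), so callers that upgrade an existing socket cannot end up verifying against an unintended name.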
Seems weird to me that socket is optional. Also, let's make it the first parameter:
servername: string | undefined, | |
opts: tls.ConnectionOptions, | |
socket?: net.Socket, | |
socket: net.Socket, | |
servername: string | undefined, | |
opts: tls.ConnectionOptions, |
The reason it was optional was that pac-proxy-agent calls tls.connect without providing a socket. I've made your suggested changes and reverted the changes to pac-proxy-agent for now. Let me know how you would like to proceed in that regard.
I see. How about if we do something like this in pac-proxy-agent?
socket = net.connect(opts);
if (secureEndpoint) {
    const servername = opts.servername || opts.host;
    socket = this.upgradeSocketToTls(
        socket,
        servername,
        opts
    );
}
@mg-dd Great PR! I need something similar, do you need any help pushing this over the finish line?
@TooTallNate this is ready for another look. The only open question is how you would like to handle the TLS connection in
Hi, any news on this? I also need this feature.
Any news on this?
@TooTallNate: Would love to see this feature in the proxy agents. Is there anything left to do?
Hi, any update about this PR? 💯
Thank you so much for maintaining this awesome project!
Can we move forward on this? What is missing?
Thank you for this PR! 🙏 🙏
We are using a patch of this pull request in production and it is working well.
This PR fixes two issues:
#194
#234
The background is that the TLS connection established by the proxy agents does not add the required parameters for mTLS / self-signed CAs. This PR adds a way to provide these parameters. The general approach was taken from the feedback on this PR: https://github.com/TooTallNate/proxy-agents/pull/195/files
ptal @TooTallNate
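As an added illustration of the description above (not code from this PR or from proxy-agents): one way to assemble the `tls.connect()` options when an already-connected socket is upgraded, so that the mTLS client identity (`cert`/`key`) and a private CA (`ca`) reach the handshake. The helper `buildTlsUpgradeOptions`, the body given to `upgradeSocketToTls`, the sample host, and the refusal of `rejectUnauthorized: false` are assumptions of this example.

```javascript
// Added example, not code from the PR. Helper names and bodies are hypothetical.

// Options that describe the TCP hop to the proxy; they are dropped so that
// tls.connect() only sees TLS settings plus the existing socket.
const TCP_ONLY = new Set(['host', 'port', 'path']);

function buildTlsUpgradeOptions(socket, servername, opts) {
  if (!socket) {
    throw new TypeError('an already-connected socket is required');
  }
  if (opts.rejectUnauthorized === false) {
    // A private or self-signed CA is trusted by passing it in `ca`,
    // not by switching certificate verification off.
    throw new Error('pass the CA in `ca` instead of rejectUnauthorized: false');
  }
  const out = {};
  for (const [name, value] of Object.entries(opts)) {
    // cert/key (client identity for mTLS) and ca pass through unchanged.
    if (!TCP_ONLY.has(name) && value !== undefined) out[name] = value;
  }
  out.socket = socket;
  // servername drives both SNI and hostname verification of the server cert.
  out.servername = servername || opts.servername || opts.host;
  if (!out.servername) {
    throw new Error('no servername or host to verify the server certificate against');
  }
  return out;
}

// Upgrade a connected socket (for example a CONNECT tunnel) to TLS.
async function upgradeSocketToTls(socket, servername, opts) {
  const tls = await import('node:tls');
  return tls.connect(buildTlsUpgradeOptions(socket, servername, opts));
}

// Constructed sample input: placeholder PEM strings, no real key material.
const sampleOpts = {
  host: 'api.internal.example',
  port: 443,
  cert: '<client certificate PEM>',
  key: '<client private key PEM>',
  ca: '<private CA PEM>',
};
```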