Vhost support using multiple TLS certificates #2270
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
|
This pull request has been mentioned on Sanic Community Discussion. There might be relevant details there: |
|
TODO: The last point may be problematic, especially if proxies are used, so it is not implemented at this point. |
Tronic
changed the title
|
I am amazed by the CodeQL static analysis being able to notice that information from a certificate is logged after reading the cert with an undocumented function, with the data being passed a long way until we get to log it. What it does not understand is that the public certificate is not sensitive data. Can we somehow suppress this warning? |
…enable debug mode early so that debug messages during init can be shown.
|
TODO 2: Anything else still overlooked? |
Yes. |
…ting them as needed.
… and use names from the cert if absent.
Tronic
changed the title
Tronic
changed the title
…'s odd message formatting.
|
This needs a review. Ping @sanic-org/framework and also check the related docs PR sanic-org/sanic-guide#71 |
|
@sanic-org/framework If someone will give this a once-over, I'm happy to merge it in as-is. @Tronic thanks for the fast turnaround on this! |
…scked up formatting.
|
Code Climate has analyzed commit bb793fa and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 99.2% (86% is the threshold). This pull request will bring the total coverage in the repository to 86.7% (0.2% change). View more on Code Climate. |
* Initial support for using multiple SSL certificates. * Also list IP address subjectAltNames on log. * Use Python 3.7+ way of specifying TLSv1.2 as the minimum version. Linter fixes. * isort * Cleanup, store server name for later use. Add RSA ciphers. Log rejected SNIs. * Cleanup, linter. * Alter the order of initial log messages and handling. In particular, enable debug mode early so that debug messages during init can be shown. * Store server name (SNI) to conn_info. * Update test with new error message. * Refactor for readability. * Cleanup * Replace old expired test cert with new ones and a script for regenerating them as needed. * Refactor TLS tests to a separate file. * Add cryptography to dev deps for rebuilding TLS certs. * Minor adjustment to messages. * Tests added for new TLS code. * Find the correct log row before testing for message. The order was different on CI. * More log message order fixup. The tests do not account for the logo being printed first. * Another attempt at log message indexing fixup. * Major TLS refactoring. CertSelector now allows dicts and SSLContext within its list. Server names are stored even when no list is used. SSLContext.sanic now contains a dict with any setting passed and information extracted from cert. That information is available on request.conn_info.cert. Type annotations added. More tests incl. a handler for faking hostname in tests. * Remove a problematic logger test that apparently was not adding any coverage or value to anything. * Revert accidental commit of uvloop disable. * Typing fixes / refactoring. * Additional test for cert selection. Certs recreated without DNS:localhost on sanic.example cert. * Add tests for single certificate path shorthand and SNI information. * Move TLS dict processing to CertSimple, make the names field optional and use names from the cert if absent. * Sanic CLI options --tls and --tls-strict-host to use the new features. * SSL argument typing updated * Use ValueError for internal message passing to avoid CertificateError's odd message formatting. * Linter * Test CLI TLS options. * Maybe the right codeclimate option now... * Improved TLS argument help, removed support for combining --cert/--key with --tls. * Removed support for strict checking without any certs, black forced fscked up formatting. * Update CLI tests for stricter TLS options. Co-authored-by: L. Karkkainen <tronic@users.noreply.github.com> Co-authored-by: Adam Hopkins <admhpkns@gmail.com>
Usage:
A connecting client provides TLS SNI which we then use to match against all loaded certificates, using the first one that matches. If no certificates match, the TLS connection gets disconnected prior to any request being made.
This PR also changes default SSLContext creation with more secure settings, so that A and A+ grades are possible on SSL Test.