Skip to content

Improve TLS certificate loading, handling and validation #478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jedisct1 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Improve TLS certificate loading, handling and validation #478

jedisct1 wants to merge 2 commits into from

Conversation

@jedisct1
Copy link
Contributor

@jedisct1 jedisct1 commented May 15, 2025

Improved Certificate Loading:

  • Now fails explicitly when no certificates can be loaded
  • Properly reports when CA certificates are unavailable

Better Certificate Validation:

  • Certificate validation checks during connection establishment
  • Added basic validation of certificate data to ensure certificates aren't empty
  • Added proper error handling for invalid DNS names

Proper TLS Connection Validation:

  • Added explicit error handling for TLS connection failures
  • Added logging for certificate validation failures for easier debugging

@jedisct1
Improve TLS certificate loading, handling and validation
609118b 
1. Improved Certificate Loading:
  - Now fails explicitly when no certificates can be loaded
  - Properly reports when CA certificates are unavailable
2. Enhanced Error Handling:
  - Added new error types for specific TLS/certificate validation issues
  - Improved error messages for better diagnostics
3. Better Certificate Validation:
  - Implemented certificate validation checks during connection establishment
  - Added basic validation of certificate data to ensure certificates aren't
empty
  - Added proper error handling for invalid DNS names
4. Proper TLS Connection Validation:
  - Added explicit error handling for TLS connection failures
  - Added logging for certificate validation failures for easier debugging
@cceckman-at-fastly cceckman-at-fastly self-requested a review May 27, 2025 20:54
cceckman-at-fastly
cceckman-at-fastly approved these changes May 28, 2025
View reviewed changes
Copy link
Contributor

@cceckman-at-fastly cceckman-at-fastly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Patched with some syntactic changes - map_err and use of the ?, mostly - to cut out some of the error-handling boilerplate.

@jedisct1 If this looks good to you, it's good to merge IMO!

lib/src/upstream.rs Outdated
};

let remote_addr = tcp.peer_addr()?;
let remote_addr = match tcp.peer_addr() {
Copy link
Contributor

@cceckman-at-fastly cceckman-at-fastly May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this hunk does anything-

The ? operator applies one or more from/into conversions between the error types. crate::error::Error implements From<std::io::Error> (it's hidden in the little #[from] note on the IoError declaration), so this is just doing (more verbosely) what ? does.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cceckman-at-fastly cceckman-at-fastly cceckman-at-fastly approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jedisct1 @cceckman-at-fastly