Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial cert validation test #2582

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Conversation

benjaminleonard
Copy link
Contributor

Fixes #2580 and related to #2578

Idea from @augustuswm to soft validate the cert. Unfortunately I think we need a library to parse the cert but I lazy imported it to avoid adding to the main bundle since most users will not see this.

Principally the risk here is what I dont know about certs:

  1. wildcard handling might need to be sophisticated
  2. certs that arrange slightly different in a way that parseCertificate() doesn't catch

But feels, like the image soft validation, that it could be a good quality of life improvement for something that is potentially very painful when not done correctly. We might want to label the CN and SAN on the messages list of found names.

image

Copy link

vercel bot commented Nov 27, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
console ✅ Ready (Inspect) Visit Preview Nov 27, 2024 3:33pm

package.json Outdated Show resolved Hide resolved
@benjaminleonard
Copy link
Contributor Author

Added tests, improved wildcard handling and also a message in case the certificate cannot be parsed.

image

Message copy needs work.

@benjaminleonard
Copy link
Contributor Author

Do we have a good way of getting the domain? I vaguely remember some discussion around with the IdP setup.

@charliepark
Copy link
Contributor

@augustuswm
Copy link

This looks awesome, thanks for picking it up. I think initial rack install will certainly benefit from it.

@benjaminleonard
Copy link
Contributor Author

Is this your card? https://github.com/oxidecomputer/console/blob/require_tls_cert/app/forms/idp/util.ts#L16-L17

Do we need some copy to caveat incase that is not correct. I remember some talk about a proxy perhaps throwing it off?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

TLS cert soft failure
4 participants