New sub-command: account tls #660
Conversation
|
nats account info already shows basic tls info - that’s where we show connection related things where server * tend to be system user stuff. So I think either extend nats account info with a flag to show tls details else a new nats account sub command might be most in line with current flow ? |
|
I considered that, but to me, It feels like putting this in account is stretching into tech debt misplacement, so I opted to put it in a place which made it clearer what the context is. What I'm not sure about is if this should be part of |
|
Running this (which suggests that nats server tls | perl -ne 'print unless /^-----BEGIN CERTIFICATE-----$/../^-----END CERTIFICATE-----$/' yields output: |
|
well, perhaps And accessing this data isnt system specific or admin stuff - its for everyone, every connection - so despite the name perhaps being bad, nats account info is the right place to render this in considering current existing features. |
|
Okay, will move it. And I think I'll add |
|
yeah I think it would need to be opt-in like --pem to not spam all nats account info output with this |
philpennock
force-pushed
the
pdp/server-tls
branch
from
8046485
to
7379093
Compare
|
I went with your "else a new nats account sub command" because this really is quite a bit of data which isn't directly useful for the normal flow, and also went with your request to make the PEM be opt-in. Using octothorpe So, |
|
Cool, will review in the new year in depth |
|
We might also consider |
|
Is this output format some kind of standard? It's not super user friendly but if its a standard format then fine, otherwise maybe more in-line with the rest of the tool design as a table or somethihng? |
Not standard, but using comments is fine in PEM certificate files, they'll be ignored. It's generally a good idea to decorate the PEM certs in a file, to explain which cert it is you're looking at. Thus the model of using this combined with PEM emission. I think it would be more annoying to switch when PEM certs are included so am inclined to leave it in this format if that's fine. |
|
Ah, now the use case makes sense, ok - well then it makes sense to always emit the PEM data anyway (I mainly didnt want PEM noise along with friendly ux stuff) but here it makes sense |
philpennock
force-pushed
the
pdp/server-tls
branch
from
f6cb4da
to
9d69612
Compare
|
Okay, switched to needing |
Running `nats account tls` will report all the valid TLS chains verified by the client for the current TLS connection. Each chain shows the PEM-encoded form of each cert in the chain, preceded by some hopefully-useful data as comments. Add `--no-pem` to skip the PEM and leave the comments. We'll warn, and exit with an error, if we're within 1 week of the expiration of a certificate. This is adjustable with a flag. Exiting if a cert has expired is not adjustable (but shouldn't happen with verified chains). There's logic for OCSP verification, taken from my smtpdane tool (I'm the copyright holder of that tool so this is fine, relicensing this copied 20 line snippet as part of natscli).
philpennock
force-pushed
the
pdp/server-tls
branch
from
9d69612
to
458dfa6
Compare
|
Rebased/squashed and merged. Thanks! |
Running
nats server tlswill report all the valid TLS chains verified by the client for the current TLS connection. Each chain shows the PEM-encoded form of each cert in the chain, preceded by some hopefully-useful data as comments.We'll warn, and exit with an error, if we're within 1 week of the expiration of a certificate. This is adjustable with a flag. Exiting if a cert has expired is not adjustable (but shouldn't happen with verified chains).
There's logic for OCSP verification, taken from my smtpdane tool (I'm the copyright holder of that tool so this is fine, relicensing this copied 20 line snippet as part of natscli).
Warning: I'm unable to get OCSP stapling working with a server in my setup, so I haven't been able to properly test the OCSP output mode. The tool of mine I copied it from, works fine with this.