Currently, OCSP responses that aren't signed by the root CA will fail
with a verification error. This change allows intermediates, or
designated responders, to sign responses on behalf of the CA.
Currently when using TLS based authentication, any domain components
that could be present in the cert will be omitted since Go's
ToRDNSequence is not including them:
202c43b2ad/src/crypto/x509/pkix/pkix.go (L226-L245)
This commit adds support to include the domain components in case
present, also roughly following the order suggested at:
https://tools.ietf.org/html/rfc2253
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Also try multiple email and SANs found in cert until one valid
otherwise, default to the subject in the cert.
```
authorization {
users [
{ user = "app.nats.dev", permissions = {
publish {
allow = ["sandbox.>"]
}
subscribe {
allow = ["sandbox.>"]
}
}
}
]
}
```
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Based on @softkbot PR #913.
Removed the command line parameter, which then removes the need for Options.Cluster.TLSInsecure.
Added a test with config reload.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
When enabling verify and map as part of its TLS config
a the subject from TLS cert can now be used to confirm
the identity of a gateway.
```
gateway {
tls {
cert_file = "./configs/certs/tlsauth/server.pem"
key_file = "./configs/certs/tlsauth/server-key.pem"
ca_file = "./configs/certs/tlsauth/ca.pem"
verify_and_map = true
timeout = 2
}
authorization {
user = "CN=localhost,OU=NATS.io Operators"
}
}
```
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Similar as with clients, this makes it possible to
use the subject from a TLS certificate to validate
the permissions from a cluster member.
Currently only a single configured user is supported:
```
cluster {
tls {
cert_file = "./configs/certs/tlsauth/server.pem"
key_file = "./configs/certs/tlsauth/server-key.pem"
ca_file = "./configs/certs/tlsauth/ca.pem"
verify_and_map = true
timeout = 2
}
permissions {
publish {
allow = ["public.>"]
}
subscribe {
allow = ["public.>"]
}
}
authorization {
user = "CN=localhost,OU=NATS.io Operators"
}
}
```
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
