Conversation
jxx-gg commented Sep 10, 2021
- The example includes 3 binaries, server, target and client.
- server: it only serves as a proxy, and it doesn't create new sessions.
- target: it registers at the server, and waits for incoming connections. If a supported incoming connection is received, it dials a pre-specified address.
- client: it registers at the server, and tries to dial at the [dialTarget, dialTargetType]. Once a tunnel session is established (via server) to the target, it will connect the tunnel session to the local stdIO. This can be used with ssh's ProxyCommand option (see comments in the client.go for an example command).
- The example includes two target types, SSH and gNMI.
- mTLS support is also added.
cmd/client/client.go
Outdated
| // --dial_target=target1 \ | ||
| // --dial_target_type=SSH" $USER@localhost | ||
| // mTLS: | ||
| // ssh -o ProxyCommand="client |
Whitespace to be consistent with above TLS example.
cmd/client/client.go
Outdated
| certFile = flag.String("cert_file", "", "The certificate file location") | ||
| keyFile = flag.String("key_file", "", "The private key file location") | ||
| caFile = flag.String("ca_file", "", "The CA file location (for mTLS). If provided, it will be handled as mTLS") |
I'm not a TLS expert, so I may be getting something wrong here, but these options are a bit confusing:
In the TLS case -cert_file is used to specify the CA to verify the server.
In the mTLS case -ca_file is used to specify the CA to verify the server, and -cert_file, -key_file are used to specify the client's certificate and key.
What would be more clear is for the -ca_file to always be used to specify the CA to verify the server. You enable mTLS by passing in cert_file, key_file.
That's a good point. Updated.
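The flag semantics proposed in the comment above (ca_file always supplies the CA that verifies the server; mTLS only when cert_file and key_file are both given), as an added Go example that is not part of this PR or the project's code: wantMTLS and clientTLSConfig are assumed names, and selfSignedPEM produces a constructed throwaway certificate so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// wantMTLS: ca_file is always required (it verifies the server); mTLS is on only when cert_file AND key_file are both set.
func wantMTLS(caFile, certFile, keyFile string) (bool, error) {
	if caFile == "" {
		return false, errors.New("ca_file is required to verify the server")
	}
	if (certFile == "") != (keyFile == "") { // exactly one given: misconfiguration, not a silent fallback to plain TLS
		return false, errors.New("cert_file and key_file must be given together")
	}
	return certFile != "", nil
}

// clientTLSConfig builds the client config from the PEM bytes read from those flag paths.
func clientTLSConfig(mutual bool, caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca_file contains no valid PEM certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12} // the server is verified in both modes
	if mutual { // the client certificate is attached only in mTLS mode
		cert, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// selfSignedPEM makes a constructed, throwaway cert/key pair so the example runs offline.
func selfSignedPEM() (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```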
… side when cert file or key file are not provided
cmd/client/client.go
Outdated
| dialTargetType = flag.String("dial_target_type", "", "The type of target protocol, e.g. GNMI or SSH.") | ||
| certFile = flag.String("cert_file", "", "The certificate file location. If both cert_file and key_file are provided, mTLS will be used.") | ||
| keyFile = flag.String("key_file", "", "The private key file location. If both cert_file and key_file are provided, mTLS will be used.") | ||
| caFile = flag.String("ca_file", "", "The CA file location (for mTLS)") |
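Review bot: the help strings on cert_file and key_file say mTLS is used only when both are provided, so passing just one of them silently degrades to one-way TLS; consider rejecting that combination at startup, e.g. `if (*certFile == "") != (*keyFile == "") { log.Fatal("cert_file and key_file must be given together") }`, so a typo in one path is not mistaken for a working mTLS setup.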
The help message for ca_file should not include "(for mTLS)"