Minimum viable SSL connection #5228
Open: fishface60 wants to merge 7 commits into RPTools:develop from fishface60:ssl-client
This is documentation for a manual process that will be incrementally automated.
fe9437e to 198bd3c
SocketConnection has two constructors, either one wrapping an existing socket or one that creates the socket when started. Creating the socket from just the host and port is insufficiently flexible for supporting SSL sockets and since the only difference for how to handle SSL sockets is how they are created, making creation more flexible is the minimal change required to support them.
For now this could plausibly be a boolean in RemoteServerConfig.Socket but it is expected to grow additional complication.
This also adds support for rptools-maptool+tcps URIs to connect to SSL servers over the command-line. This adds the useSSL flag to an existing variant as the minimal change.
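An added example, not code from this pull request or from MapTool: one way a Java client can open the kind of SSL socket the commit message above describes, trusting only a manually created CA certificate and turning on host name checking, which a bare SSLSocket does not do by default. The class and method names, the `//host:port` URI layout, the CA file argument and the requirement that the server certificate names the host are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added illustration; every name here is hypothetical, not MapTool's API.
public class PinnedCaSocketExample {
  // Builds an SSLContext whose only trust anchor is the CA certificate in caPem.
  static SSLContext contextTrustingOnly(Path caPem) throws Exception {
    Certificate ca;
    try (InputStream in = Files.newInputStream(caPem)) {
      ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    trust.load(null, null); // start empty so the system CA bundle is not consulted
    trust.setCertificateEntry("game-ca", ca);
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trust);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  // Connects for an rptools-maptool+tcps URI; other schemes are rejected, not downgraded.
  static SSLSocket open(URI uri, SSLContext ctx) throws Exception {
    if (!"rptools-maptool+tcps".equals(uri.getScheme())) {
      throw new IllegalArgumentException("not an SSL URI: " + uri);
    }
    SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(uri.getHost(), uri.getPort());
    SSLParameters p = s.getSSLParameters();
    // Without this the chain is validated but the certificate's host name is not.
    p.setEndpointIdentificationAlgorithm("HTTPS");
    s.setSSLParameters(p);
    return s;
  }

  public static void main(String[] args) throws Exception { // args: <ca.pem> <uri>
    try (SSLSocket s = open(URI.create(args[1]), contextTrustingOnly(Path.of(args[0])))) {
      s.startHandshake(); // certificate and host name failures surface here
      System.out.println("negotiated " + s.getSession().getProtocol());
    }
  }
}
```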
198bd3c to b292439
I assume the final intent of this change is to move everything into MT and not require any manual set up, or socat or openssl commands to be run or installed on the users' machines?

On Wed, 12 Feb 2025, 01:17 Craig Wisniewski, ***@***.***> wrote:
> I assume the final intent of this change is to move everything into MT and
> not require any manual set up, or socat or openssl commands to be run or
> installed on the users' machines?

Yep, the plan is that this CA stuff becomes automated and users are
prompted to trust the CA certificate on first use and verified through some
secure back-channel like the PIN is.
I suppose I could have named the PR better.
I think I called it Minimum Viable because if you really wanted to, a GM
could set things up manually and it wouldn't be a huge hassle for players
to use.
The big document is partly "here's an explanation of how it works" but
right now it's more useful for being able to test it at all. After
everything is finished it's probably only there for historical interest and
could be mostly or entirely removed.
Identify the Bug or Feature request
Works towards #5164
Description of the Change
Most of the change is documenting how to set up a CA from MapTool's RSA keys, generate certificates and create the SSL tunnel.
The code change is adding support for creating an SSLSocket instead of a regular Socket and the URIs and Dialog to opt into using SSL.
Possible Drawbacks
Having a "Use SSL" checkbox to connect to a MapTool server behind an SSL port without corresponding config to create an SSL server is confusing.
Release Notes
doc/SSL.md for documentation on how to create and configure certificates while the manual steps have yet to be automated.