[PR #98] [CLOSED] Split mTLS client and CA certificates handling for improved TLS configuration #121

Closed
opened 2025-11-19 07:14:28 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/98
Author: @Pallavikumarimdb
Created: 8/4/2025
Status: Closed

Base: dev ← Head: feat/Split-mTLS-client-and-CA-certificates


📝 Commits (6)

  • e1ddad0 Bump github.com/docker/docker in the prod-patch-updates group
  • 9e73aab Update flake.nix to 1.4.0
  • a0f0b67 Merge pull request #96 from firecat53/main
  • 3ccd755 Merge pull request #95 from fosrl/dependabot/go_modules/prod-patch-updates-e08645070f
  • 151d0e3 Stop sending requests when you get a terminate
  • d52f89f Split mTLS client and CA certificates

📊 Changes

7 files changed (+300 additions, -36 deletions)


📝 README.md (+39 -8)
📝 flake.lock (+3 -3)
📝 flake.nix (+2 -2)
📝 go.mod (+1 -1)
📝 go.sum (+2 -2)
📝 main.go (+157 -9)
📝 websocket/client.go (+96 -11)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR introduces a clearer separation between the mTLS client certificate/key and the CA certificate for the Newt service. The previous implementation used a single certificate path for both client authentication and CA verification. This change introduces the following:

  • --tls-client-cert-file: Path to the client certificate used for mTLS
  • --tls-client-key: Path to the private key associated with the client certificate
  • --tls-client-ca: Path to the CA certificate used to verify the server

Changes made:

  • Added three new CLI flags for TLS client certificate, key, and CA.
  • Ensured backward compatibility by not removing any existing functionality.

How to test?

Testing:

  • Local Docker environment used to simulate mTLS using generated client.key, client.crt, and ca.crt.
  • Verified failure when invalid paths are passed and success with correct certs.
  • Confirmed mutual TLS handshake is successful with valid certs.

Closes #54


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
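The three inputs the PR describes (client certificate, client key, CA bundle) map onto a Go `tls.Config` as shown below. This is an added example written for this page, not code from the newt repository or from the PR's diff; it generates a throwaway CA, server certificate and client certificate in memory (all constructed), then runs two mutual-TLS handshakes over loopback: one where the client is handed the real CA as its trust anchor, and one where the client's own certificate is reused as the CA input, which is the single-path arrangement the PR replaces. Function names such as `buildClientTLSConfig` and `mkIdentity`, the hostnames `newt-server.example` and `newt-client.example`, and the choice of a single CA trusted on both sides are assumptions made for the example, not details from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must unwraps (value, error) pairs while building the constructed in-memory PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity is one party's certificate and key; nothing in this example is read from disk.
type identity struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey; CertPEM, KeyPEM []byte }

// mkIdentity issues a self-signed CA when issuer is nil, otherwise a leaf limited to usage.
func mkIdentity(name string, issuer *identity, usage x509.ExtKeyUsage) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	parent, signer := tmpl, key // self-signed CA unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &identity{must(x509.ParseCertificate(der)), key,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))})}
}

// buildClientTLSConfig takes the three inputs behind the PR's flags: client cert + key for mTLS, CA to verify the server.
func buildClientTLSConfig(clientCertPEM, clientKeyPEM, caPEM []byte, serverName string) (*tls.Config, error) {
	clientCert, err := tls.X509KeyPair(clientCertPEM, clientKeyPEM)
	if err != nil {
		return nil, fmt.Errorf("client cert/key: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("ca: no certificates found in PEM input")
	}
	return &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// handshake runs one TLS handshake over loopback TCP and reports either side's error.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if sErr := <-srvErr; err == nil { // a TLS 1.3 client finishes first; the server's verdict comes last
		conn.Close()
		return sErr
	}
	return err
}

// scenarioResult: real CA as trust anchor vs. the client's own leaf cert reused as CA (the single-path setup the PR replaces).
type scenarioResult struct{ SeparateCAOK, LeafAsCAFailed bool }
func runScenarios() scenarioResult {
	ca := mkIdentity("example-ca", nil, x509.ExtKeyUsageAny)
	srv := mkIdentity("newt-server.example", ca, x509.ExtKeyUsageServerAuth)
	cli := mkIdentity("newt-client.example", ca, x509.ExtKeyUsageClientAuth)
	good := must(buildClientTLSConfig(cli.CertPEM, cli.KeyPEM, ca.CertPEM, "newt-server.example"))
	bad := must(buildClientTLSConfig(cli.CertPEM, cli.KeyPEM, cli.CertPEM, "newt-server.example"))
	serverCfg := &tls.Config{ // the same CA is trusted on both sides in this example
		Certificates: []tls.Certificate{must(tls.X509KeyPair(srv.CertPEM, srv.KeyPEM))},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: good.RootCAs, MinVersion: tls.VersionTLS12,
	}
	return scenarioResult{handshake(serverCfg, good) == nil, handshake(serverCfg, bad) != nil}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

`buildClientTLSConfig` is the piece that corresponds to the PR's description: `Certificates` carries what `--tls-client-cert-file` and `--tls-client-key` point at, `RootCAs` carries what `--tls-client-ca` points at, and the two are never derived from one path. The second scenario is why the split matters: a leaf certificate loads fine into a CA pool (`AppendCertsFromPEM` accepts it), so a single-path configuration fails only at handshake time with an "unknown authority" error rather than at startup, which is the kind of misconfiguration the PR's "invalid paths" test was exercising.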

GiteaMirror added the pull-request label 2025-11-19 07:14:28 -06:00
Reference: github-starred/newt#121