[PR #99] [MERGED] Split mTLS client and CA certificates handling for improved TLS configuration #122

Closed
opened 2025-11-19 07:14:30 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/99
Author: @Pallavikumarimdb
Created: 8/4/2025
Status: Merged
Merged: 8/31/2025
Merged by: @oschwartz10612

Base: main ← Head: feat/Split-mTLS-client-and-CA-certificates


📝 Commits (1)

  • d52f89f Split mTLS client and CA certificates

📊 Changes

3 files changed (+287 additions, -28 deletions)

View changed files

📝 README.md (+39 -8)
📝 main.go (+152 -9)
📝 websocket/client.go (+96 -11)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR introduces a clearer separation between the mTLS client certificate/key and the CA certificate for the Newt service. The previous implementation used a single certificate path for both client authentication and CA verification. This change introduces the following:

  • --tls-client-cert-file: Path to the client certificate used for mTLS
  • --tls-client-key: Path to the private key associated with the client certificate
  • --tls-client-ca: Path to the CA certificate used to verify the server

Changes made:

  • Added three new CLI flags for TLS client certificate, key, and CA.
  • Ensured backward compatibility by not removing any existing functionality.

How to test?

Testing:

  • Local Docker environment used to simulate mTLS using generated client.key, client.crt, and ca.crt.
  • Verified failure when invalid paths are passed and success with correct certs.
  • Confirmed mutual TLS handshake is successful with valid certs.

Closes #54


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2025-11-19 07:14:30 -06:00
Reference: github-starred/newt#122