tls

I’m trying to script setup and configuration of caddy server based on a custom download that includes additional plugins (caddy-auth-portal, caddy-auth-jwt, caddy-trace, and various caddy-dns modules ).

During setup, the caddy unit file is configured to run caddy as a non priveledged user (by design).

To get certificates configured properly we are attempting to use the caddy trust command

Right now in different places in the SE codebase there are references to /opt and then as well to /usr.

All SE code should reference one place only. Could someone please create a PR that fixes this.

This PR should also take PR #454 into consideration (no conflicts)

Is your feature request related to a problem? Please describe.

jetstack/cert-manager#3607 implies that certificates are not re-issued if key usages change. This behaviour should be documented and tested with an appropriate conformance test.

https://cert-manager.io/docs/usage/certificate/ should be updated as well

Additional context
https://github.com/jets

There's little information about what keys and values are in the output, what it means and how they are related to the screen output. In general that needs to be added. (special topics see #1675, #1674)

Problem:

A common pattern is:

GUARD(s2n_stuffer_skip_write(stuffer, bytes_to_write));
uint8_t* ptr = suffer->blob.data + stuffer->write_cursor - bytes_to_write;

which could be simplified.

Solution:

*ptr could be an *out parameter to s2n_stuffer_skip_write

• Does this change what S2N sends over the wire? No.
• Does this change any public APIs? No.

What would you like to be added

We can't query smallstep for anything related to certs because the only thing in the DB is the bytes of the cert. Storing the cert alongside more columns like the common name, not after date, and more, would let us enable more complex queries, and optimize performance for future use cases.

Why this is needed

Enable searching of Certificates signed by attrib

Suggested enhancement

The max_content_len (in and out) is configurable at compile time only. It is used in mbedtls_ssl_setup for alloc memory.

Justification

When in need of having 2 tls sessions to different servers, even if one server is not supporting max_content_len, both sessions are forced to have 16k of IN buffer since it is a compile time option. If configurable at run time,