tls

It seems Caddy does not support wildcards/ expression matching in the reverse proxy's header_up.

For example this does not remove any headers:

header_up -X-SHIBBOLETH-*

This works as expected, but is limited in its use:

header_up -X-SHIBBOLETH-LOGIN

It'd be great if Caddy would support wildcards/ expression matching in the reverse proxy's header_up/ header_down.

Right now in different places in the SE codebase there are references to /opt and then as well to /usr.

All SE code should reference one place only. Could someone please create a PR that fixes this.

This PR should also take PR #454 into consideration (no conflicts)

Is your feature request related to a problem? Please describe.

jetstack/cert-manager#3607 implies that certificates are not re-issued if key usages change. This behaviour should be documented and tested with an appropriate conformance test.

https://cert-manager.io/docs/usage/certificate/ should be updated as well

Additional context
https://github.com/jets

There's little information about what keys and values are in the output, what it means and how they are related to the screen output. In general that needs to be added. (special topics see #1675, #1674)

Problem:

A common pattern is:

GUARD(s2n_stuffer_skip_write(stuffer, bytes_to_write));
uint8_t* ptr = suffer->blob.data + stuffer->write_cursor - bytes_to_write;

which could be simplified.

Solution:

*ptr could be an *out parameter to s2n_stuffer_skip_write

• Does this change what S2N sends over the wire? No.
• Does this change any public APIs? No.

FreeBSD uses an rc.d framework for starting up applications. The pidfile is a special case because it is used by the rc system itself. It's used to tell rc how to check the status of the controlled program, or how to stop it. It's not the responsibility of rc to write the pidfile. That falls to the controlled program.

step-ca appears to lack support for creating a pidfile, It's a desirable enha

In test_suite_psa_crypto, for historical reasons, tests of operation setup (hash_setup, mac_key_policy, cipher_key_policy, aead_key_policy) sometimes use one-shot operations and sometimes multi-part operations. Preferably, when both are possible, they should all test both, since we can't be sure that the checks are in the proper place to be done in all cases.