You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Allow the tang pin to authenticate to the Tang server with mutual TLS.
Three new optional config properties are accepted by clevis-encrypt-tang:
cacert - CA bundle to verify the server certificate (curl --cacert)
cert - client certificate for mTLS (curl --cert)
key - private key for the client certificate (curl --key)
When none are set, behaviour is unchanged. The paths are persisted into
the JWE protected header so clevis-decrypt-tang reuses them for the
recovery (POST /rec) request without extra configuration.
Add a pin-tang-mtls integration test (TLS-fronted tangd via socat with
mandatory client-cert verification) plus tang_generate_certs and
tang_run_mtls helpers. The test skips cleanly when openssl or a
socat built with OpenSSL support is unavailable.
0 commit comments