(cherry-pick from commit c1d4403) These TLS communications actually use 'verifyPeer=yes', while applying CRLs requires root CA certificates and 'verifyChain=yes'.
Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 2f42df4) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 139068c) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit c36ed78) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 6128c1c) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 632c50f) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 09a0eb1) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 6c7b994) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 6341455) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 71b8c00) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 2e8a306) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 74a0a45) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 9509a1f) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 608926c) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit df5b255) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 2a3a759) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 2fdfaf4) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit bc6e11b) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 23fbffc) Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 36890b6) Signed-off-by: Ming Lu <ming.lu@cloud.com>
Signed-off-by: Ming Lu <ming.lu@cloud.com>
(cherry-pick from commit 8f2abd1) A new LICENSE_SERVER_CERT_CHECK_FAILED is added in LICENSE_CHECKOUT_ERROR with a second string of <The unknown leaf server certificate in PEM format>. Now the xe command only prints the second string in this case, which is hard to understand and to distinguish from the existing CERTIFICATE_INVALID. So concatenate the two strings and print them.
Signed-off-by: Changlei Li <changlei.li@cloud.com>
(cherry-pick from commit fd98c31) Add a module UnixSocketProxy in the stunnel lib to provide a unix socket path that can proxy TLS. This can offer a unified mechanism for different users. Stunnel listens on the unix socket path, accepts the connection from the local request, then forwards it to the remote host and port with TLS. The certificate checking in the TLS connection can be done by stunnel with the new trusted-certs implementation. Two sets of APIs are provided:

1. A long-running stunnel proxy, for when the user wants to use it multiple times and handle the proxy lifecycle itself.

```OCaml
let stunnel_proxy =
  Stunnel.UnixSocketProxy.start ~verify_cert ~remote_host ~remote_port ()
in
match stunnel_proxy with
| Error e -> (* handle error *)
| Ok proxy_handle ->
    let socket_path = Stunnel.UnixSocketProxy.socket_path proxy_handle in
    (* use socket_path with HTTP clients *)
    ...
    Stunnel.UnixSocketProxy.diagnose proxy_handle |> function
    | Ok () -> (* all good *)
    | Error err -> (* handle connection errors *)
    ...
    Stunnel.UnixSocketProxy.stop proxy_handle (* clean up when done *)
```

2. A short-lived stunnel proxy, for when the user just wants one-shot use with auto cleanup.

```OCaml
Stunnel.UnixSocketProxy.with_proxy ~verify_cert ~remote_host ~remote_port
  (fun proxy_handle ->
    let socket_path = Stunnel.UnixSocketProxy.socket_path proxy_handle in
    (* use socket_path with HTTP clients *)
    ...
    Stunnel.UnixSocketProxy.diagnose proxy_handle)
```

Signed-off-by: Changlei Li <changlei.li@cloud.com>
(cherry-pick from commit 0430475) Currently, verify_error relies on "certificate verify failed" and "No certificate or private key specified" in the stunnel log file. In fact, "No certificate or private key specified" is a normal log line for stunnel_proxy. It happens when stunnel configuration fails with verbose logging enabled. We can remove it, as it is covered by "Configuration failed". As for "certificate verify failed", it is an indicator of a certificate verification failure, but the detailed reasons are in the previous lines, like "CERT: Pre-verification error: unable to get local issuer certificate" and "CERT: Subject checks failed". So the "CERT: " lines are collected, and if "certificate verify failed" is found, the details can be raised as the reason.
Signed-off-by: Changlei Li <changlei.li@cloud.com>
(cherry-pick from commit 9e8f41a) In a long-running proxy, every call to diagnose needs to read the entire stunnel log. It is inefficient. Store the input channel of the log file in the proxy t; then diagnose can read the log from the position after the last time it was called.
Signed-off-by: Changlei Li <changlei.li@cloud.com>
(cherry-pick from commit f9abe00) Signed-off-by: Changlei Li <changlei.li@cloud.com>
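The verify-error logic described in commits 0430475 and 9e8f41a above (collect the "CERT: " lines, surface them as the reason when "certificate verify failed" appears, treat "Configuration failed" as the configuration error and ignore the benign "No certificate or private key specified" line, and keep the log handle open so each diagnosis reads only lines appended since the previous one), written out as an added stand-alone illustration in Python. This is not the xapi project's OCaml code: the stunnel log lines are constructed for the demo, and the `LogDiagnoser` name and the `(kind, detail)` return shape are this example's own choices.

```python
import os
import tempfile

# Markers quoted from the commit messages above.
CERT_PREFIX = "CERT: "
VERIFY_FAILED = "certificate verify failed"
CONFIG_FAILED = "Configuration failed"


class LogDiagnoser:
    """Incremental stunnel log diagnosis.

    The open file object is kept across calls (the analogue of storing the
    input channel in the proxy record), so each diagnose() call only looks
    at the lines appended since the previous call.
    """

    def __init__(self, log):
        self.log = log          # file object positioned where reading should resume
        self.cert_lines = []    # "CERT: ..." details seen since the last verdict

    def diagnose(self):
        """Return None if no error was logged, otherwise a (kind, detail) pair.

        The kind strings are labels chosen for this example, not the project's.
        """
        while True:
            line = self.log.readline()
            if not line:        # reached the current end of the log
                return None
            line = line.rstrip("\n")
            if CONFIG_FAILED in line:
                # "No certificate or private key specified" on its own is a
                # normal verbose-log line; the configuration failure is what
                # matters, so only this marker produces a verdict.
                return ("configuration_failed", line)
            idx = line.find(CERT_PREFIX)
            if idx != -1:
                # The real reason for a verify failure lives in these lines.
                self.cert_lines.append(line[idx + len(CERT_PREFIX):])
            elif VERIFY_FAILED in line:
                detail = "; ".join(self.cert_lines) or line
                self.cert_lines = []
                return ("certificate_verify_failed", detail)


# Constructed log chunks, shaped like stunnel's verbose output.
FIRST_CHUNK = (
    "LOG5[0]: Configuration successful\n"
    "LOG7[1]: No certificate or private key specified\n"
    "LOG4[1]: CERT: Pre-verification error: unable to get local issuer certificate\n"
    "LOG4[1]: CERT: Subject checks failed\n"
    "LOG3[1]: SSL_connect: certificate verify failed\n"
)
SECOND_CHUNK = (
    "LOG7[2]: No certificate or private key specified\n"
    "LOG5[2]: Configuration successful\n"
)
THIRD_CHUNK = "LOG3[3]: Configuration failed\n"


def run_demo():
    """Append the chunks to a temporary log between diagnose() calls and
    return the three verdicts; the second one is None only because the
    reader resumes after the first verdict instead of rereading the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "stunnel.log")
        with open(path, "w") as w:
            w.write(FIRST_CHUNK)
        with open(path) as log:
            diag = LogDiagnoser(log)
            first = diag.diagnose()
            with open(path, "a") as w:
                w.write(SECOND_CHUNK)
            second = diag.diagnose()
            with open(path, "a") as w:
                w.write(THIRD_CHUNK)
            third = diag.diagnose()
    return first, second, third


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Clearing `cert_lines` after each verdict keeps details from one failed connection from being attributed to a later one; a reader that reopened and rescanned the whole log on every call would instead report the first failure again on the second call.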
Backport changes in a master-based feature branch to an LCM-based new feature branch. This aims to test the feature thoroughly on the LCM branch as well. The original commits are referenced in the individual cherry-picked commit messages. The original PRs are: #6863 (2 commits in it, 1 of them has been backported separately), #6826, #6925, #6886
Signed-off-by: Ming Lu <ming.lu@cloud.com>
No conflicts. One extra commit daef7c7 to bump up schema_minor_vsn.
Signed-off-by: Ming Lu <ming.lu@cloud.com>
CI fails. Try to sync with 26.1-lcm first?
changlei-li
approved these changes
Apr 27, 2026
Feature merge PR.
The merge PR to master branch is #7026