Before we dive into client configuration, we should discuss TLS authentication.
Not configuring TLS means plaintext!
First and foremost: if you do not specify the tls parameters in the client and server configurations, you will run a plaintext service. While this is nice for both demo and simple situations, it is likely not suitable for most production installations, nor is it suitable for anywhere on the edge of the
Please configure TLS. :)
About our implementation
Our TLS implementation requires ECDSA keys right now; this is due to how our transport layer is configured (we did not rewrite TLS in Go). You can trivially make a CA and certs with FiloSottile/mkcert, which generates the right key pairs and produces certs suitable for use with tinyci. RSA, which is arguably more prevalent and generated by more programs, will be supported soon.
SNI is enabled and verified, so be sure you have programmed
Generating compatible certs
Here's an example script that can generate certs for localhost that are compatible with tinyci. You will need the Go toolchain installed and configured properly, or an installable build of mkcert from the
go get github.com/FiloSottile/mkcert # only if you didn't install it by hand

# mkcert --install writes rootCA.pem into $CAROOT; the existence checks below
# look in /var/ca, so point CAROOT there (assumed, to make the script consistent).
mkdir -p /var/ca
export CAROOT=/var/ca

[ -f /var/ca/rootCA.pem ] || mkcert --ecdsa --install

[ -f /var/ca/localhost-server.pem ] || mkcert \
  --ecdsa \
  --cert-file /var/ca/localhost-server.pem \
  --key-file /var/ca/localhost-server.key \
  localhost 127.0.0.1 ::1

[ -f /var/ca/localhost-client.pem ] || mkcert \
  --client \
  --ecdsa \
  --cert-file /var/ca/localhost-client.pem \
  --key-file /var/ca/localhost-client.key \
  localhost 127.0.0.1 ::1
If you're following by example, put this into a file called generate-localhost.sh and execute it with bash generate-localhost.sh. We will use these certs in the next section of the documentation to describe how the client and server are configured.