Usability of tlsconfig.MTLSClientConfig and tlsconfig.MTLSServerConfig #143
Comments
|
Thanks for opening this, @edwarnicke! I'm sorry you got bit here! One thing to note is that creating a config that works for both server and client is only practical for MTLS since both client and server need the same things (i.e., svid and bundle source with an authorizer). The same cannot be said for the TLS or WebMTLS family of functions. We chose consistency in this case, but I can see your point. Ultimately I'm open to unifying the That being said, your second suggestion might be promising. However, from what I can tell, it might only work definitively when using a "client" config in the server role (by setting the Curious to hear others thoughts.... |
|
Yeah... in fairness, I blame myself, not the go-spiffe lib for getting bit... I raised this because I expect others will get bitten too. It's a deeply cryptic problem to debug if you don't happen to notice by inspection the issue though... so minimally something to make the error more obvious at runtime would be extremely helpful. |
I just spent the better part of half a day stuck with a mysterious inscrutable error from using MTLSServerConfig when I should have used MTLSClientConfig due to copypasta.
That's 100% on me.
I know you guys care a lot about usability, so I thought I'd open a discussion about this being a possible usability problem.
It would be good if either:
or
The text was updated successfully, but these errors were encountered: