|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [MirageOS-devel] TLS on Xen
>> On 15 January 2015 at 17:58, Thomas Gazagnaire <thomas@xxxxxxxxxxxxxx> wrote: >>>> - It would be good if you could configure an https server directly in >>>> config.ml. Currently, the need to configure it with a certificate and >>>> private key means this step has to go in the unikernel. >>> >>> would it be possible to do something like for the IP address where we write >>> the IP address in config.ml and then generate main.ml with the same IP >>> printed in (ie. we "lift" the IP value from the configuration language to >>> the main program)? Is there a way to print a server configuration as a >>> string which can be interpreted as an OCaml value? >> >> What's the recommended way to store the private key? I don't want it >> in config.ml because that's part of the source repository. I could >> load it there. I can't deploy via a public GitHub repository if the >> binary contains the key, so maybe it should be stored on a block >> device? > > At the risk of abusing XenStore too much, it could also be written there > with suitably constrained permissions. It would still need to be a block > device for normal cloud providers though. maybe you can load the key when configuring your unikernel ie. it should be available on the filesystem (or somewhere else) where you are configuring your unikernel. in that case you can: - in config.ml: call a function to read the private key - in main.ml: you can generate some code with the hard-coded private key read while configuring Regarding xenstore: I'm still a bit uncomfortable with passing dynamic secret data in there Thomas _______________________________________________ MirageOS-devel mailing list MirageOS-devel@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |