[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] TLS on Xen



>> On 15 January 2015 at 17:58, Thomas Gazagnaire <thomas@xxxxxxxxxxxxxx> wrote:
>>>> - It would be good if you could configure an https server directly in
>>>> config.ml. Currently, the need to configure it with a certificate and
>>>> private key means this step has to go in the unikernel.
>>> 
>>> would it be possible to do something like for the IP address where we write 
>>> the IP address in config.ml and then generate main.ml with the same IP 
>>> printed in (ie. we "lift" the IP value from the configuration language to 
>>> the main program)? Is there a way to print a server configuration as a 
>>> string which can be interpreted as an OCaml value?
>> 
>> What's the recommended way to store the private key? I don't want it
>> in config.ml because that's part of the source repository. I could
>> load it there. I can't deploy via a public GitHub repository if the
>> binary contains the key, so maybe it should be stored on a block
>> device?
> 
> At the risk of abusing XenStore too much, it could also be written there
> with suitably constrained permissions.  It would still need to be a block
> device for normal cloud providers though.

maybe you can load the key when configuring your unikernel ie. it should be 
available on the filesystem (or somewhere else) where you are configuring your 
unikernel.

in that case you can:
- in config.ml: call a function to read the private key
- in main.ml: you can generate some code with the hard-coded private key read 
while configuring

Regarding xenstore: I'm still a bit uncomfortable with passing dynamic secret 
data in there

Thomas
_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.