tailscale

TheArchive/tailscale

Fork 0

mirror of https://github.com/tailscale/tailscale.git synced 2025-04-03 14:55:47 +00:00

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	7fac0175c0	cmd/derper, derp/derphttp: support, generate self-signed IP address certs For people who can't use LetsEncrypt because it's banned. Per https://github.com/tailscale/tailscale/issues/11776#issuecomment-2520955317 This does two things: 1) if you run derper with --certmode=manual and --hostname=$IP_ADDRESS we previously permitted, but now we also: * auto-generate the self-signed cert for you if it doesn't yet exist on disk * print out the derpmap configuration you need to use that self-signed cert 2) teaches derp/derphttp's derp dialer to verify the signature of self-signed TLS certs, if so declared in the existing DERPNode.CertName field, which previously existed for domain fronting, separating out the dial hostname from how certs are validates, so it's not overloaded much; that's what it was meant for. Fixes #11776 Change-Id: Ie72d12f209416bb7e8325fe0838cd2c66342c5cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2025-03-07 05:36:55 -08:00
Brad Fitzpatrick	87546a5edf	cmd/derper: allow absent SNI when using manual certs and IP literal for hostname Updates #11776 Change-Id: I81756415feb630da093833accc3074903ebd84a7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2024-12-05 09:56:48 -08:00

Author

SHA1

Message

Date

Brad Fitzpatrick

7fac0175c0

cmd/derper, derp/derphttp: support, generate self-signed IP address certs

For people who can't use LetsEncrypt because it's banned.

Per https://github.com/tailscale/tailscale/issues/11776#issuecomment-2520955317

This does two things:

1) if you run derper with --certmode=manual and --hostname=$IP_ADDRESS
   we previously permitted, but now we also:
   * auto-generate the self-signed cert for you if it doesn't yet exist on disk
   * print out the derpmap configuration you need to use that
     self-signed cert

2) teaches derp/derphttp's derp dialer to verify the signature of
   self-signed TLS certs, if so declared in the existing
   DERPNode.CertName field, which previously existed for domain fronting,
   separating out the dial hostname from how certs are validates,
   so it's not overloaded much; that's what it was meant for.

Fixes #11776

Change-Id: Ie72d12f209416bb7e8325fe0838cd2c66342c5cf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-03-07 05:36:55 -08:00

Brad Fitzpatrick

87546a5edf

cmd/derper: allow absent SNI when using manual certs and IP literal for hostname

Updates #11776

Change-Id: I81756415feb630da093833accc3074903ebd84a7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2024-12-05 09:56:48 -08:00

2 Commits