Add Opportunistic TLS implementation #302
Conversation
Force-pushed c45aa34 to 6bf2080
Force-pushed 6bf2080 to 454673d
Force-pushed da6bc3c to 1c1cb5a
Force-pushed 0275788 to 5216b9e
WyriHaximus commented Dec 7, 2022
Thanks to a suggestion from @clue I managed to drop the dependency on reactphp/async#65
SimonFrings left a comment
I added some remarks and suggestions for the documentation, same suggestions are also important for the doc-blocks inside the added classes.
Force-pushed 5216b9e to f86e4f8
WyriHaximus commented Dec 17, 2022
> I added some remarks and suggestions for the documentation, same suggestions are also important for the doc-blocks inside the added classes.

@SimonFrings Let me know if you have any more pointers. I will apply them to the docblocks later today.
This commit introduces the functionality required to build opportunistic TLS clients and servers with ReactPHP. It does so by introducing a prefix to `tls://`, namely `opportunistic`, to create `opportunistic+tls://example.com:5432` for example as the full URL. This will create an `OpportunisticTlsConnectionInterface` (instead of a `ConnectionInterface`) that extends the `ConnectionInterface` and exposes the `enableEncryption` method to enable TLS encryption at the desired moment. Inside this PR is an example of a server and client negotiating when to enable TLS and enable it when ready.

Opportunistic Security described in RFC7435: https://www.rfc-editor.org/rfc/rfc7435

External PR using the proposed changes in this commit: voryx/PgAsync#52
Force-pushed f86e4f8 to fb5c2e7
WyriHaximus commented Dec 20, 2022
@SimonFrings Updated the doc blocks
SimonFrings left a comment
Thanks for updating, texts and the overall code structure are looking fine 👍
I am not very experienced when it comes to opportunistic TLS, so I can't really review if this is exactly the way to introduce this to the project, but the rest looks good to me.
WyriHaximus commented Jan 2, 2023
> Thanks for updating, texts and the overall code structure are looking fine 👍
👍
> I am not very experienced when it comes to opportunistic TLS, so I can't really review if this is exactly the way to introduce this to the project, but the rest looks good to me.

The only reason I found out STARTTLS is a flavor of opportunistic TLS is because I started working on voryx/PgAsync#52; I wrote down the why at https://blog.wyrihaximus.net/2023/01/migrating-from-self-hosted-in-k8s-databases-to-managed-hosted-at-digital-ocean/. That is also why I started with STARTTLS and ended up with opportunistic TLS, just providing the bare bones to do it and not implementing some standard on top of it.
WyriHaximus commented May 1, 2023
As discussed, I've extracted this into a package: https://github.com/WyriHaximus/reactphp-opportunistic-tls
mbonneau commented Sep 22, 2024
Hello, is there a roadmap on when this can be merged?
WyriHaximus commented Jul 20, 2025

> Hello, is there a roadmap on when this can be merged?
Just released this in a separate package as v1, currently updating voryx/PgAsync#52 to make sure TLS modes are being tested.
This PR introduces the functionality required to build opportunistic TLS clients and servers with ReactPHP. It does so by introducing a prefix to `tls://`, namely `opportunistic`, to create `opportunistic+tls://example.com:5432` for example as the full URL. This will create an `OpportunisticTlsConnectionInterface` (instead of a `ConnectionInterface`) that extends the `ConnectionInterface` and exposes the `enableEncryption` method to enable TLS encryption at the desired moment. Inside this PR is an example of a server and client negotiating when to enable TLS and enable it when ready.

Opportunistic Security described in RFC7435: https://www.rfc-editor.org/rfc/rfc7435
External PR using the proposed changes in this PR: voryx/PgAsync#52
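The following is an added example of how a client would use the API described in this PR; it is not code from the PR, from reactphp/socket, or from the extracted package. It takes from the description only the `opportunistic+tls://` URL scheme, the `OpportunisticTlsConnectionInterface` type and its `enableEncryption()` method. Everything else is an assumption: the interface's namespace, that `enableEncryption()` returns a promise resolving to the encrypted connection, and the "STARTTLS" / "OK" exchange, which is a constructed application protocol standing in for whatever the real protocol (e.g. PostgreSQL's SSLRequest in voryx/PgAsync#52) negotiates. The point it illustrates is the security-relevant one: nothing sensitive is written before the upgrade has completed, and a refused or failed upgrade closes the connection instead of continuing in plaintext.

```php
<?php
// Added example (not code from the PR or the project): an opportunistic-TLS
// client built on the API the PR describes. An `opportunistic+tls://` URL yields
// an OpportunisticTlsConnectionInterface whose enableEncryption() upgrades the
// already-open plaintext socket to TLS at a moment the application chooses.
//
// Assumptions not stated on the page: the interface lives in React\Socket, and
// enableEncryption() returns a promise that resolves with the encrypted
// connection once the TLS handshake has finished. The "STARTTLS\n" / "OK\n"
// exchange is a constructed stand-in protocol, assumed to arrive in one chunk.

require __DIR__ . '/vendor/autoload.php';

use React\Socket\ConnectionInterface;
use React\Socket\Connector;
use React\Socket\OpportunisticTlsConnectionInterface; // namespace assumed

$connector = new Connector();

$connector->connect('opportunistic+tls://example.com:5432')->then(
    function (ConnectionInterface $connection) {
        if (!$connection instanceof OpportunisticTlsConnectionInterface) {
            // Fail closed: a connection that cannot be upgraded must never
            // carry credentials, so refuse to proceed instead of degrading.
            $connection->close();
            throw new \RuntimeException('connection cannot be upgraded to TLS');
        }

        // Plaintext phase: only the upgrade request is sent in the clear.
        $connection->once('data', function (string $reply) use ($connection) {
            if (trim($reply) !== 'OK') {
                // The server declined the upgrade. Opportunistic TLS (RFC 7435)
                // offers no protection against an active downgrade unless the
                // client insists on encryption, so this client does.
                echo "server refused TLS upgrade, closing\n";
                $connection->close();
                return;
            }

            // Upgrade in place; the same socket continues, now under TLS.
            $connection->enableEncryption()->then(
                function (ConnectionInterface $encrypted) {
                    // Encrypted phase: only now is anything sensitive written.
                    // Credentials are placeholders for the example.
                    $encrypted->write("AUTH example-user example-secret\n");
                    $encrypted->on('data', function (string $chunk) {
                        echo 'encrypted reply: ' . trim($chunk) . "\n";
                    });
                },
                function (\Throwable $error) use ($connection) {
                    // Handshake failure (bad certificate, hostname mismatch,
                    // protocol error): close rather than retry in plaintext.
                    echo 'TLS handshake failed: ' . $error->getMessage() . "\n";
                    $connection->close();
                }
            );
        });

        $connection->write("STARTTLS\n");
    },
    function (\Throwable $error) {
        echo 'connect failed: ' . $error->getMessage() . "\n";
    }
);
```

The two branches that close the connection are deliberate: the value of opportunistic TLS, as RFC 7435 frames it, is in the upgrade being attempted whenever possible, but a client that has secrets to send gets its actual protection only from refusing to proceed without it. A server counterpart would mirror this by answering the upgrade request and calling `enableEncryption()` on its side before reading anything it treats as authenticated.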