The configuration for libtlssep typically resides at /etc/tlssep-decorator-api-version.cfg.
An example configuration is shown below.
certpath = "/etc/pki/tls/certs/cert.pem";
privkeypath = "/etc/pki/tls/certs/key.pem";
verification = ( "ca" );

programs = ({
    path = "/usr/bin/my-prototype";
    verification = ( "ca", "self-signed" );
    enough = 1;
})
You might find this syntax familiar if you have studied CertShim, as CertShim provided the inspiration for libtlssep's configuration engine. The first three lines specify the global configuration parameters; in this case, the path to a certificate and private key as well as the default certificate-trust model.
The application-specific statement beginning on Line 5 overrides the configuration when tlssep-decorator acts on behalf of /usr/bin/my-prototype so that the program chains two verification techniques: the traditional CA model and self-signed certificates, with the latter presumably supported for development purposes. Here the meaning of the enough parameter resembles CertShim's vote: satisfying one of either CA or self-signed verification is sufficient for this application. Had the administrator set enough to 2, the application would require that both verifications be successful; in the absence of an enough parameter, tlssep-decorator will enforce all of the specified verification techniques.
An administrator could select other trust models here without making any changes to application source code.
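The following Python sketch is an added illustration of the enough semantics described above; it is not libtlssep code. The dictionaries mirror the sample configuration, the function names are hypothetical, and two behaviours are assumptions of this example: a program with no matching entry falls back to the global verification list, and an enough value outside 1..N is rejected as a configuration error.

```python
# Added illustration of the "enough" threshold; not part of libtlssep.
# GLOBAL and PROGRAMS are a constructed model of the sample configuration.
GLOBAL = {"verification": ["ca"]}
PROGRAMS = [{
    "path": "/usr/bin/my-prototype",
    "verification": ["ca", "self-signed"],
    "enough": 1,
}]


def effective_policy(program_path, global_cfg=GLOBAL, programs=PROGRAMS):
    """Return (techniques, threshold) for the program being served."""
    entry = next((p for p in programs if p["path"] == program_path), None)
    # Assumption: without a matching programs entry, the global model applies.
    source = entry if entry is not None else global_cfg
    techniques = list(source["verification"])
    # No "enough" parameter: every listed technique must succeed.
    threshold = source.get("enough", len(techniques))
    # Assumption: reject thresholds outside 1..N, because enough = 0 would
    # accept any certificate and enough > N could never be satisfied.
    if not 1 <= threshold <= len(techniques):
        raise ValueError(f"enough={threshold} is invalid for {techniques}")
    return techniques, threshold


def certificate_accepted(program_path, results, **cfg):
    """results maps a technique name to the boolean outcome of that check."""
    techniques, threshold = effective_policy(program_path, **cfg)
    # A technique with no recorded outcome counts as failed (fail closed).
    passed = sum(1 for t in techniques if results.get(t, False))
    return passed >= threshold
```

With the sample configuration, a certificate that passes only self-signed verification is accepted for /usr/bin/my-prototype and rejected for every other program.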