tls

Context: https://caddy.community/t/including-files-scripts/15050/4

Right now, the templates module is inflexible in that only functions the functions registered by Caddy itself are available.

A good refactor would be to make it possible to pass an optional array of modules in the http.handlers.templates.functions.* namespace which get invoked at Provision() time to register additional

Currently the PKCS12_parse() fails if it is called on mac-less PKCS12 files. Given the KDF used with the MAC algorithm in PKCS12 is not FIPS compliant it would be desirable to allow mac-less PKCS12 files.

The PR would need to include some tests for PKCS12_parse API as there are currently none.

Right now in different places in the SE codebase there are references to /opt and then as well to /usr.

All SE code should reference one place only. Could someone please create a PR that fixes this.

This PR should also take PR #454 into consideration (no conflicts)

Is your feature request related to a problem? Please describe.
The current Helm chart does not support adding labels to the generated ServiceAccount resources.

Describe the solution you'd like
Add support for serviceAccount.labels in helm chart, in addition to the already existing serviceAccount.annotations

Describe alternatives you've considered
Managing ServiceAccoun

Which version are you referring to
3.1dev

We list not all RFCs in ~/doc/ which we refer to in testssl.sh.

List used RFCs: grep RFC -w ./testssl.sh | grep -v TLS_CIPHER | grep RFC | sed 's/^.*RFC/RFC/' | sort -u
List RFCs referred to: grep -w RFC doc/testssl.1

Problem:

A common pattern is:

GUARD(s2n_stuffer_skip_write(stuffer, bytes_to_write));
uint8_t* ptr = suffer->blob.data + stuffer->write_cursor - bytes_to_write;

which could be simplified.

Solution:

*ptr could be an *out parameter to s2n_stuffer_skip_write

• Does this change what S2N sends over the wire? No.
• Does this change any public APIs? No.

The recommendation is to set Cache-Control: private, no-store on any endpoint with sensitive information. Because while you can protect the traffic with TLS, you also need to keep sensitive information out of a client's (unencrypted) HTTP cache. I'm not sure how relevant this is to the API context of step-ca though—I've never seen an HTTP client library that caches content. But I guess the poi

Suggested enhancement

Either a direct accessor function to retrieve the public component of an mbedtls_ecp_keypair, or a function to write out the public key to a binary buffer. Similarly, a way to create an mbedtls_ecp_keypair structure containing only the public part of the key.

Justification

Mbed TLS needs this because the public key component was made private.