Currently the install_trust option for CAs from the pki module can only be configured via JSON/API.

Setting TLS to internal with option on_demand is easily possible with a Caddyfile and allows for a quick and simple internal setup. Trust store installation on the machine itself is not necessary and only leads to startup errors being logged from both sudo and caddy.

Therefore it w

As OpenSSL does not support asynchronous read/write duplex, sometimes, the asynchronous read/write logic needs to be changed to consecutive processing. An interface for viewing the job status in internal objects maybe helpful for this.

ASYNC_JOB *SSL_get_job(const SSL *s)
{
    return s->job;
}

Right now in different places in the SE codebase there are references to /opt and then as well to /usr.

All SE code should reference one place only. Could someone please create a PR that fixes this.

This PR should also take PR #454 into consideration (no conflicts)

Is your feature request related to a problem? Please describe.
@munnerz helped debug this today.

Someone set kubernetes.io/ingress.allow-http: "false" on an Ingress resource. When time came to refresh the cert it just hung forever with no errors or event or anything.

Describe the solution you'd like
I'd have liked to see an Event and/or Condition on the Ingress saying "cert-mana

There's little information about what keys and values are in the output, what it means and how they are related to the screen output. In general that needs to be added. (special topics see #1675, #1674)

Problem:

A common pattern is:

GUARD(s2n_stuffer_skip_write(stuffer, bytes_to_write));
uint8_t* ptr = suffer->blob.data + stuffer->write_cursor - bytes_to_write;

which could be simplified.

Solution:

*ptr could be an *out parameter to s2n_stuffer_skip_write

• Does this change what S2N sends over the wire? No.
• Does this change any public APIs? No.

The header file include/mbedtls/compat-1.3.h was meant to somewhat ease the transition from PolarSSL/Mbed TLS 1.3 to Mbed TLS 2.0 (especially as 100% of the public symbols were renamed to include an mbedtls_ prefix).

It no longer makes sense to have it around in Mbed TLS 3.0.

What would you like to be added

Add support for a DynamoDB storage backend. Although MySQL is available, it would require to run a RDS Instance for it. Extra costs, backup considerations, etc. Even with Aurora Serverless.

DynamoDB is just there, scales as needed with OnDemand pricing and has fine backup capabilities.

Why this is needed

We plan to run step-ca in AWS ECS on Farga